publicdata/cms-gov
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
cms-gov/security.cms.gov/learn/ongoing-authorization-oa
Scott Williams b906a0e722 Initial commit
2025-02-28 14:41:14 -05:00

7 lines
No EOL
425 KiB
Text
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>Ongoing Authorization (OA) | CMS Information Security &amp; Privacy Group</title><meta name="description" content="Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities"/><link rel="canonical" href="https://security.cms.gov/learn/ongoing-authorization-oa"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="Ongoing Authorization (OA) | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities"/><meta property="og:url" content="https://security.cms.gov/learn/ongoing-authorization-oa"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/ongoing-authorization-oa/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Ongoing Authorization (OA) | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/ongoing-authorization-oa/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accessibility Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">Ongoing Authorization (OA)</h1><p class="hero__description">Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 margin-top-0">#oa-onboarding </li><li class="line-height-sans-5 margin-top-0">#security_community </li><li class="line-height-sans-5 margin-top-0">#CMS-CDM</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>What is Ongoing Authorization (OA)?</h2><p>All FISMA systems must be proven secure before they are allowed to operate. This authorization process has traditionally focused on a compliance-based model. In an effort to modernize the way that the government manages its systems, the National Institute of Standards and Technology (NIST) released guidance that requires all agencies to adopt an “ongoing state of security” and conduct “ongoing authorizations”. CMS is adopting new processes, services, and tools to support the ongoing authorization model. These resources are designed to continuously monitor systems to address real-time threats. With ongoing authorization, system controls are constantly evaluated and tested to spot vulnerabilities. This allows you to make risk-based decisions quickly and confidently and engage in remediation efforts to minimize ongoing exposures.</p><h2>Ongoing Authorization (OA) vs. traditional ATO</h2><p>The traditional ATO process has been used by the CMS community for decades. The OA process offers exciting new benefits for CMS FISMA systems.</p><table><caption>Comparison between traditional ATO and the new Ongoing Authorization (OA)</caption><thead><tr><th><strong>Traditional ATO</strong></th><th><strong>Ongoing Authorization (OA)</strong></th></tr></thead><tbody><tr><td><ul><li>Completed every three years</li><li>Control-based testing</li><li>Assesses system security posture at a specific point in time</li><li>Manual process</li><li>Labor intensive</li></ul></td><td><ul><li>Continuous monitoring</li><li>Constant evaluation of controls</li><li>Assesses system security posture continuously</li><li>Automated process reduces labor burden</li><li>Compliant systems are allowed to continue to operate without a manual approval</li></ul></td></tr></tbody></table><h2>Is my system eligible for OA?</h2><p>CMS information systems must meet the following requirements before being considered for onboarding into the OA Program. These prerequisites are part of the pre-assessment conducted by the OA Team and determine the eligibility of the system to receive an OA:</p><ol><li>Valid ATO which is not expiring in the next 6 months</li><li>A security &amp; privacy assessment (<a href="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap">CSRAP</a>/<a href="/learn/security-controls-assessment-sca">SCA</a> and <a href="/learn/penetration-testing">PenTest</a>) within the past 12 months</li><li>System/Business Owner and ISSO participated in the ISPG-provided Threat Modeling session (your CRA can help set this up for your team)</li><li>System must be fully OIT AWS cloud hosted no hybrids</li><li>Security Hub (SecHub) must be enabled</li><li>Key <a href="/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Mitigation (CDM) </a>data feeds must be integrated into CDM architecture (HWAM, VUL)</li><li>Data integration into requisite reporting mechanisms and visibility in corresponding dashboards, reports, etc. verified</li><li>System ISSO with a valid CMS certification letter</li><li>System must meet metrics baseline requirement</li><li>No planned decommission of the system</li></ol><p>The <strong>Ongoing Authorization Program Dashboard</strong> helps ISSOs and other security professionals to quickly identify what parts of their system meet the requirements for OA, and what steps they need to take (either to achieve or maintain OA).</p></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>Quick start guide</h1><p>Learn how to access and use the Ongoing Authorization Program Dashboard. (CMS internal link)
</p><p><a href="https://confluenceent.cms.gov/pages/viewpage.action?pageId=195122542&amp;preview=/195122542/250712614/OA%20Program%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20102721_Final.pdf">See the OA Dashboard guide</a></p></section><div class="text-block text-block--theme-explainer"><h2>OA Program onboarding process</h2><p>If your system qualifies for the OA Program, you will complete the following process to onboard:</p></div><div><ol class="usa-process-list"><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Determine if your system qualifies </h4><div class="margin-top-05 usa-process-list__description"><p>The criteria above determines if your system is eligible for OA. The OA Team works to identify systems that meet the requirements for OA. As a System/Business Owner, you may receive proactive outreach from the OA Team if your system qualifies. System/Business Owners can also look at their specific system and reach out to the OA Team to request OA Program onboarding.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Receive OA candidate email</h4><div class="margin-top-05 usa-process-list__description"><p>CMS information systems that have met the OA requirements will receive an OA onboarding invitation email. This email has instructions to get your system started with OA. Your tasks will include: letting the OA Team know you are interested in joining the program, obtaining the appropriate job codes, and working with your ISSO to stay in communication with the OA Team throughout the process.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Review OA welcome package</h4><div class="margin-top-05 usa-process-list__description"><p>The candidate email will include a welcome package for review by the System/Business Owner and ISSO that includes:</p><ul><li>&nbsp;Details on how to maintain OA status&nbsp;</li><li>The process for non-compliance</li><li>An <strong>OA Onboarding Memo</strong></li></ul><p>These artifacts must be reviewed by the System/Business Owner and the ISSO prior to joining OA. While reviewing these artifacts, the ISSO will ensure that all information in CFACTS is correct to date.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Submit system for OA status</h4><div class="margin-top-05 usa-process-list__description"><p>The ISSO will submit the signed memo into the ATO Request workflow in CMS Connect. The letter must be added as an attachment, and the certification form checkbox must be selected, as the memo takes its place.&nbsp; The CRA will change the OA Status field to OA Onboarding for that system in CFACTS.&nbsp; The System/Business Owner and ISSO must also participate in an ISPG-led Threat Modeling session during onboarding.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Receive Authorizing Official signature</h4><div class="margin-top-05 usa-process-list__description"><p>The CRA confirms the system is ready for onboarding and routes the <strong>OA Onboarding Memo</strong> to Authorizing Official (AO) for signature. The AO will return the signed letter to the CRA.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Confirm OA status in CFACTS</h4><div class="margin-top-05 usa-process-list__description"><p>The CRA uploads the signed OA letter to CFACTS and notifies the System/Business Owner that the system has been placed into OA. The CRA changes the system OA Status in CFACTS to OA Member. It is now the responsibility of the System/Business Owner and the ISSO&nbsp; to maintain compliance.</p></div></li></ol></div><div class="text-block text-block--theme-explainer"><h2>Maintaining your systems OA</h2><p>After a system has been onboarded to the OA Program, the system enters <strong>Continuous Monitoring </strong>status. During this phase, continuous assessment activities are conducted to ensure that the system is operating within the agreed-upon risk thresholds outlined in the OA Program welcome package . The following CMS programs and tools will be used to monitor the system:</p><ul><li>CMS CDM Program</li><li>CMS Cybersecurity Integration Center (CCIC) monitoring</li><li><a href="/learn/cyber-risk-reports">Cyber Risk Reporting</a></li><li>Ad hoc risk reviews</li></ul><p>The OA Program also publishes the<strong> OA Cyber Risk Report</strong>, which<strong> </strong>includes security results from all risk information sources including:</p><ul><li>Assessment of inherited controls</li><li>Development environment testing</li><li><a href="/learn/continuous-diagnostics-and-mitigation-cdm">CDM</a></li><li>CCIC</li><li><a href="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap">Cybersecurity and Risk Assessment Program (CSRAP)</a></li><li>Other assessment activities as required</li></ul></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>Learn more about CSRAP </h1><p>CSRAP is one of the fundamentals of the OA Program. Find out more about this service and schedule your test.
</p></section><div class="text-block text-block--theme-explainer"><h2>Continuous monitoring result: triggers</h2><p>Triggers directly monitor a system's security posture and can indicate risks beyond acceptable limits. During the continuous monitoring process, the OA Team manages both <strong>time-driven</strong> and <strong>event-driven </strong>triggers.</p><p><strong>Time-driven</strong> triggers are based on CMSs predefined frequency by the OA Team, senior CMS leadership, and system security stakeholders.</p><p><strong>Event-driven triggers</strong> are based on a specific internal or external event of significance to the system.</p><p>Each trigger requires a unique response. Example responses to triggers include:</p><p><strong>OA Cyber Risk Report Trigger</strong></p><p>If the OA Cyber Risk Report shows risk that is out of compliance with the documented risk tolerance, the OA Team will conduct a risk review to determine the severity and mitigation needed.</p><p><strong>Incident or Cyber Threat Intelligence Trigger</strong></p><p>An incident or relevant cyber threat intelligence may also trigger an OA Team risk review to determine the severity and mitigation needed.</p><p><strong>Significant System Change</strong></p><p>A significant change to a system should be reviewed by the CRA to determine if the security requirements of the system will need to change.</p><p>Triggers may come from any number of internal or external sources and may vary in degree of severity, requiring unique response times. The System/Business Owner and ISSO should independently review the <strong>OA Program Dashboard </strong>weekly to confirm system status.</p><p>If the trigger identifies remediation activities, those activities will be tracked to completion by the OA Team, including any need for re-authorization or renewal of the OA. Items of non-compliance are identified and entered on the trigger log (with severity assigned). Non-compliant fields will turn red on the<strong> OA Program Dashboard</strong>. The System/Business Owner, ISSO, and CRA must work together to resolve these triggers with mitigations or other actions.</p><p>Systems will be considered non-compliant with OA Program requirements if they fail to meet 1 out of 5 metrics (i.e. 20%). The ISSO coordinates remedial actions based on trigger severity. Items of non-compliance below the defined threshold are identified and entered on the Trigger Accountability Log (TRAL) by the CRA. The CRA then notifies the System/Business Owner and ISSO of non-compliance via email.</p><h2>Trigger severity guide</h2><p>The following guide helps System/Business Owners and ISSOs determine the severity of a trigger experienced by their system, and offers the timeline for remediation.</p><h3>Last Penetration Test (PenTest)</h3><p><strong>Description</strong></p><p>Ensures<strong> </strong>that a PenTest has been performed based on the system's risk. This is done as part of the Cybersecurity and Risk Assessment Program (CSRAP) process. Per ARS 5.0, this is a requirement for HVA, FIPS High, and systems with PII/PHI.</p><p><strong>Scope/Criteria</strong></p><p>Measured in days. If the measuring scale goes beyond 1 year, an adjustment would need to be made.</p><p><strong>Calculation</strong></p><p>Last PenTest date:<br>*Risk Level 3: &lt;= 365 days<br>*Risk Level 2: &lt;= 365 days<br>*Risk Level 1: &lt; = N/A</p><p><strong>System risk level 1 (FIPS Low):</strong> N/A</p><p><strong>System risk level 2 (System is financial or contains PII)</strong>: Moderate</p><p><strong>System risk level 3 (System is HVA or MEF or FIPS High)</strong>: Moderate</p><h3>Last Cybersecurity and Risk Assessment Program (CSRAP)</h3><p><strong>Description</strong></p><p>Ensures that an CSRAP has been performed and provides coverage for controls that are not yet automated and integrated into the OA Program.</p><p><strong>Scope/Criteria</strong></p><p>Measured in days.</p><p><strong>Calculation</strong></p><p>Last CSRAP date:<br>*Risk Level 3: &lt;= 365 days<br>*Risk Level 2: &lt;= 365 days<br>*Risk Level 1: &lt; = 365 days</p><p><strong>System risk level 1 (FIPS Low): </strong>Low</p><p><strong>System risk level 2 (System is financial or contains PII)</strong>: Moderate</p><p><strong>System risk level 3 (System is HVA or MEF or FIPS High)</strong>: High</p><h3>Vulnerability Risk Tolerance</h3><p><strong>Description</strong></p><p>Provides the average AWARE score for all systems components</p><p><strong>Scope/Criteria</strong></p><p>AWARE Score current vs. previous 30 days</p><p><strong>Calculation</strong></p><p>Calculated for each Vulnerability: CVSS Score * Age * System Risk Category * 2 (If Exploitability flag = "Yes")</p><p>System calculation is the average score for all vulnerabilities identified for the system (High &amp; Critical for MVP)</p><p><strong>System risk level 1 (FIPS Low)</strong>: Moderate</p><p><strong>System risk level 2 (System is financial or contains PII)</strong>: High</p><p><strong>System risk level 3 (System is HVA or MEF or FIPS High)</strong>: High</p><h3>Resiliency Score</h3><p><strong>Description</strong></p><p>Provides an overall risk score for an IS and/or Component</p><p><strong>Scope/Criteria</strong></p><p>All POA&amp;M within the FISMA boundary</p><p><strong>Calculation</strong></p><p>Aggregate risk score attributed by Open POA&amp;Ms based upon criticality (L = 10, M = 15, H = 30, C = 45)</p><p><strong>System risk level 1 (FIPS Low)</strong>: Moderate</p><p><strong>System risk level 2 (System is financial or contains PII)</strong>: Moderate</p><p><strong>System risk level 3 (System is HVA or MEF or FIPS High)</strong>: High</p><h3>Residual Risk</h3><p><strong>Description</strong></p><p>Understanding the number of accepted risks in correlation with active risks/vulnerabilities on the system</p><p><strong>Scope/Criteria</strong></p><p>All risks associated with the information system boundary</p><p><strong>Calculation</strong></p><p>Target: (thresholds scale)</p><p>Calculation: Total # of risk acceptances that are valid</p><p><strong>System risk level 1 (FIPS Low)</strong>: Informational</p><p><strong>System risk level 2 (System is financial or contains PII)</strong>: Informational</p><p><strong>System risk level 3 (System is HVA or MEF or FIPS High)</strong>: Informational</p><h3>Asset Risk Tolerance</h3><p><strong>Description</strong></p><p>Represents the confidence that the reporting is accurate based on past reported asset data per system</p><p><strong>Scope/Criteria</strong></p><p>All assets within the FISMA Boundary</p><p>Ref: Unaccounted change of +/-40% over the last 30 days flags a value as unreliable (prior months inventory current months inventory)/prior months inventory &gt;40% or &lt; -40%</p><p><strong>Calculation</strong></p><p>Target = + or - 40%</p><p>Weight = N/A</p><p>Calculation: Unaccounted change of +/-40% over the last 30</p><p><strong>System risk level 1 (FIPS Low)</strong>: Low</p><p><strong>System risk level 2 (System is financial or contains PII)</strong>: Low</p><p><strong>System risk level 3 (System is HVA or MEF or FIPS High)</strong>: Moderate</p><h2>OA Program non-compliance process</h2><p>If a system fails to meet 1 out of 5 of the OA Program metrics, the System/Business Owner and ISSO will be notified via email and given a grace period of 30 calendar days to get the system back into compliance (i.e. green on all metrics). If the deficiencies have been fully addressed, the system may remain in the OA Program.</p><p>If the deficiencies are not fully addressed during the 30-day probation period, the system team will be required to present their progress in correcting deficiencies to the Chief Information Security Officer (CISO) and AO for their review and consideration for continued participation.</p><p>A system will be considered non-compliant based on the following criteria:</p><h3>Risk tolerance level</h3><p>Exceeds the prescribed CMS risk tolerance level for the corresponding system risk threshold tier based on <a href="https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf">FIPS 199 categorization</a>, High Value Asset (HVA) identification, and other factors.</p><h3>Delayed remediation</h3><p>Has delayed remediation of critical and/or high-impact vulnerabilities</p><h3>POA&amp;M non-compliance</h3><p>Is non-compliant with CMS <a href="/learn/plan-action-and-milestones-poam">Plan of Action &amp; Milestones (POA&amp;M)</a> resolution timelines policies:</p><ul><li>Critical: 15 days</li><li>High: 30 days</li><li>Moderate: 90 days</li><li>Low: 365 days</li></ul><h3>Lack of continuous monitoring</h3><p>The system is unable to execute continuous monitoring processes and tasks, such as:</p><ul><li>System has not been scanned in accordance with CMS minimum requirements</li><li>System has not been patched in accordance with CMS minimum requirements</li><li>System is non-compliant with required monitoring/assessment frequencies within two assessment frequency cycles</li></ul><p>The System/Business Owner and ISSO will be notified of non-compliance via email. A 30-day grace period will be given to remediate the issue. After the 30 calendar day grace period has lapsed, systems that fail to meet metrics will be terminated from the OA Program.</p><p>Systems that are terminated from the OA Program because of non-compliance will be issued a one-year traditional ATO, and will be provided with a list of the actions required to fully rejoin the OA Program. Required actions will include a comprehensive CSRAP and Penetration Test. Other actions may be identified based on specific circumstances.</p><h2>Re-entry into the OA Program</h2><p>It is possible for a terminated system to re-enter the OA Program. The System/Business Owner may request re-entry when the system has successfully met the required actions set in the one year <a href="/learn/authorization-operate-ato">traditional ATO</a>. The CRA will evaluate the completion of the required actions.</p><p>This may occur at or before the one year time period is up. However, the systems metrics must have remained green for at least 6 months prior to rejoining.</p><p>Rejoining will require the re-issuance of the OA letter for the system.</p><h2>Frequently Asked Questions</h2><p><strong>How do I access the OA Dashboard?</strong></p><p>First, ensure that you have the TABLEAU_DIR_VIEWER_PRD job code on your EUA profile. We have already added this code for known CMS ISSOs and System/Business Owners, but contractors will likely not have it. Request the job code through EUA if you do not have it.</p><p>Next, follow the instructions from the <a href="https://confluenceent.cms.gov/download/attachments/195122542/OA%20Program%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20102721_Final.pdf?version=2&amp;modificationDate=1639140237656&amp;api=v2">OA Program Dashboard - Quick Start Guide</a>. (Note that Step 2 of the Quick Start Guide references the “Projects page”. The correct link on the navigation on the left side of the page is “Explore”. The Explore page then lists available projects.)</p><p><strong>Is there a status report of the Security Hub integration for each system?</strong></p><p>Yes, the SecOps group tracks this. ISPG also reflects this information through mediums like CFACTS. For more information, please see <a href="https://cfacts.cms.gov/apps/ArcherApp/Home.aspx">CFACTS</a> or ask your Cyber Risk Advisor (CRA).</p><p><strong>How is system data collected and disseminated for OA?</strong></p><p>The automation of data collection is from the <a href="/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Monitoring (CDM)</a> program. Since we are starting in the OIT AWS Cloud, we have all aspects of the CDM data. We are still working on how that data is normalized and aggregated down to our data warehouse to support the reports through our reporting platform. The use of Security Hub is one way we are disseminating data, and we are also working on an OA concept report we are developing alongside users and internal SMEs. The Ongoing Authorization Program Status Dashboard is populated using available CDM data feeds regardless of the systems OA status or participation in the OA program. Our aim is to make data dissemination for OA usable for everybody.</p><p><strong>Will OA be inclusive of hybrid PaaS/SaaS systems such as Salesforce?</strong></p><p>Platform as a Service (PaaS) and Software as a Service (SaaS) systems will not be considered for OA at this time.</p><p><strong>|OIT Specific| How will non-critical findings from Security Hub be communicated?</strong></p><p>Non-critical findings will be communicated directly through Security Hub. There will not be any Jira tickets created for non-critical findings (which includes some of the Highs and certainly the Moderates and Lows).</p><p><strong>How will the new automated CDM approach support the same level of useful metadata that the former manual HW/SW inventory previously provided?</strong></p><p>The information will still be just as understandable, and delivered daily. The expanded reporting will be helpful in giving you a fuller picture. You can expect a more robust set of metadata for your use.</p></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cybersecurity-risk-assessment-program-csrap">Cybersecurity and Risk Assessment Program (CSRAP)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>A streamlined risk-based control(s) testing methodology designed to relieve operational burden.</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-cloud-services">CMS Cloud Services</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Platform-As-A-Service with tools, security, and support services designed specifically for CMS</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Mitigation (CDM)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cyber-risk-reports">Cyber Risk Reports (CRR)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-fisma-continuous-tracking-system-cfacts">CMS FISMA Continuous Tracking System (CFACTS)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>CFACTS is a CMS database that tracks application security deficiencies and POA&amp;Ms, and supports the ATO process</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Testing and documenting system security and compliance to gain approval to operate the system at CMS</p></div></div></li></ul></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"ongoing-authorization-oa\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"ongoing-authorization-oa\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"ongoing-authorization-oa\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"ongoing-authorization-oa\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:Td81,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is Ongoing Authorization (OA)?\u003c/h2\u003e\u003cp\u003eAll FISMA systems must be proven secure before they are allowed to operate. This authorization process has traditionally focused on a compliance-based model. In an effort to modernize the way that the government manages its systems, the National Institute of Standards and Technology (NIST) released guidance that requires all agencies to adopt an “ongoing state of security” and conduct “ongoing authorizations”. CMS is adopting new processes, services, and tools to support the ongoing authorization model. These resources are designed to continuously monitor systems to address real-time threats. With ongoing authorization, system controls are constantly evaluated and tested to spot vulnerabilities. This allows you to make risk-based decisions quickly and confidently and engage in remediation efforts to minimize ongoing exposures.\u003c/p\u003e\u003ch2\u003eOngoing Authorization (OA) vs. traditional ATO\u003c/h2\u003e\u003cp\u003eThe traditional ATO process has been used by the CMS community for decades. The OA process offers exciting new benefits for CMS FISMA systems.\u003c/p\u003e\u003ctable\u003e\u003ccaption\u003eComparison between traditional ATO and the new Ongoing Authorization (OA)\u003c/caption\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTraditional ATO\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eOngoing Authorization (OA)\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eCompleted every three years\u003c/li\u003e\u003cli\u003eControl-based testing\u003c/li\u003e\u003cli\u003eAssesses system security posture at a specific point in time\u003c/li\u003e\u003cli\u003eManual process\u003c/li\u003e\u003cli\u003eLabor intensive\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eContinuous monitoring\u003c/li\u003e\u003cli\u003eConstant evaluation of controls\u003c/li\u003e\u003cli\u003eAssesses system security posture continuously\u003c/li\u003e\u003cli\u003eAutomated process reduces labor burden\u003c/li\u003e\u003cli\u003eCompliant systems are allowed to continue to operate without a manual approval\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003eIs my system eligible for OA?\u003c/h2\u003e\u003cp\u003eCMS information systems must meet the following requirements before being considered for onboarding into the OA Program. These prerequisites are part of the pre-assessment conducted by the OA Team and determine the eligibility of the system to receive an OA:\u003c/p\u003e\u003col\u003e\u003cli\u003eValid ATO which is not expiring in the next 6 months\u003c/li\u003e\u003cli\u003eA security \u0026amp; privacy assessment (\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCSRAP\u003c/a\u003e/\u003ca href=\"/learn/security-controls-assessment-sca\"\u003eSCA\u003c/a\u003e and \u003ca href=\"/learn/penetration-testing\"\u003ePenTest\u003c/a\u003e) within the past 12 months\u003c/li\u003e\u003cli\u003eSystem/Business Owner and ISSO participated in the ISPG-provided Threat Modeling session (your CRA can help set this up for your team)\u003c/li\u003e\u003cli\u003eSystem must be fully OIT AWS cloud hosted no hybrids\u003c/li\u003e\u003cli\u003eSecurity Hub (SecHub) must be enabled\u003c/li\u003e\u003cli\u003eKey \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM) \u003c/a\u003edata feeds must be integrated into CDM architecture (HWAM, VUL)\u003c/li\u003e\u003cli\u003eData integration into requisite reporting mechanisms and visibility in corresponding dashboards, reports, etc. verified\u003c/li\u003e\u003cli\u003eSystem ISSO with a valid CMS certification letter\u003c/li\u003e\u003cli\u003eSystem must meet metrics baseline requirement\u003c/li\u003e\u003cli\u003eNo planned decommission of the system\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe \u003cstrong\u003eOngoing Authorization Program Dashboard\u003c/strong\u003e helps ISSOs and other security professionals to quickly identify what parts of their system meet the requirements for OA, and what steps they need to take (either to achieve or maintain OA).\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:Td81,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is Ongoing Authorization (OA)?\u003c/h2\u003e\u003cp\u003eAll FISMA systems must be proven secure before they are allowed to operate. This authorization process has traditionally focused on a compliance-based model. In an effort to modernize the way that the government manages its systems, the National Institute of Standards and Technology (NIST) released guidance that requires all agencies to adopt an “ongoing state of security” and conduct “ongoing authorizations”. CMS is adopting new processes, services, and tools to support the ongoing authorization model. These resources are designed to continuously monitor systems to address real-time threats. With ongoing authorization, system controls are constantly evaluated and tested to spot vulnerabilities. This allows you to make risk-based decisions quickly and confidently and engage in remediation efforts to minimize ongoing exposures.\u003c/p\u003e\u003ch2\u003eOngoing Authorization (OA) vs. traditional ATO\u003c/h2\u003e\u003cp\u003eThe traditional ATO process has been used by the CMS community for decades. The OA process offers exciting new benefits for CMS FISMA systems.\u003c/p\u003e\u003ctable\u003e\u003ccaption\u003eComparison between traditional ATO and the new Ongoing Authorization (OA)\u003c/caption\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTraditional ATO\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eOngoing Authorization (OA)\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eCompleted every three years\u003c/li\u003e\u003cli\u003eControl-based testing\u003c/li\u003e\u003cli\u003eAssesses system security posture at a specific point in time\u003c/li\u003e\u003cli\u003eManual process\u003c/li\u003e\u003cli\u003eLabor intensive\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eContinuous monitoring\u003c/li\u003e\u003cli\u003eConstant evaluation of controls\u003c/li\u003e\u003cli\u003eAssesses system security posture continuously\u003c/li\u003e\u003cli\u003eAutomated process reduces labor burden\u003c/li\u003e\u003cli\u003eCompliant systems are allowed to continue to operate without a manual approval\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003eIs my system eligible for OA?\u003c/h2\u003e\u003cp\u003eCMS information systems must meet the following requirements before being considered for onboarding into the OA Program. These prerequisites are part of the pre-assessment conducted by the OA Team and determine the eligibility of the system to receive an OA:\u003c/p\u003e\u003col\u003e\u003cli\u003eValid ATO which is not expiring in the next 6 months\u003c/li\u003e\u003cli\u003eA security \u0026amp; privacy assessment (\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCSRAP\u003c/a\u003e/\u003ca href=\"/learn/security-controls-assessment-sca\"\u003eSCA\u003c/a\u003e and \u003ca href=\"/learn/penetration-testing\"\u003ePenTest\u003c/a\u003e) within the past 12 months\u003c/li\u003e\u003cli\u003eSystem/Business Owner and ISSO participated in the ISPG-provided Threat Modeling session (your CRA can help set this up for your team)\u003c/li\u003e\u003cli\u003eSystem must be fully OIT AWS cloud hosted no hybrids\u003c/li\u003e\u003cli\u003eSecurity Hub (SecHub) must be enabled\u003c/li\u003e\u003cli\u003eKey \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM) \u003c/a\u003edata feeds must be integrated into CDM architecture (HWAM, VUL)\u003c/li\u003e\u003cli\u003eData integration into requisite reporting mechanisms and visibility in corresponding dashboards, reports, etc. verified\u003c/li\u003e\u003cli\u003eSystem ISSO with a valid CMS certification letter\u003c/li\u003e\u003cli\u003eSystem must meet metrics baseline requirement\u003c/li\u003e\u003cli\u003eNo planned decommission of the system\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe \u003cstrong\u003eOngoing Authorization Program Dashboard\u003c/strong\u003e helps ISSOs and other security professionals to quickly identify what parts of their system meet the requirements for OA, and what steps they need to take (either to achieve or maintain OA).\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1a:T48c,\u003ch2\u003eMaintaining your systems OA\u003c/h2\u003e\u003cp\u003eAfter a system has been onboarded to the OA Program, the system enters \u003cstrong\u003eContinuous Monitoring \u003c/strong\u003estatus. During this phase, continuous assessment activities are conducted to ensure that the system is operating within the agreed-upon risk thresholds outlined in the OA Program welcome package . The following CMS programs and tools will be used to monitor the system:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS CDM Program\u003c/li\u003e\u003cli\u003eCMS Cybersecurity Integration Center (CCIC) monitoring\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/cyber-risk-reports\"\u003eCyber Risk Reporting\u003c/a\u003e\u003c/li\u003e\u003cli\u003eAd hoc risk reviews\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe OA Program also publishes the\u003cstrong\u003e OA Cyber Risk Report\u003c/strong\u003e, which\u003cstrong\u003e \u003c/strong\u003eincludes security results from all risk information sources including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAssessment of inherited controls\u003c/li\u003e\u003cli\u003eDevelopment environment testing\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCCIC\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eOther assessment activities as required\u003c/li\u003e\u003c/ul\u003e1b:T48c,\u003ch2\u003eMaintaining your systems OA\u003c/h2\u003e\u003cp\u003eAfter a system has been onboarded to the OA Program, the system enters \u003cstrong\u003eContinuous Monitoring \u003c/strong\u003estatus. During this phase, continuous assessment activities are conducted to ensure that the system is operating within the agreed-upon risk thresholds outlined in the OA Program welcome package . The following CMS programs and tools will be used to monitor the system:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS CDM Program\u003c/li\u003e\u003cli\u003eCMS Cybersecurity Integration Center (CCIC) monitoring\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/cyber-risk-reports\"\u003eCyber Risk Reporting\u003c/a\u003e\u003c/li\u003e\u003cli\u003eAd hoc risk reviews\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe OA Program also publishes the\u003cstrong\u003e OA Cyber Risk Report\u003c/strong\u003e, which\u003cstrong\u003e \u003c/strong\u003eincludes security results from all risk information sources including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAssessment of inherited controls\u003c/li\u003e\u003cli\u003eDevelopment environment test"])</script><script>self.__next_f.push([1,"ing\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCCIC\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eOther assessment activities as required\u003c/li\u003e\u003c/ul\u003e1c:T3377,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eContinuous monitoring result: triggers\u003c/h2\u003e\u003cp\u003eTriggers directly monitor a system's security posture and can indicate risks beyond acceptable limits. During the continuous monitoring process, the OA Team manages both \u003cstrong\u003etime-driven\u003c/strong\u003e and \u003cstrong\u003eevent-driven \u003c/strong\u003etriggers.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTime-driven\u003c/strong\u003e triggers are based on CMSs predefined frequency by the OA Team, senior CMS leadership, and system security stakeholders.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent-driven triggers\u003c/strong\u003e are based on a specific internal or external event of significance to the system.\u003c/p\u003e\u003cp\u003eEach trigger requires a unique response. Example responses to triggers include:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOA Cyber Risk Report Trigger\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIf the OA Cyber Risk Report shows risk that is out of compliance with the documented risk tolerance, the OA Team will conduct a risk review to determine the severity and mitigation needed.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident or Cyber Threat Intelligence Trigger\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAn incident or relevant cyber threat intelligence may also trigger an OA Team risk review to determine the severity and mitigation needed.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSignificant System Change\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eA significant change to a system should be reviewed by the CRA to determine if the security requirements of the system will need to change.\u003c/p\u003e\u003cp\u003eTriggers may come from any number of internal or external sources and may vary in degree of severity, requiring unique response times. The System/Business Owner and ISSO should independently review the \u003cstrong\u003eOA Program Dashboard \u003c/strong\u003eweekly to confirm system status.\u003c/p\u003e\u003cp\u003eIf the trigger identifies remediation activities, those activities will be tracked to completion by the OA Team, including any need for re-authorization or renewal of the OA. Items of non-compliance are identified and entered on the trigger log (with severity assigned). Non-compliant fields will turn red on the\u003cstrong\u003e OA Program Dashboard\u003c/strong\u003e. The System/Business Owner, ISSO, and CRA must work together to resolve these triggers with mitigations or other actions.\u003c/p\u003e\u003cp\u003eSystems will be considered non-compliant with OA Program requirements if they fail to meet 1 out of 5 metrics (i.e. 20%). The ISSO coordinates remedial actions based on trigger severity. Items of non-compliance below the defined threshold are identified and entered on the Trigger Accountability Log (TRAL) by the CRA. The CRA then notifies the System/Business Owner and ISSO of non-compliance via email.\u003c/p\u003e\u003ch2\u003eTrigger severity guide\u003c/h2\u003e\u003cp\u003eThe following guide helps System/Business Owners and ISSOs determine the severity of a trigger experienced by their system, and offers the timeline for remediation.\u003c/p\u003e\u003ch3\u003eLast Penetration Test (PenTest)\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eEnsures\u003cstrong\u003e \u003c/strong\u003ethat a PenTest has been performed based on the system's risk. This is done as part of the Cybersecurity and Risk Assessment Program (CSRAP) process. Per ARS 5.0, this is a requirement for HVA, FIPS High, and systems with PII/PHI.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eMeasured in days. If the measuring scale goes beyond 1 year, an adjustment would need to be made.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eLast PenTest date:\u003cbr\u003e*Risk Level 3: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 2: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 1: \u0026lt; = N/A\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low):\u003c/strong\u003e N/A\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003ch3\u003eLast Cybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eEnsures that an CSRAP has been performed and provides coverage for controls that are not yet automated and integrated into the OA Program.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eMeasured in days.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eLast CSRAP date:\u003cbr\u003e*Risk Level 3: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 2: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 1: \u0026lt; = 365 days\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low): \u003c/strong\u003eLow\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: High\u003c/p\u003e\u003ch3\u003eVulnerability Risk Tolerance\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eProvides the average AWARE score for all systems components\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAWARE Score current vs. previous 30 days\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCalculated for each Vulnerability: CVSS Score * Age * System Risk Category * 2 (If Exploitability flag = \"Yes\")\u003c/p\u003e\u003cp\u003eSystem calculation is the average score for all vulnerabilities identified for the system (High \u0026amp; Critical for MVP)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: High\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: High\u003c/p\u003e\u003ch3\u003eResiliency Score\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eProvides an overall risk score for an IS and/or Component\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll POA\u0026amp;M within the FISMA boundary\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAggregate risk score attributed by Open POA\u0026amp;Ms based upon criticality (L = 10, M = 15, H = 30, C = 45)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: High\u003c/p\u003e\u003ch3\u003eResidual Risk\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eUnderstanding the number of accepted risks in correlation with active risks/vulnerabilities on the system\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll risks associated with the information system boundary\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eTarget: (thresholds scale)\u003c/p\u003e\u003cp\u003eCalculation: Total # of risk acceptances that are valid\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Informational\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Informational\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: Informational\u003c/p\u003e\u003ch3\u003eAsset Risk Tolerance\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eRepresents the confidence that the reporting is accurate based on past reported asset data per system\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll assets within the FISMA Boundary\u003c/p\u003e\u003cp\u003eRef: Unaccounted change of +/-40% over the last 30 days flags a value as unreliable (prior months inventory current months inventory)/prior months inventory \u0026gt;40% or \u0026lt; -40%\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eTarget = + or - 40%\u003c/p\u003e\u003cp\u003eWeight = N/A\u003c/p\u003e\u003cp\u003eCalculation: Unaccounted change of +/-40% over the last 30\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Low\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Low\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003ch2\u003eOA Program non-compliance process\u003c/h2\u003e\u003cp\u003eIf a system fails to meet 1 out of 5 of the OA Program metrics, the System/Business Owner and ISSO will be notified via email and given a grace period of 30 calendar days to get the system back into compliance (i.e. green on all metrics). If the deficiencies have been fully addressed, the system may remain in the OA Program.\u003c/p\u003e\u003cp\u003eIf the deficiencies are not fully addressed during the 30-day probation period, the system team will be required to present their progress in correcting deficiencies to the Chief Information Security Officer (CISO) and AO for their review and consideration for continued participation.\u003c/p\u003e\u003cp\u003eA system will be considered non-compliant based on the following criteria:\u003c/p\u003e\u003ch3\u003eRisk tolerance level\u003c/h3\u003e\u003cp\u003eExceeds the prescribed CMS risk tolerance level for the corresponding system risk threshold tier based on \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFIPS 199 categorization\u003c/a\u003e, High Value Asset (HVA) identification, and other factors.\u003c/p\u003e\u003ch3\u003eDelayed remediation\u003c/h3\u003e\u003cp\u003eHas delayed remediation of critical and/or high-impact vulnerabilities\u003c/p\u003e\u003ch3\u003ePOA\u0026amp;M non-compliance\u003c/h3\u003e\u003cp\u003eIs non-compliant with CMS \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action \u0026amp; Milestones (POA\u0026amp;M)\u003c/a\u003e resolution timelines policies:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCritical: 15 days\u003c/li\u003e\u003cli\u003eHigh: 30 days\u003c/li\u003e\u003cli\u003eModerate: 90 days\u003c/li\u003e\u003cli\u003eLow: 365 days\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eLack of continuous monitoring\u003c/h3\u003e\u003cp\u003eThe system is unable to execute continuous monitoring processes and tasks, such as:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem has not been scanned in accordance with CMS minimum requirements\u003c/li\u003e\u003cli\u003eSystem has not been patched in accordance with CMS minimum requirements\u003c/li\u003e\u003cli\u003eSystem is non-compliant with required monitoring/assessment frequencies within two assessment frequency cycles\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe System/Business Owner and ISSO will be notified of non-compliance via email. A 30-day grace period will be given to remediate the issue. After the 30 calendar day grace period has lapsed, systems that fail to meet metrics will be terminated from the OA Program.\u003c/p\u003e\u003cp\u003eSystems that are terminated from the OA Program because of non-compliance will be issued a one-year traditional ATO, and will be provided with a list of the actions required to fully rejoin the OA Program. Required actions will include a comprehensive CSRAP and Penetration Test. Other actions may be identified based on specific circumstances.\u003c/p\u003e\u003ch2\u003eRe-entry into the OA Program\u003c/h2\u003e\u003cp\u003eIt is possible for a terminated system to re-enter the OA Program. The System/Business Owner may request re-entry when the system has successfully met the required actions set in the one year \u003ca href=\"/learn/authorization-operate-ato\"\u003etraditional ATO\u003c/a\u003e. The CRA will evaluate the completion of the required actions.\u003c/p\u003e\u003cp\u003eThis may occur at or before the one year time period is up. However, the systems metrics must have remained green for at least 6 months prior to rejoining.\u003c/p\u003e\u003cp\u003eRejoining will require the re-issuance of the OA letter for the system.\u003c/p\u003e\u003ch2\u003eFrequently Asked Questions\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eHow do I access the OA Dashboard?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eFirst, ensure that you have the TABLEAU_DIR_VIEWER_PRD job code on your EUA profile. We have already added this code for known CMS ISSOs and System/Business Owners, but contractors will likely not have it. Request the job code through EUA if you do not have it.\u003c/p\u003e\u003cp\u003eNext, follow the instructions from the \u003ca href=\"https://confluenceent.cms.gov/download/attachments/195122542/OA%20Program%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20102721_Final.pdf?version=2\u0026amp;modificationDate=1639140237656\u0026amp;api=v2\"\u003eOA Program Dashboard - Quick Start Guide\u003c/a\u003e. (Note that Step 2 of the Quick Start Guide references the “Projects page”. The correct link on the navigation on the left side of the page is “Explore”. The Explore page then lists available projects.)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIs there a status report of the Security Hub integration for each system?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYes, the SecOps group tracks this. ISPG also reflects this information through mediums like CFACTS. For more information, please see \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCFACTS\u003c/a\u003e or ask your Cyber Risk Advisor (CRA).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow is system data collected and disseminated for OA?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe automation of data collection is from the \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Monitoring (CDM)\u003c/a\u003e program. Since we are starting in the OIT AWS Cloud, we have all aspects of the CDM data. We are still working on how that data is normalized and aggregated down to our data warehouse to support the reports through our reporting platform. The use of Security Hub is one way we are disseminating data, and we are also working on an OA concept report we are developing alongside users and internal SMEs. The Ongoing Authorization Program Status Dashboard is populated using available CDM data feeds regardless of the systems OA status or participation in the OA program. Our aim is to make data dissemination for OA usable for everybody.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWill OA be inclusive of hybrid PaaS/SaaS systems such as Salesforce?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ePlatform as a Service (PaaS) and Software as a Service (SaaS) systems will not be considered for OA at this time.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e|OIT Specific| How will non-critical findings from Security Hub be communicated?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eNon-critical findings will be communicated directly through Security Hub. There will not be any Jira tickets created for non-critical findings (which includes some of the Highs and certainly the Moderates and Lows).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow will the new automated CDM approach support the same level of useful metadata that the former manual HW/SW inventory previously provided?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe information will still be just as understandable, and delivered daily. The expanded reporting will be helpful in giving you a fuller picture. You can expect a more robust set of metadata for your use.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1d:T3377,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eContinuous monitoring result: triggers\u003c/h2\u003e\u003cp\u003eTriggers directly monitor a system's security posture and can indicate risks beyond acceptable limits. During the continuous monitoring process, the OA Team manages both \u003cstrong\u003etime-driven\u003c/strong\u003e and \u003cstrong\u003eevent-driven \u003c/strong\u003etriggers.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTime-driven\u003c/strong\u003e triggers are based on CMSs predefined frequency by the OA Team, senior CMS leadership, and system security stakeholders.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent-driven triggers\u003c/strong\u003e are based on a specific internal or external event of significance to the system.\u003c/p\u003e\u003cp\u003eEach trigger requires a unique response. Example responses to triggers include:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOA Cyber Risk Report Trigger\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIf the OA Cyber Risk Report shows risk that is out of compliance with the documented risk tolerance, the OA Team will conduct a risk review to determine the severity and mitigation needed.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident or Cyber Threat Intelligence Trigger\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAn incident or relevant cyber threat intelligence may also trigger an OA Team risk review to determine the severity and mitigation needed.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSignificant System Change\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eA significant change to a system should be reviewed by the CRA to determine if the security requirements of the system will need to change.\u003c/p\u003e\u003cp\u003eTriggers may come from any number of internal or external sources and may vary in degree of severity, requiring unique response times. The System/Business Owner and ISSO should independently review the \u003cstrong\u003eOA Program Dashboard \u003c/strong\u003eweekly to confirm system status.\u003c/p\u003e\u003cp\u003eIf the trigger identifies remediation activities, those activities will be tracked to completion by the OA Team, including any need for re-authorization or renewal of the OA. Items of non-compliance are identified and entered on the trigger log (with severity assigned). Non-compliant fields will turn red on the\u003cstrong\u003e OA Program Dashboard\u003c/strong\u003e. The System/Business Owner, ISSO, and CRA must work together to resolve these triggers with mitigations or other actions.\u003c/p\u003e\u003cp\u003eSystems will be considered non-compliant with OA Program requirements if they fail to meet 1 out of 5 metrics (i.e. 20%). The ISSO coordinates remedial actions based on trigger severity. Items of non-compliance below the defined threshold are identified and entered on the Trigger Accountability Log (TRAL) by the CRA. The CRA then notifies the System/Business Owner and ISSO of non-compliance via email.\u003c/p\u003e\u003ch2\u003eTrigger severity guide\u003c/h2\u003e\u003cp\u003eThe following guide helps System/Business Owners and ISSOs determine the severity of a trigger experienced by their system, and offers the timeline for remediation.\u003c/p\u003e\u003ch3\u003eLast Penetration Test (PenTest)\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eEnsures\u003cstrong\u003e \u003c/strong\u003ethat a PenTest has been performed based on the system's risk. This is done as part of the Cybersecurity and Risk Assessment Program (CSRAP) process. Per ARS 5.0, this is a requirement for HVA, FIPS High, and systems with PII/PHI.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eMeasured in days. If the measuring scale goes beyond 1 year, an adjustment would need to be made.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eLast PenTest date:\u003cbr\u003e*Risk Level 3: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 2: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 1: \u0026lt; = N/A\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low):\u003c/strong\u003e N/A\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003ch3\u003eLast Cybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eEnsures that an CSRAP has been performed and provides coverage for controls that are not yet automated and integrated into the OA Program.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eMeasured in days.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eLast CSRAP date:\u003cbr\u003e*Risk Level 3: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 2: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 1: \u0026lt; = 365 days\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low): \u003c/strong\u003eLow\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: High\u003c/p\u003e\u003ch3\u003eVulnerability Risk Tolerance\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eProvides the average AWARE score for all systems components\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAWARE Score current vs. previous 30 days\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCalculated for each Vulnerability: CVSS Score * Age * System Risk Category * 2 (If Exploitability flag = \"Yes\")\u003c/p\u003e\u003cp\u003eSystem calculation is the average score for all vulnerabilities identified for the system (High \u0026amp; Critical for MVP)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: High\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: High\u003c/p\u003e\u003ch3\u003eResiliency Score\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eProvides an overall risk score for an IS and/or Component\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll POA\u0026amp;M within the FISMA boundary\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAggregate risk score attributed by Open POA\u0026amp;Ms based upon criticality (L = 10, M = 15, H = 30, C = 45)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: High\u003c/p\u003e\u003ch3\u003eResidual Risk\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eUnderstanding the number of accepted risks in correlation with active risks/vulnerabilities on the system\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll risks associated with the information system boundary\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eTarget: (thresholds scale)\u003c/p\u003e\u003cp\u003eCalculation: Total # of risk acceptances that are valid\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Informational\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Informational\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: Informational\u003c/p\u003e\u003ch3\u003eAsset Risk Tolerance\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eRepresents the confidence that the reporting is accurate based on past reported asset data per system\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll assets within the FISMA Boundary\u003c/p\u003e\u003cp\u003eRef: Unaccounted change of +/-40% over the last 30 days flags a value as unreliable (prior months inventory current months inventory)/prior months inventory \u0026gt;40% or \u0026lt; -40%\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eTarget = + or - 40%\u003c/p\u003e\u003cp\u003eWeight = N/A\u003c/p\u003e\u003cp\u003eCalculation: Unaccounted change of +/-40% over the last 30\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Low\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Low\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003ch2\u003eOA Program non-compliance process\u003c/h2\u003e\u003cp\u003eIf a system fails to meet 1 out of 5 of the OA Program metrics, the System/Business Owner and ISSO will be notified via email and given a grace period of 30 calendar days to get the system back into compliance (i.e. green on all metrics). If the deficiencies have been fully addressed, the system may remain in the OA Program.\u003c/p\u003e\u003cp\u003eIf the deficiencies are not fully addressed during the 30-day probation period, the system team will be required to present their progress in correcting deficiencies to the Chief Information Security Officer (CISO) and AO for their review and consideration for continued participation.\u003c/p\u003e\u003cp\u003eA system will be considered non-compliant based on the following criteria:\u003c/p\u003e\u003ch3\u003eRisk tolerance level\u003c/h3\u003e\u003cp\u003eExceeds the prescribed CMS risk tolerance level for the corresponding system risk threshold tier based on \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFIPS 199 categorization\u003c/a\u003e, High Value Asset (HVA) identification, and other factors.\u003c/p\u003e\u003ch3\u003eDelayed remediation\u003c/h3\u003e\u003cp\u003eHas delayed remediation of critical and/or high-impact vulnerabilities\u003c/p\u003e\u003ch3\u003ePOA\u0026amp;M non-compliance\u003c/h3\u003e\u003cp\u003eIs non-compliant with CMS \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action \u0026amp; Milestones (POA\u0026amp;M)\u003c/a\u003e resolution timelines policies:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCritical: 15 days\u003c/li\u003e\u003cli\u003eHigh: 30 days\u003c/li\u003e\u003cli\u003eModerate: 90 days\u003c/li\u003e\u003cli\u003eLow: 365 days\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eLack of continuous monitoring\u003c/h3\u003e\u003cp\u003eThe system is unable to execute continuous monitoring processes and tasks, such as:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem has not been scanned in accordance with CMS minimum requirements\u003c/li\u003e\u003cli\u003eSystem has not been patched in accordance with CMS minimum requirements\u003c/li\u003e\u003cli\u003eSystem is non-compliant with required monitoring/assessment frequencies within two assessment frequency cycles\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe System/Business Owner and ISSO will be notified of non-compliance via email. A 30-day grace period will be given to remediate the issue. After the 30 calendar day grace period has lapsed, systems that fail to meet metrics will be terminated from the OA Program.\u003c/p\u003e\u003cp\u003eSystems that are terminated from the OA Program because of non-compliance will be issued a one-year traditional ATO, and will be provided with a list of the actions required to fully rejoin the OA Program. Required actions will include a comprehensive CSRAP and Penetration Test. Other actions may be identified based on specific circumstances.\u003c/p\u003e\u003ch2\u003eRe-entry into the OA Program\u003c/h2\u003e\u003cp\u003eIt is possible for a terminated system to re-enter the OA Program. The System/Business Owner may request re-entry when the system has successfully met the required actions set in the one year \u003ca href=\"/learn/authorization-operate-ato\"\u003etraditional ATO\u003c/a\u003e. The CRA will evaluate the completion of the required actions.\u003c/p\u003e\u003cp\u003eThis may occur at or before the one year time period is up. However, the systems metrics must have remained green for at least 6 months prior to rejoining.\u003c/p\u003e\u003cp\u003eRejoining will require the re-issuance of the OA letter for the system.\u003c/p\u003e\u003ch2\u003eFrequently Asked Questions\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eHow do I access the OA Dashboard?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eFirst, ensure that you have the TABLEAU_DIR_VIEWER_PRD job code on your EUA profile. We have already added this code for known CMS ISSOs and System/Business Owners, but contractors will likely not have it. Request the job code through EUA if you do not have it.\u003c/p\u003e\u003cp\u003eNext, follow the instructions from the \u003ca href=\"https://confluenceent.cms.gov/download/attachments/195122542/OA%20Program%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20102721_Final.pdf?version=2\u0026amp;modificationDate=1639140237656\u0026amp;api=v2\"\u003eOA Program Dashboard - Quick Start Guide\u003c/a\u003e. (Note that Step 2 of the Quick Start Guide references the “Projects page”. The correct link on the navigation on the left side of the page is “Explore”. The Explore page then lists available projects.)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIs there a status report of the Security Hub integration for each system?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYes, the SecOps group tracks this. ISPG also reflects this information through mediums like CFACTS. For more information, please see \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCFACTS\u003c/a\u003e or ask your Cyber Risk Advisor (CRA).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow is system data collected and disseminated for OA?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe automation of data collection is from the \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Monitoring (CDM)\u003c/a\u003e program. Since we are starting in the OIT AWS Cloud, we have all aspects of the CDM data. We are still working on how that data is normalized and aggregated down to our data warehouse to support the reports through our reporting platform. The use of Security Hub is one way we are disseminating data, and we are also working on an OA concept report we are developing alongside users and internal SMEs. The Ongoing Authorization Program Status Dashboard is populated using available CDM data feeds regardless of the systems OA status or participation in the OA program. Our aim is to make data dissemination for OA usable for everybody.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWill OA be inclusive of hybrid PaaS/SaaS systems such as Salesforce?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ePlatform as a Service (PaaS) and Software as a Service (SaaS) systems will not be considered for OA at this time.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e|OIT Specific| How will non-critical findings from Security Hub be communicated?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eNon-critical findings will be communicated directly through Security Hub. There will not be any Jira tickets created for non-critical findings (which includes some of the Highs and certainly the Moderates and Lows).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow will the new automated CDM approach support the same level of useful metadata that the former manual HW/SW inventory previously provided?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe information will still be just as understandable, and delivered daily. The expanded reporting will be helpful in giving you a fuller picture. You can expect a more robust set of metadata for your use.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"20:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1f:{\"self\":\"$20\"}\n23:[\"menu_ui\",\"scheduler\"]\n22:{\"module\":\"$23\"}\n26:[]\n25:{\"available_menus\":\"$26\",\"parent\":\"\"}\n27:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n24:{\"menu_ui\":\"$25\",\"scheduler\":\"$27\"}\n21:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$22\",\"third_party_settings\":\"$24\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1e:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1f\",\"attributes\":\"$21\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}\n29:{\"self\":\"$2a\"}\n2b:{\"display_name\":\"mburgess\"}\n28:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":\"$29\",\"attributes\":\"$2b\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n2d:{\"self\":\"$2e\"}\n2f:{\"display_name\":\"meg - retired\"}\n2c:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$2d\",\"attributes\":\"$2f\"}\n32:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}\n31:{\"self\":\"$32\"}\n34:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n33:{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00"])</script><script>self.__next_f.push([1,"\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$34\"}\n38:{\"drupal_internal__target_id\":\"resource_type\"}\n37:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$38\"}\n3a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"}\n3b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}\n39:{\"related\":\"$3a\",\"self\":\"$3b\"}\n36:{\"data\":\"$37\",\"links\":\"$39\"}\n3e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"}\n3f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}\n3d:{\"related\":\"$3e\",\"self\":\"$3f\"}\n3c:{\"data\":null,\"links\":\"$3d\"}\n46:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n45:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$46\"}\n44:{\"help\":\"$45\"}\n43:{\"links\":\"$44\"}\n42:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$43\"}\n41:[\"$42\"]\n48:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"}\n49:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}\n47:{\"related\":\"$48\",\"self\":\"$49\"}\n40:{\"data\":\"$41\",\"links\":\"$47\"}\n35:{\"vid\":\"$36\",\"revision_user\":\"$3c\",\"parent\":\"$40\"}\n30:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":\"$31\",\"attributes\":\"$33\",\"relationships\":\"$35\"}\n4c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n4b:{\"self\":\"$4c\"}\n4e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4d:{\"drupal_intern"])</script><script>self.__next_f.push([1,"al__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4e\"}\n52:{\"drupal_internal__target_id\":\"roles\"}\n51:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$52\"}\n54:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n55:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n53:{\"related\":\"$54\",\"self\":\"$55\"}\n50:{\"data\":\"$51\",\"links\":\"$53\"}\n58:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n59:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n57:{\"related\":\"$58\",\"self\":\"$59\"}\n56:{\"data\":null,\"links\":\"$57\"}\n60:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n5f:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$60\"}\n5e:{\"help\":\"$5f\"}\n5d:{\"links\":\"$5e\"}\n5c:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$5d\"}\n5b:[\"$5c\"]\n62:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n63:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n61:{\"related\":\"$62\",\"self\":\"$63\"}\n5a:{\"data\":\"$5b\",\"links\":\"$61\"}\n4f:{\"vid\":\"$50\",\"revision_user\":\"$56\",\"parent\":\"$5a\"}\n4a:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$4b\",\"attributes\":\"$4d\",\"relationships\":\"$4f\"}\n66:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles"])</script><script>self.__next_f.push([1,"/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n65:{\"self\":\"$66\"}\n68:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n67:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$68\"}\n6c:{\"drupal_internal__target_id\":\"roles\"}\n6b:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$6c\"}\n6e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n6d:{\"related\":\"$6e\",\"self\":\"$6f\"}\n6a:{\"data\":\"$6b\",\"links\":\"$6d\"}\n72:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n73:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n71:{\"related\":\"$72\",\"self\":\"$73\"}\n70:{\"data\":null,\"links\":\"$71\"}\n7a:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n79:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$7a\"}\n78:{\"help\":\"$79\"}\n77:{\"links\":\"$78\"}\n76:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$77\"}\n75:[\"$76\"]\n7c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n7d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n7b:{\"related\":\"$7c\",\"self\":\"$7d\"}\n74:{\"data\":\"$75\",\"links\":\"$7b\"}\n69:{\"vid\":\"$6a\",\"revision_user\":\"$70\",\"parent\":\"$74\"}\n64:{\"type\":\"taxonomy_term--roles\",\"i"])</script><script>self.__next_f.push([1,"d\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$65\",\"attributes\":\"$67\",\"relationships\":\"$69\"}\n80:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n7f:{\"self\":\"$80\"}\n82:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n81:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$82\"}\n86:{\"drupal_internal__target_id\":\"roles\"}\n85:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$86\"}\n88:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n87:{\"related\":\"$88\",\"self\":\"$89\"}\n84:{\"data\":\"$85\",\"links\":\"$87\"}\n8c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n8d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n8b:{\"related\":\"$8c\",\"self\":\"$8d\"}\n8a:{\"data\":null,\"links\":\"$8b\"}\n94:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n93:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$94\"}\n92:{\"help\":\"$93\"}\n91:{\"links\":\"$92\"}\n90:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$91\"}\n8f:[\"$90\"]\n96:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n97:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n95:{\"related"])</script><script>self.__next_f.push([1,"\":\"$96\",\"self\":\"$97\"}\n8e:{\"data\":\"$8f\",\"links\":\"$95\"}\n83:{\"vid\":\"$84\",\"revision_user\":\"$8a\",\"parent\":\"$8e\"}\n7e:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$7f\",\"attributes\":\"$81\",\"relationships\":\"$83\"}\n9a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}\n99:{\"self\":\"$9a\"}\n9c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n9b:{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$9c\"}\na0:{\"drupal_internal__target_id\":\"topics\"}\n9f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$a0\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}\na1:{\"related\":\"$a2\",\"self\":\"$a3\"}\n9e:{\"data\":\"$9f\",\"links\":\"$a1\"}\na6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"}\na7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}\na5:{\"related\":\"$a6\",\"self\":\"$a7\"}\na4:{\"data\":null,\"links\":\"$a5\"}\nae:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nad:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$ae\"}\nac:{\"help\":\"$ad\"}\nab:{\"links\":\"$ac\"}\naa:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$ab\"}\na9:[\"$aa\"]\nb0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"}\nb1:{\"h"])</script><script>self.__next_f.push([1,"ref\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}\naf:{\"related\":\"$b0\",\"self\":\"$b1\"}\na8:{\"data\":\"$a9\",\"links\":\"$af\"}\n9d:{\"vid\":\"$9e\",\"revision_user\":\"$a4\",\"parent\":\"$a8\"}\n98:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":\"$99\",\"attributes\":\"$9b\",\"relationships\":\"$9d\"}\nb4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e?resourceVersion=id%3A11\"}\nb3:{\"self\":\"$b4\"}\nb6:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb5:{\"drupal_internal__tid\":11,\"drupal_internal__revision_id\":11,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:12+00:00\",\"status\":true,\"name\":\"System Authorization\",\"description\":null,\"weight\":7,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b6\"}\nba:{\"drupal_internal__target_id\":\"topics\"}\nb9:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$ba\"}\nbc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/vid?resourceVersion=id%3A11\"}\nbd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/vid?resourceVersion=id%3A11\"}\nbb:{\"related\":\"$bc\",\"self\":\"$bd\"}\nb8:{\"data\":\"$b9\",\"links\":\"$bb\"}\nc0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/revision_user?resourceVersion=id%3A11\"}\nc1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/revision_user?resourceVersion=id%3A11\"}\nbf:{\"related\":\"$c0\",\"self\":\"$c1\"}\nbe:{\"data\":null,\"links\":\"$bf\"}\nc8:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nc7:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c8\"}\nc6:{\"help\":\"$c7\"}\nc5:{\"links\":\"$c6\"}\nc4:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$c5\"}\nc3:"])</script><script>self.__next_f.push([1,"[\"$c4\"]\nca:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/parent?resourceVersion=id%3A11\"}\ncb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/parent?resourceVersion=id%3A11\"}\nc9:{\"related\":\"$ca\",\"self\":\"$cb\"}\nc2:{\"data\":\"$c3\",\"links\":\"$c9\"}\nb7:{\"vid\":\"$b8\",\"revision_user\":\"$be\",\"parent\":\"$c2\"}\nb2:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"links\":\"$b3\",\"attributes\":\"$b5\",\"relationships\":\"$b7\"}\nce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8e64b2f7-d23c-4782-b0e3-e3b850374054?resourceVersion=id%3A19161\"}\ncd:{\"self\":\"$ce\"}\nd0:[]\nd2:Td81,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is Ongoing Authorization (OA)?\u003c/h2\u003e\u003cp\u003eAll FISMA systems must be proven secure before they are allowed to operate. This authorization process has traditionally focused on a compliance-based model. In an effort to modernize the way that the government manages its systems, the National Institute of Standards and Technology (NIST) released guidance that requires all agencies to adopt an “ongoing state of security” and conduct “ongoing authorizations”. CMS is adopting new processes, services, and tools to support the ongoing authorization model. These resources are designed to continuously monitor systems to address real-time threats. With ongoing authorization, system controls are constantly evaluated and tested to spot vulnerabilities. This allows you to make risk-based decisions quickly and confidently and engage in remediation efforts to minimize ongoing exposures.\u003c/p\u003e\u003ch2\u003eOngoing Authorization (OA) vs. traditional ATO\u003c/h2\u003e\u003cp\u003eThe traditional ATO process has been used by the CMS community for decades. The OA process offers exciting new benefits for CMS FISMA systems.\u003c/p\u003e\u003ctable\u003e\u003ccaption\u003eComparison between traditional ATO and the new Ongoing Authorization (OA)\u003c/caption\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTraditional ATO\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eOngoing Authorization (OA)\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eCompleted every three years\u003c/li\u003e\u003cli\u003eControl-based testing\u003c/li\u003e\u003cli\u003eAssesses system security posture at a specific point in time\u003c/li\u003e\u003cli\u003eManual process\u003c/li\u003e\u003cli\u003eLabor intensive\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eContinuous monitoring\u003c/li\u003e\u003cli\u003eConstant evaluation of controls\u003c/li\u003e\u003cli\u003eAssesses system security posture continuously\u003c/li\u003e\u003cli\u003eAutomated process reduces labor burden\u003c/li\u003e\u003cli\u003eCompliant systems are allowed to continue to operate without a manual approval\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003eIs my system eligible for OA?\u003c/h2\u003e\u003cp\u003eCMS information systems must meet the following requirements before being considered for onboarding into the OA Program. These prerequisites are part of the pre-assessment conducted by the OA Team and determine the eligibility of the system to receive an OA:\u003c/p\u003e\u003col\u003e\u003cli\u003eValid ATO which is not expiring in the next 6 months\u003c/li\u003e\u003cli\u003eA security \u0026amp; privacy assessment (\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCSRAP\u003c/a\u003e/\u003ca href=\"/learn/security-controls-assessment-sca\"\u003eSCA\u003c/a\u003e and \u003ca href=\"/learn/penetration-testing\"\u003ePenTest\u003c/a\u003e) within the past 12 months\u003c/li\u003e\u003cli\u003eSystem/Business Owner and ISSO participated in the ISPG-provided Threat Modeling session (your CRA can help set this up for your team)\u003c/li\u003e\u003cli\u003eSystem must be fully OIT AWS cloud hosted no hybrids\u003c/li\u003e\u003cli\u003eSecurity Hub (SecHub) must be enabled\u003c/li\u003e\u003cli\u003eKey \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM) \u003c/a\u003edata feeds must be integrated into CDM architecture (HWAM, VUL)\u003c/li\u003e\u003cli\u003eData integration into requisite reporting mechanisms and visibility in corresponding dashboards, reports, etc. verified\u003c/li\u003e\u003cli\u003eSystem ISSO with a valid CMS certification letter\u003c/li\u003e\u003cli\u003eSystem must meet metrics baseline requirement\u003c/li\u003e\u003cli\u003eNo planned decommission of the system\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe \u003cstrong\u003eOngoing Authorization Program Dashboard\u003c/strong\u003e helps ISSOs and other security professionals to quickly identify what parts of their system meet the requirements for OA, and what steps they need to take (either to achieve or maintain OA).\u003c/p\u003e"])</script><script>self.__next_f.push([1,"d3:Td81,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is Ongoing Authorization (OA)?\u003c/h2\u003e\u003cp\u003eAll FISMA systems must be proven secure before they are allowed to operate. This authorization process has traditionally focused on a compliance-based model. In an effort to modernize the way that the government manages its systems, the National Institute of Standards and Technology (NIST) released guidance that requires all agencies to adopt an “ongoing state of security” and conduct “ongoing authorizations”. CMS is adopting new processes, services, and tools to support the ongoing authorization model. These resources are designed to continuously monitor systems to address real-time threats. With ongoing authorization, system controls are constantly evaluated and tested to spot vulnerabilities. This allows you to make risk-based decisions quickly and confidently and engage in remediation efforts to minimize ongoing exposures.\u003c/p\u003e\u003ch2\u003eOngoing Authorization (OA) vs. traditional ATO\u003c/h2\u003e\u003cp\u003eThe traditional ATO process has been used by the CMS community for decades. The OA process offers exciting new benefits for CMS FISMA systems.\u003c/p\u003e\u003ctable\u003e\u003ccaption\u003eComparison between traditional ATO and the new Ongoing Authorization (OA)\u003c/caption\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTraditional ATO\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eOngoing Authorization (OA)\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eCompleted every three years\u003c/li\u003e\u003cli\u003eControl-based testing\u003c/li\u003e\u003cli\u003eAssesses system security posture at a specific point in time\u003c/li\u003e\u003cli\u003eManual process\u003c/li\u003e\u003cli\u003eLabor intensive\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eContinuous monitoring\u003c/li\u003e\u003cli\u003eConstant evaluation of controls\u003c/li\u003e\u003cli\u003eAssesses system security posture continuously\u003c/li\u003e\u003cli\u003eAutomated process reduces labor burden\u003c/li\u003e\u003cli\u003eCompliant systems are allowed to continue to operate without a manual approval\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003eIs my system eligible for OA?\u003c/h2\u003e\u003cp\u003eCMS information systems must meet the following requirements before being considered for onboarding into the OA Program. These prerequisites are part of the pre-assessment conducted by the OA Team and determine the eligibility of the system to receive an OA:\u003c/p\u003e\u003col\u003e\u003cli\u003eValid ATO which is not expiring in the next 6 months\u003c/li\u003e\u003cli\u003eA security \u0026amp; privacy assessment (\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCSRAP\u003c/a\u003e/\u003ca href=\"/learn/security-controls-assessment-sca\"\u003eSCA\u003c/a\u003e and \u003ca href=\"/learn/penetration-testing\"\u003ePenTest\u003c/a\u003e) within the past 12 months\u003c/li\u003e\u003cli\u003eSystem/Business Owner and ISSO participated in the ISPG-provided Threat Modeling session (your CRA can help set this up for your team)\u003c/li\u003e\u003cli\u003eSystem must be fully OIT AWS cloud hosted no hybrids\u003c/li\u003e\u003cli\u003eSecurity Hub (SecHub) must be enabled\u003c/li\u003e\u003cli\u003eKey \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM) \u003c/a\u003edata feeds must be integrated into CDM architecture (HWAM, VUL)\u003c/li\u003e\u003cli\u003eData integration into requisite reporting mechanisms and visibility in corresponding dashboards, reports, etc. verified\u003c/li\u003e\u003cli\u003eSystem ISSO with a valid CMS certification letter\u003c/li\u003e\u003cli\u003eSystem must meet metrics baseline requirement\u003c/li\u003e\u003cli\u003eNo planned decommission of the system\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe \u003cstrong\u003eOngoing Authorization Program Dashboard\u003c/strong\u003e helps ISSOs and other security professionals to quickly identify what parts of their system meet the requirements for OA, and what steps they need to take (either to achieve or maintain OA).\u003c/p\u003e"])</script><script>self.__next_f.push([1,"d1:{\"value\":\"$d2\",\"format\":\"body_text\",\"processed\":\"$d3\"}\ncf:{\"drupal_internal__id\":2336,\"drupal_internal__revision_id\":19161,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-06T21:17:11+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$d0\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$d1\"}\nd7:{\"drupal_internal__target_id\":\"page_section\"}\nd6:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$d7\"}\nd9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8e64b2f7-d23c-4782-b0e3-e3b850374054/paragraph_type?resourceVersion=id%3A19161\"}\nda:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8e64b2f7-d23c-4782-b0e3-e3b850374054/relationships/paragraph_type?resourceVersion=id%3A19161\"}\nd8:{\"related\":\"$d9\",\"self\":\"$da\"}\nd5:{\"data\":\"$d6\",\"links\":\"$d8\"}\ndd:{\"target_revision_id\":19160,\"drupal_internal__target_id\":2331}\ndc:{\"type\":\"paragraph--call_out_box\",\"id\":\"ae0c6c13-8abb-443d-a45e-6cbaf3437a4c\",\"meta\":\"$dd\"}\ndf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8e64b2f7-d23c-4782-b0e3-e3b850374054/field_specialty_item?resourceVersion=id%3A19161\"}\ne0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8e64b2f7-d23c-4782-b0e3-e3b850374054/relationships/field_specialty_item?resourceVersion=id%3A19161\"}\nde:{\"related\":\"$df\",\"self\":\"$e0\"}\ndb:{\"data\":\"$dc\",\"links\":\"$de\"}\nd4:{\"paragraph_type\":\"$d5\",\"field_specialty_item\":\"$db\"}\ncc:{\"type\":\"paragraph--page_section\",\"id\":\"8e64b2f7-d23c-4782-b0e3-e3b850374054\",\"links\":\"$cd\",\"attributes\":\"$cf\",\"relationships\":\"$d4\"}\ne3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53ba39d8-a757-47cf-9d7e-e7a23389889e?resourceVersion=id%3A19169\"}\ne2:{\"self\":\"$e3\"}\ne5:[]\ne6:{\"value\":\"\u003ch2\u003eOA Program onboarding process\u003c/h2\u003e\u003cp\u003eIf your system qualifies for the OA Program, you will complete the following process to onboard:\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2\u003eOA Program onboarding proces"])</script><script>self.__next_f.push([1,"s\u003c/h2\u003e\u003cp\u003eIf your system qualifies for the OA Program, you will complete the following process to onboard:\u003c/p\u003e\"}\ne4:{\"drupal_internal__id\":2351,\"drupal_internal__revision_id\":19169,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-06T21:18:07+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$e5\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$e6\"}\nea:{\"drupal_internal__target_id\":\"page_section\"}\ne9:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$ea\"}\nec:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53ba39d8-a757-47cf-9d7e-e7a23389889e/paragraph_type?resourceVersion=id%3A19169\"}\ned:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53ba39d8-a757-47cf-9d7e-e7a23389889e/relationships/paragraph_type?resourceVersion=id%3A19169\"}\neb:{\"related\":\"$ec\",\"self\":\"$ed\"}\ne8:{\"data\":\"$e9\",\"links\":\"$eb\"}\nf0:{\"target_revision_id\":19168,\"drupal_internal__target_id\":2346}\nef:{\"type\":\"paragraph--process_list\",\"id\":\"5a00832f-f53f-42e9-bcfe-20b3a03db922\",\"meta\":\"$f0\"}\nf2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53ba39d8-a757-47cf-9d7e-e7a23389889e/field_specialty_item?resourceVersion=id%3A19169\"}\nf3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53ba39d8-a757-47cf-9d7e-e7a23389889e/relationships/field_specialty_item?resourceVersion=id%3A19169\"}\nf1:{\"related\":\"$f2\",\"self\":\"$f3\"}\nee:{\"data\":\"$ef\",\"links\":\"$f1\"}\ne7:{\"paragraph_type\":\"$e8\",\"field_specialty_item\":\"$ee\"}\ne1:{\"type\":\"paragraph--page_section\",\"id\":\"53ba39d8-a757-47cf-9d7e-e7a23389889e\",\"links\":\"$e2\",\"attributes\":\"$e4\",\"relationships\":\"$e7\"}\nf6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/123ffcec-1914-4725-a582-5c61bd8c9241?resourceVersion=id%3A19171\"}\nf5:{\"self\":\"$f6\"}\nf8:[]\nfa:T48c,\u003ch2\u003eMaintaining your systems OA\u003c/h2\u003e\u003cp\u003eAfter a system has been onboarded to the OA Program, the system enters \u003cstrong\u003eContinuous Monitoring \u003c/strong\u003estatus. "])</script><script>self.__next_f.push([1,"During this phase, continuous assessment activities are conducted to ensure that the system is operating within the agreed-upon risk thresholds outlined in the OA Program welcome package . The following CMS programs and tools will be used to monitor the system:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS CDM Program\u003c/li\u003e\u003cli\u003eCMS Cybersecurity Integration Center (CCIC) monitoring\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/cyber-risk-reports\"\u003eCyber Risk Reporting\u003c/a\u003e\u003c/li\u003e\u003cli\u003eAd hoc risk reviews\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe OA Program also publishes the\u003cstrong\u003e OA Cyber Risk Report\u003c/strong\u003e, which\u003cstrong\u003e \u003c/strong\u003eincludes security results from all risk information sources including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAssessment of inherited controls\u003c/li\u003e\u003cli\u003eDevelopment environment testing\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCCIC\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eOther assessment activities as required\u003c/li\u003e\u003c/ul\u003efb:T48c,\u003ch2\u003eMaintaining your systems OA\u003c/h2\u003e\u003cp\u003eAfter a system has been onboarded to the OA Program, the system enters \u003cstrong\u003eContinuous Monitoring \u003c/strong\u003estatus. During this phase, continuous assessment activities are conducted to ensure that the system is operating within the agreed-upon risk thresholds outlined in the OA Program welcome package . The following CMS programs and tools will be used to monitor the system:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS CDM Program\u003c/li\u003e\u003cli\u003eCMS Cybersecurity Integration Center (CCIC) monitoring\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/cyber-risk-reports\"\u003eCyber Risk Reporting\u003c/a\u003e\u003c/li\u003e\u003cli\u003eAd hoc risk reviews\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe OA Program also publishes the\u003cstrong\u003e OA Cyber Risk Report\u003c/strong\u003e, which\u003cstrong\u003e \u003c/strong\u003eincludes security results from all risk information sources including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAssessment of inherited controls\u003c/li\u003e\u003cli\u003eDevelopment environment testing\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCCIC\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessmen"])</script><script>self.__next_f.push([1,"t-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eOther assessment activities as required\u003c/li\u003e\u003c/ul\u003ef9:{\"value\":\"$fa\",\"format\":\"body_text\",\"processed\":\"$fb\"}\nf7:{\"drupal_internal__id\":2386,\"drupal_internal__revision_id\":19171,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:21:55+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$f8\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$f9\"}\nff:{\"drupal_internal__target_id\":\"page_section\"}\nfe:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$ff\"}\n101:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/123ffcec-1914-4725-a582-5c61bd8c9241/paragraph_type?resourceVersion=id%3A19171\"}\n102:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/123ffcec-1914-4725-a582-5c61bd8c9241/relationships/paragraph_type?resourceVersion=id%3A19171\"}\n100:{\"related\":\"$101\",\"self\":\"$102\"}\nfd:{\"data\":\"$fe\",\"links\":\"$100\"}\n105:{\"target_revision_id\":19170,\"drupal_internal__target_id\":2381}\n104:{\"type\":\"paragraph--call_out_box\",\"id\":\"aecadbee-307a-44a7-bfcc-aeca5ef14e74\",\"meta\":\"$105\"}\n107:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/123ffcec-1914-4725-a582-5c61bd8c9241/field_specialty_item?resourceVersion=id%3A19171\"}\n108:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/123ffcec-1914-4725-a582-5c61bd8c9241/relationships/field_specialty_item?resourceVersion=id%3A19171\"}\n106:{\"related\":\"$107\",\"self\":\"$108\"}\n103:{\"data\":\"$104\",\"links\":\"$106\"}\nfc:{\"paragraph_type\":\"$fd\",\"field_specialty_item\":\"$103\"}\nf4:{\"type\":\"paragraph--page_section\",\"id\":\"123ffcec-1914-4725-a582-5c61bd8c9241\",\"links\":\"$f5\",\"attributes\":\"$f7\",\"relationships\":\"$fc\"}\n10b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/e5ef118a-a42b-4cfb-b5a6-cebc127739d3?resourceVersion=id%3A19172\"}\n10a:{\"self\":\"$10b\"}\n10d:[]\n10f:T3377,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eContinuous monitoring result: triggers\u003c/h2\u003e\u003cp\u003eTriggers directly monitor a system's security posture and can indicate risks beyond acceptable limits. During the continuous monitoring process, the OA Team manages both \u003cstrong\u003etime-driven\u003c/strong\u003e and \u003cstrong\u003eevent-driven \u003c/strong\u003etriggers.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTime-driven\u003c/strong\u003e triggers are based on CMSs predefined frequency by the OA Team, senior CMS leadership, and system security stakeholders.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent-driven triggers\u003c/strong\u003e are based on a specific internal or external event of significance to the system.\u003c/p\u003e\u003cp\u003eEach trigger requires a unique response. Example responses to triggers include:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOA Cyber Risk Report Trigger\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIf the OA Cyber Risk Report shows risk that is out of compliance with the documented risk tolerance, the OA Team will conduct a risk review to determine the severity and mitigation needed.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident or Cyber Threat Intelligence Trigger\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAn incident or relevant cyber threat intelligence may also trigger an OA Team risk review to determine the severity and mitigation needed.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSignificant System Change\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eA significant change to a system should be reviewed by the CRA to determine if the security requirements of the system will need to change.\u003c/p\u003e\u003cp\u003eTriggers may come from any number of internal or external sources and may vary in degree of severity, requiring unique response times. The System/Business Owner and ISSO should independently review the \u003cstrong\u003eOA Program Dashboard \u003c/strong\u003eweekly to confirm system status.\u003c/p\u003e\u003cp\u003eIf the trigger identifies remediation activities, those activities will be tracked to completion by the OA Team, including any need for re-authorization or renewal of the OA. Items of non-compliance are identified and entered on the trigger log (with severity assigned). Non-compliant fields will turn red on the\u003cstrong\u003e OA Program Dashboard\u003c/strong\u003e. The System/Business Owner, ISSO, and CRA must work together to resolve these triggers with mitigations or other actions.\u003c/p\u003e\u003cp\u003eSystems will be considered non-compliant with OA Program requirements if they fail to meet 1 out of 5 metrics (i.e. 20%). The ISSO coordinates remedial actions based on trigger severity. Items of non-compliance below the defined threshold are identified and entered on the Trigger Accountability Log (TRAL) by the CRA. The CRA then notifies the System/Business Owner and ISSO of non-compliance via email.\u003c/p\u003e\u003ch2\u003eTrigger severity guide\u003c/h2\u003e\u003cp\u003eThe following guide helps System/Business Owners and ISSOs determine the severity of a trigger experienced by their system, and offers the timeline for remediation.\u003c/p\u003e\u003ch3\u003eLast Penetration Test (PenTest)\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eEnsures\u003cstrong\u003e \u003c/strong\u003ethat a PenTest has been performed based on the system's risk. This is done as part of the Cybersecurity and Risk Assessment Program (CSRAP) process. Per ARS 5.0, this is a requirement for HVA, FIPS High, and systems with PII/PHI.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eMeasured in days. If the measuring scale goes beyond 1 year, an adjustment would need to be made.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eLast PenTest date:\u003cbr\u003e*Risk Level 3: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 2: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 1: \u0026lt; = N/A\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low):\u003c/strong\u003e N/A\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003ch3\u003eLast Cybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eEnsures that an CSRAP has been performed and provides coverage for controls that are not yet automated and integrated into the OA Program.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eMeasured in days.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eLast CSRAP date:\u003cbr\u003e*Risk Level 3: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 2: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 1: \u0026lt; = 365 days\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low): \u003c/strong\u003eLow\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: High\u003c/p\u003e\u003ch3\u003eVulnerability Risk Tolerance\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eProvides the average AWARE score for all systems components\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAWARE Score current vs. previous 30 days\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCalculated for each Vulnerability: CVSS Score * Age * System Risk Category * 2 (If Exploitability flag = \"Yes\")\u003c/p\u003e\u003cp\u003eSystem calculation is the average score for all vulnerabilities identified for the system (High \u0026amp; Critical for MVP)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: High\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: High\u003c/p\u003e\u003ch3\u003eResiliency Score\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eProvides an overall risk score for an IS and/or Component\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll POA\u0026amp;M within the FISMA boundary\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAggregate risk score attributed by Open POA\u0026amp;Ms based upon criticality (L = 10, M = 15, H = 30, C = 45)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: High\u003c/p\u003e\u003ch3\u003eResidual Risk\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eUnderstanding the number of accepted risks in correlation with active risks/vulnerabilities on the system\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll risks associated with the information system boundary\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eTarget: (thresholds scale)\u003c/p\u003e\u003cp\u003eCalculation: Total # of risk acceptances that are valid\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Informational\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Informational\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: Informational\u003c/p\u003e\u003ch3\u003eAsset Risk Tolerance\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eRepresents the confidence that the reporting is accurate based on past reported asset data per system\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll assets within the FISMA Boundary\u003c/p\u003e\u003cp\u003eRef: Unaccounted change of +/-40% over the last 30 days flags a value as unreliable (prior months inventory current months inventory)/prior months inventory \u0026gt;40% or \u0026lt; -40%\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eTarget = + or - 40%\u003c/p\u003e\u003cp\u003eWeight = N/A\u003c/p\u003e\u003cp\u003eCalculation: Unaccounted change of +/-40% over the last 30\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Low\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Low\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003ch2\u003eOA Program non-compliance process\u003c/h2\u003e\u003cp\u003eIf a system fails to meet 1 out of 5 of the OA Program metrics, the System/Business Owner and ISSO will be notified via email and given a grace period of 30 calendar days to get the system back into compliance (i.e. green on all metrics). If the deficiencies have been fully addressed, the system may remain in the OA Program.\u003c/p\u003e\u003cp\u003eIf the deficiencies are not fully addressed during the 30-day probation period, the system team will be required to present their progress in correcting deficiencies to the Chief Information Security Officer (CISO) and AO for their review and consideration for continued participation.\u003c/p\u003e\u003cp\u003eA system will be considered non-compliant based on the following criteria:\u003c/p\u003e\u003ch3\u003eRisk tolerance level\u003c/h3\u003e\u003cp\u003eExceeds the prescribed CMS risk tolerance level for the corresponding system risk threshold tier based on \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFIPS 199 categorization\u003c/a\u003e, High Value Asset (HVA) identification, and other factors.\u003c/p\u003e\u003ch3\u003eDelayed remediation\u003c/h3\u003e\u003cp\u003eHas delayed remediation of critical and/or high-impact vulnerabilities\u003c/p\u003e\u003ch3\u003ePOA\u0026amp;M non-compliance\u003c/h3\u003e\u003cp\u003eIs non-compliant with CMS \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action \u0026amp; Milestones (POA\u0026amp;M)\u003c/a\u003e resolution timelines policies:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCritical: 15 days\u003c/li\u003e\u003cli\u003eHigh: 30 days\u003c/li\u003e\u003cli\u003eModerate: 90 days\u003c/li\u003e\u003cli\u003eLow: 365 days\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eLack of continuous monitoring\u003c/h3\u003e\u003cp\u003eThe system is unable to execute continuous monitoring processes and tasks, such as:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem has not been scanned in accordance with CMS minimum requirements\u003c/li\u003e\u003cli\u003eSystem has not been patched in accordance with CMS minimum requirements\u003c/li\u003e\u003cli\u003eSystem is non-compliant with required monitoring/assessment frequencies within two assessment frequency cycles\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe System/Business Owner and ISSO will be notified of non-compliance via email. A 30-day grace period will be given to remediate the issue. After the 30 calendar day grace period has lapsed, systems that fail to meet metrics will be terminated from the OA Program.\u003c/p\u003e\u003cp\u003eSystems that are terminated from the OA Program because of non-compliance will be issued a one-year traditional ATO, and will be provided with a list of the actions required to fully rejoin the OA Program. Required actions will include a comprehensive CSRAP and Penetration Test. Other actions may be identified based on specific circumstances.\u003c/p\u003e\u003ch2\u003eRe-entry into the OA Program\u003c/h2\u003e\u003cp\u003eIt is possible for a terminated system to re-enter the OA Program. The System/Business Owner may request re-entry when the system has successfully met the required actions set in the one year \u003ca href=\"/learn/authorization-operate-ato\"\u003etraditional ATO\u003c/a\u003e. The CRA will evaluate the completion of the required actions.\u003c/p\u003e\u003cp\u003eThis may occur at or before the one year time period is up. However, the systems metrics must have remained green for at least 6 months prior to rejoining.\u003c/p\u003e\u003cp\u003eRejoining will require the re-issuance of the OA letter for the system.\u003c/p\u003e\u003ch2\u003eFrequently Asked Questions\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eHow do I access the OA Dashboard?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eFirst, ensure that you have the TABLEAU_DIR_VIEWER_PRD job code on your EUA profile. We have already added this code for known CMS ISSOs and System/Business Owners, but contractors will likely not have it. Request the job code through EUA if you do not have it.\u003c/p\u003e\u003cp\u003eNext, follow the instructions from the \u003ca href=\"https://confluenceent.cms.gov/download/attachments/195122542/OA%20Program%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20102721_Final.pdf?version=2\u0026amp;modificationDate=1639140237656\u0026amp;api=v2\"\u003eOA Program Dashboard - Quick Start Guide\u003c/a\u003e. (Note that Step 2 of the Quick Start Guide references the “Projects page”. The correct link on the navigation on the left side of the page is “Explore”. The Explore page then lists available projects.)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIs there a status report of the Security Hub integration for each system?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYes, the SecOps group tracks this. ISPG also reflects this information through mediums like CFACTS. For more information, please see \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCFACTS\u003c/a\u003e or ask your Cyber Risk Advisor (CRA).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow is system data collected and disseminated for OA?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe automation of data collection is from the \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Monitoring (CDM)\u003c/a\u003e program. Since we are starting in the OIT AWS Cloud, we have all aspects of the CDM data. We are still working on how that data is normalized and aggregated down to our data warehouse to support the reports through our reporting platform. The use of Security Hub is one way we are disseminating data, and we are also working on an OA concept report we are developing alongside users and internal SMEs. The Ongoing Authorization Program Status Dashboard is populated using available CDM data feeds regardless of the systems OA status or participation in the OA program. Our aim is to make data dissemination for OA usable for everybody.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWill OA be inclusive of hybrid PaaS/SaaS systems such as Salesforce?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ePlatform as a Service (PaaS) and Software as a Service (SaaS) systems will not be considered for OA at this time.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e|OIT Specific| How will non-critical findings from Security Hub be communicated?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eNon-critical findings will be communicated directly through Security Hub. There will not be any Jira tickets created for non-critical findings (which includes some of the Highs and certainly the Moderates and Lows).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow will the new automated CDM approach support the same level of useful metadata that the former manual HW/SW inventory previously provided?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe information will still be just as understandable, and delivered daily. The expanded reporting will be helpful in giving you a fuller picture. You can expect a more robust set of metadata for your use.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"110:T3377,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eContinuous monitoring result: triggers\u003c/h2\u003e\u003cp\u003eTriggers directly monitor a system's security posture and can indicate risks beyond acceptable limits. During the continuous monitoring process, the OA Team manages both \u003cstrong\u003etime-driven\u003c/strong\u003e and \u003cstrong\u003eevent-driven \u003c/strong\u003etriggers.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTime-driven\u003c/strong\u003e triggers are based on CMSs predefined frequency by the OA Team, senior CMS leadership, and system security stakeholders.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent-driven triggers\u003c/strong\u003e are based on a specific internal or external event of significance to the system.\u003c/p\u003e\u003cp\u003eEach trigger requires a unique response. Example responses to triggers include:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOA Cyber Risk Report Trigger\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIf the OA Cyber Risk Report shows risk that is out of compliance with the documented risk tolerance, the OA Team will conduct a risk review to determine the severity and mitigation needed.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident or Cyber Threat Intelligence Trigger\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAn incident or relevant cyber threat intelligence may also trigger an OA Team risk review to determine the severity and mitigation needed.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSignificant System Change\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eA significant change to a system should be reviewed by the CRA to determine if the security requirements of the system will need to change.\u003c/p\u003e\u003cp\u003eTriggers may come from any number of internal or external sources and may vary in degree of severity, requiring unique response times. The System/Business Owner and ISSO should independently review the \u003cstrong\u003eOA Program Dashboard \u003c/strong\u003eweekly to confirm system status.\u003c/p\u003e\u003cp\u003eIf the trigger identifies remediation activities, those activities will be tracked to completion by the OA Team, including any need for re-authorization or renewal of the OA. Items of non-compliance are identified and entered on the trigger log (with severity assigned). Non-compliant fields will turn red on the\u003cstrong\u003e OA Program Dashboard\u003c/strong\u003e. The System/Business Owner, ISSO, and CRA must work together to resolve these triggers with mitigations or other actions.\u003c/p\u003e\u003cp\u003eSystems will be considered non-compliant with OA Program requirements if they fail to meet 1 out of 5 metrics (i.e. 20%). The ISSO coordinates remedial actions based on trigger severity. Items of non-compliance below the defined threshold are identified and entered on the Trigger Accountability Log (TRAL) by the CRA. The CRA then notifies the System/Business Owner and ISSO of non-compliance via email.\u003c/p\u003e\u003ch2\u003eTrigger severity guide\u003c/h2\u003e\u003cp\u003eThe following guide helps System/Business Owners and ISSOs determine the severity of a trigger experienced by their system, and offers the timeline for remediation.\u003c/p\u003e\u003ch3\u003eLast Penetration Test (PenTest)\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eEnsures\u003cstrong\u003e \u003c/strong\u003ethat a PenTest has been performed based on the system's risk. This is done as part of the Cybersecurity and Risk Assessment Program (CSRAP) process. Per ARS 5.0, this is a requirement for HVA, FIPS High, and systems with PII/PHI.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eMeasured in days. If the measuring scale goes beyond 1 year, an adjustment would need to be made.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eLast PenTest date:\u003cbr\u003e*Risk Level 3: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 2: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 1: \u0026lt; = N/A\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low):\u003c/strong\u003e N/A\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003ch3\u003eLast Cybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eEnsures that an CSRAP has been performed and provides coverage for controls that are not yet automated and integrated into the OA Program.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eMeasured in days.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eLast CSRAP date:\u003cbr\u003e*Risk Level 3: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 2: \u0026lt;= 365 days\u003cbr\u003e*Risk Level 1: \u0026lt; = 365 days\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low): \u003c/strong\u003eLow\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: High\u003c/p\u003e\u003ch3\u003eVulnerability Risk Tolerance\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eProvides the average AWARE score for all systems components\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAWARE Score current vs. previous 30 days\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCalculated for each Vulnerability: CVSS Score * Age * System Risk Category * 2 (If Exploitability flag = \"Yes\")\u003c/p\u003e\u003cp\u003eSystem calculation is the average score for all vulnerabilities identified for the system (High \u0026amp; Critical for MVP)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: High\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: High\u003c/p\u003e\u003ch3\u003eResiliency Score\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eProvides an overall risk score for an IS and/or Component\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll POA\u0026amp;M within the FISMA boundary\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAggregate risk score attributed by Open POA\u0026amp;Ms based upon criticality (L = 10, M = 15, H = 30, C = 45)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: High\u003c/p\u003e\u003ch3\u003eResidual Risk\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eUnderstanding the number of accepted risks in correlation with active risks/vulnerabilities on the system\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll risks associated with the information system boundary\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eTarget: (thresholds scale)\u003c/p\u003e\u003cp\u003eCalculation: Total # of risk acceptances that are valid\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Informational\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Informational\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: Informational\u003c/p\u003e\u003ch3\u003eAsset Risk Tolerance\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eRepresents the confidence that the reporting is accurate based on past reported asset data per system\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eScope/Criteria\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll assets within the FISMA Boundary\u003c/p\u003e\u003cp\u003eRef: Unaccounted change of +/-40% over the last 30 days flags a value as unreliable (prior months inventory current months inventory)/prior months inventory \u0026gt;40% or \u0026lt; -40%\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCalculation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eTarget = + or - 40%\u003c/p\u003e\u003cp\u003eWeight = N/A\u003c/p\u003e\u003cp\u003eCalculation: Unaccounted change of +/-40% over the last 30\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 1 (FIPS Low)\u003c/strong\u003e: Low\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 2 (System is financial or contains PII)\u003c/strong\u003e: Low\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem risk level 3 (System is HVA or MEF or FIPS High)\u003c/strong\u003e: Moderate\u003c/p\u003e\u003ch2\u003eOA Program non-compliance process\u003c/h2\u003e\u003cp\u003eIf a system fails to meet 1 out of 5 of the OA Program metrics, the System/Business Owner and ISSO will be notified via email and given a grace period of 30 calendar days to get the system back into compliance (i.e. green on all metrics). If the deficiencies have been fully addressed, the system may remain in the OA Program.\u003c/p\u003e\u003cp\u003eIf the deficiencies are not fully addressed during the 30-day probation period, the system team will be required to present their progress in correcting deficiencies to the Chief Information Security Officer (CISO) and AO for their review and consideration for continued participation.\u003c/p\u003e\u003cp\u003eA system will be considered non-compliant based on the following criteria:\u003c/p\u003e\u003ch3\u003eRisk tolerance level\u003c/h3\u003e\u003cp\u003eExceeds the prescribed CMS risk tolerance level for the corresponding system risk threshold tier based on \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFIPS 199 categorization\u003c/a\u003e, High Value Asset (HVA) identification, and other factors.\u003c/p\u003e\u003ch3\u003eDelayed remediation\u003c/h3\u003e\u003cp\u003eHas delayed remediation of critical and/or high-impact vulnerabilities\u003c/p\u003e\u003ch3\u003ePOA\u0026amp;M non-compliance\u003c/h3\u003e\u003cp\u003eIs non-compliant with CMS \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action \u0026amp; Milestones (POA\u0026amp;M)\u003c/a\u003e resolution timelines policies:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCritical: 15 days\u003c/li\u003e\u003cli\u003eHigh: 30 days\u003c/li\u003e\u003cli\u003eModerate: 90 days\u003c/li\u003e\u003cli\u003eLow: 365 days\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eLack of continuous monitoring\u003c/h3\u003e\u003cp\u003eThe system is unable to execute continuous monitoring processes and tasks, such as:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem has not been scanned in accordance with CMS minimum requirements\u003c/li\u003e\u003cli\u003eSystem has not been patched in accordance with CMS minimum requirements\u003c/li\u003e\u003cli\u003eSystem is non-compliant with required monitoring/assessment frequencies within two assessment frequency cycles\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe System/Business Owner and ISSO will be notified of non-compliance via email. A 30-day grace period will be given to remediate the issue. After the 30 calendar day grace period has lapsed, systems that fail to meet metrics will be terminated from the OA Program.\u003c/p\u003e\u003cp\u003eSystems that are terminated from the OA Program because of non-compliance will be issued a one-year traditional ATO, and will be provided with a list of the actions required to fully rejoin the OA Program. Required actions will include a comprehensive CSRAP and Penetration Test. Other actions may be identified based on specific circumstances.\u003c/p\u003e\u003ch2\u003eRe-entry into the OA Program\u003c/h2\u003e\u003cp\u003eIt is possible for a terminated system to re-enter the OA Program. The System/Business Owner may request re-entry when the system has successfully met the required actions set in the one year \u003ca href=\"/learn/authorization-operate-ato\"\u003etraditional ATO\u003c/a\u003e. The CRA will evaluate the completion of the required actions.\u003c/p\u003e\u003cp\u003eThis may occur at or before the one year time period is up. However, the systems metrics must have remained green for at least 6 months prior to rejoining.\u003c/p\u003e\u003cp\u003eRejoining will require the re-issuance of the OA letter for the system.\u003c/p\u003e\u003ch2\u003eFrequently Asked Questions\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eHow do I access the OA Dashboard?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eFirst, ensure that you have the TABLEAU_DIR_VIEWER_PRD job code on your EUA profile. We have already added this code for known CMS ISSOs and System/Business Owners, but contractors will likely not have it. Request the job code through EUA if you do not have it.\u003c/p\u003e\u003cp\u003eNext, follow the instructions from the \u003ca href=\"https://confluenceent.cms.gov/download/attachments/195122542/OA%20Program%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20102721_Final.pdf?version=2\u0026amp;modificationDate=1639140237656\u0026amp;api=v2\"\u003eOA Program Dashboard - Quick Start Guide\u003c/a\u003e. (Note that Step 2 of the Quick Start Guide references the “Projects page”. The correct link on the navigation on the left side of the page is “Explore”. The Explore page then lists available projects.)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIs there a status report of the Security Hub integration for each system?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYes, the SecOps group tracks this. ISPG also reflects this information through mediums like CFACTS. For more information, please see \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCFACTS\u003c/a\u003e or ask your Cyber Risk Advisor (CRA).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow is system data collected and disseminated for OA?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe automation of data collection is from the \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Monitoring (CDM)\u003c/a\u003e program. Since we are starting in the OIT AWS Cloud, we have all aspects of the CDM data. We are still working on how that data is normalized and aggregated down to our data warehouse to support the reports through our reporting platform. The use of Security Hub is one way we are disseminating data, and we are also working on an OA concept report we are developing alongside users and internal SMEs. The Ongoing Authorization Program Status Dashboard is populated using available CDM data feeds regardless of the systems OA status or participation in the OA program. Our aim is to make data dissemination for OA usable for everybody.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWill OA be inclusive of hybrid PaaS/SaaS systems such as Salesforce?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ePlatform as a Service (PaaS) and Software as a Service (SaaS) systems will not be considered for OA at this time.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e|OIT Specific| How will non-critical findings from Security Hub be communicated?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eNon-critical findings will be communicated directly through Security Hub. There will not be any Jira tickets created for non-critical findings (which includes some of the Highs and certainly the Moderates and Lows).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow will the new automated CDM approach support the same level of useful metadata that the former manual HW/SW inventory previously provided?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe information will still be just as understandable, and delivered daily. The expanded reporting will be helpful in giving you a fuller picture. You can expect a more robust set of metadata for your use.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"10e:{\"value\":\"$10f\",\"format\":\"body_text\",\"processed\":\"$110\"}\n10c:{\"drupal_internal__id\":2426,\"drupal_internal__revision_id\":19172,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:23:16+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$10d\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$10e\"}\n114:{\"drupal_internal__target_id\":\"page_section\"}\n113:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$114\"}\n116:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/e5ef118a-a42b-4cfb-b5a6-cebc127739d3/paragraph_type?resourceVersion=id%3A19172\"}\n117:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/e5ef118a-a42b-4cfb-b5a6-cebc127739d3/relationships/paragraph_type?resourceVersion=id%3A19172\"}\n115:{\"related\":\"$116\",\"self\":\"$117\"}\n112:{\"data\":\"$113\",\"links\":\"$115\"}\n11a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/e5ef118a-a42b-4cfb-b5a6-cebc127739d3/field_specialty_item?resourceVersion=id%3A19172\"}\n11b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/e5ef118a-a42b-4cfb-b5a6-cebc127739d3/relationships/field_specialty_item?resourceVersion=id%3A19172\"}\n119:{\"related\":\"$11a\",\"self\":\"$11b\"}\n118:{\"data\":null,\"links\":\"$119\"}\n111:{\"paragraph_type\":\"$112\",\"field_specialty_item\":\"$118\"}\n109:{\"type\":\"paragraph--page_section\",\"id\":\"e5ef118a-a42b-4cfb-b5a6-cebc127739d3\",\"links\":\"$10a\",\"attributes\":\"$10c\",\"relationships\":\"$111\"}\n11e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/ae0c6c13-8abb-443d-a45e-6cbaf3437a4c?resourceVersion=id%3A19160\"}\n11d:{\"self\":\"$11e\"}\n120:[]\n122:[]\n121:{\"uri\":\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=195122542\u0026preview=/195122542/250712614/OA%20Program%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20102721_Final.pdf\",\"title\":\"\",\"options\":\"$122\",\"url\":\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=195122542\u0026preview=/195122542/250712614/OA%20Program%20Dashb"])</script><script>self.__next_f.push([1,"oard%20-%20Quick%20Start%20Guide%201.0%20102721_Final.pdf\"}\n123:{\"value\":\"Learn how to access and use the Ongoing Authorization Program Dashboard. (CMS internal link)\\r\\n\\r\\n\\r\\n\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eLearn how to access and use the Ongoing Authorization Program Dashboard. (CMS internal link)\u003c/p\u003e\\n\"}\n11f:{\"drupal_internal__id\":2331,\"drupal_internal__revision_id\":19160,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-06T21:17:11+00:00\",\"parent_id\":\"2336\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$120\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":\"$121\",\"field_call_out_link_text\":\"See the OA Dashboard guide\",\"field_call_out_text\":\"$123\",\"field_header\":\"Quick start guide\"}\n127:{\"drupal_internal__target_id\":\"call_out_box\"}\n126:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$127\"}\n129:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/ae0c6c13-8abb-443d-a45e-6cbaf3437a4c/paragraph_type?resourceVersion=id%3A19160\"}\n12a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/ae0c6c13-8abb-443d-a45e-6cbaf3437a4c/relationships/paragraph_type?resourceVersion=id%3A19160\"}\n128:{\"related\":\"$129\",\"self\":\"$12a\"}\n125:{\"data\":\"$126\",\"links\":\"$128\"}\n124:{\"paragraph_type\":\"$125\"}\n11c:{\"type\":\"paragraph--call_out_box\",\"id\":\"ae0c6c13-8abb-443d-a45e-6cbaf3437a4c\",\"links\":\"$11d\",\"attributes\":\"$11f\",\"relationships\":\"$124\"}\n12d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/5a00832f-f53f-42e9-bcfe-20b3a03db922?resourceVersion=id%3A19168\"}\n12c:{\"self\":\"$12d\"}\n12f:[]\n12e:{\"drupal_internal__id\":2346,\"drupal_internal__revision_id\":19168,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-06T21:18:30+00:00\",\"parent_id\":\"2351\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$12f\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null}\n133:{\"drupal_internal__target_id\":\"pr"])</script><script>self.__next_f.push([1,"ocess_list\"}\n132:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":\"$133\"}\n135:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/5a00832f-f53f-42e9-bcfe-20b3a03db922/paragraph_type?resourceVersion=id%3A19168\"}\n136:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/5a00832f-f53f-42e9-bcfe-20b3a03db922/relationships/paragraph_type?resourceVersion=id%3A19168\"}\n134:{\"related\":\"$135\",\"self\":\"$136\"}\n131:{\"data\":\"$132\",\"links\":\"$134\"}\n13a:{\"target_revision_id\":19162,\"drupal_internal__target_id\":2341}\n139:{\"type\":\"paragraph--process_list_item\",\"id\":\"8fd40376-7435-486e-8349-b5d170510f05\",\"meta\":\"$13a\"}\n13c:{\"target_revision_id\":19163,\"drupal_internal__target_id\":2356}\n13b:{\"type\":\"paragraph--process_list_item\",\"id\":\"62b8fb6b-a4f8-4043-8ffe-51da6dfb4720\",\"meta\":\"$13c\"}\n13e:{\"target_revision_id\":19164,\"drupal_internal__target_id\":2361}\n13d:{\"type\":\"paragraph--process_list_item\",\"id\":\"de1e111d-bb99-44d6-a1a6-b3c92b895371\",\"meta\":\"$13e\"}\n140:{\"target_revision_id\":19165,\"drupal_internal__target_id\":2366}\n13f:{\"type\":\"paragraph--process_list_item\",\"id\":\"9da16e13-7938-4288-afa1-3ada5fc77270\",\"meta\":\"$140\"}\n142:{\"target_revision_id\":19166,\"drupal_internal__target_id\":2371}\n141:{\"type\":\"paragraph--process_list_item\",\"id\":\"8bea1337-54bc-44cd-ae45-705accdd579f\",\"meta\":\"$142\"}\n144:{\"target_revision_id\":19167,\"drupal_internal__target_id\":2376}\n143:{\"type\":\"paragraph--process_list_item\",\"id\":\"8c05f7ef-2515-47e1-876f-73f19caf2858\",\"meta\":\"$144\"}\n138:[\"$139\",\"$13b\",\"$13d\",\"$13f\",\"$141\",\"$143\"]\n146:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/5a00832f-f53f-42e9-bcfe-20b3a03db922/field_process_list_item?resourceVersion=id%3A19168\"}\n147:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/5a00832f-f53f-42e9-bcfe-20b3a03db922/relationships/field_process_list_item?resourceVersion=id%3A19168\"}\n145:{\"related\":\"$146\",\"self\":\"$147\"}\n137:{\"data\":\"$138\",\"links\":\"$145\"}\n130:{\"paragraph_type\":\"$131\",\"field_process_list_item\":\"$137\"}\n12b:{\"type"])</script><script>self.__next_f.push([1,"\":\"paragraph--process_list\",\"id\":\"5a00832f-f53f-42e9-bcfe-20b3a03db922\",\"links\":\"$12c\",\"attributes\":\"$12e\",\"relationships\":\"$130\"}\n14a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/aecadbee-307a-44a7-bfcc-aeca5ef14e74?resourceVersion=id%3A19170\"}\n149:{\"self\":\"$14a\"}\n14c:[]\n14d:{\"value\":\"CSRAP is one of the fundamentals of the OA Program. Find out more about this service and schedule your test. \\r\\n\\r\\n\\r\\n\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCSRAP is one of the fundamentals of the OA Program. Find out more about this service and schedule your test.\u003c/p\u003e\\n\"}\n14b:{\"drupal_internal__id\":2381,\"drupal_internal__revision_id\":19170,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:22:32+00:00\",\"parent_id\":\"2386\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$14c\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":null,\"field_call_out_link_text\":\"Learn more and schedule\",\"field_call_out_text\":\"$14d\",\"field_header\":\"Learn more about CSRAP \"}\n151:{\"drupal_internal__target_id\":\"call_out_box\"}\n150:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$151\"}\n153:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/aecadbee-307a-44a7-bfcc-aeca5ef14e74/paragraph_type?resourceVersion=id%3A19170\"}\n154:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/aecadbee-307a-44a7-bfcc-aeca5ef14e74/relationships/paragraph_type?resourceVersion=id%3A19170\"}\n152:{\"related\":\"$153\",\"self\":\"$154\"}\n14f:{\"data\":\"$150\",\"links\":\"$152\"}\n14e:{\"paragraph_type\":\"$14f\"}\n148:{\"type\":\"paragraph--call_out_box\",\"id\":\"aecadbee-307a-44a7-bfcc-aeca5ef14e74\",\"links\":\"$149\",\"attributes\":\"$14b\",\"relationships\":\"$14e\"}\n157:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8fd40376-7435-486e-8349-b5d170510f05?resourceVersion=id%3A19162\"}\n156:{\"self\":\"$157\"}\n159:[]\n15a:{\"value\":\"\u003cp\u003eThe criteria above determines if your system is eligible for OA. The OA Team works to identify sys"])</script><script>self.__next_f.push([1,"tems that meet the requirements for OA. As a System/Business Owner, you may receive proactive outreach from the OA Team if your system qualifies. System/Business Owners can also look at their specific system and reach out to the OA Team to request OA Program onboarding.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe criteria above determines if your system is eligible for OA. The OA Team works to identify systems that meet the requirements for OA. As a System/Business Owner, you may receive proactive outreach from the OA Team if your system qualifies. System/Business Owners can also look at their specific system and reach out to the OA Team to request OA Program onboarding.\u003c/p\u003e\"}\n158:{\"drupal_internal__id\":2341,\"drupal_internal__revision_id\":19162,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-06T21:18:30+00:00\",\"parent_id\":\"2346\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$159\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$15a\",\"field_list_item_title\":\"Determine if your system qualifies \"}\n15e:{\"drupal_internal__target_id\":\"process_list_item\"}\n15d:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$15e\"}\n160:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8fd40376-7435-486e-8349-b5d170510f05/paragraph_type?resourceVersion=id%3A19162\"}\n161:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8fd40376-7435-486e-8349-b5d170510f05/relationships/paragraph_type?resourceVersion=id%3A19162\"}\n15f:{\"related\":\"$160\",\"self\":\"$161\"}\n15c:{\"data\":\"$15d\",\"links\":\"$15f\"}\n15b:{\"paragraph_type\":\"$15c\"}\n155:{\"type\":\"paragraph--process_list_item\",\"id\":\"8fd40376-7435-486e-8349-b5d170510f05\",\"links\":\"$156\",\"attributes\":\"$158\",\"relationships\":\"$15b\"}\n164:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/62b8fb6b-a4f8-4043-8ffe-51da6dfb4720?resourceVersion=id%3A19163\"}\n163:{\"self\":\"$164\"}\n166:[]\n167:{\"value\":\"\u003cp\u003eCMS information s"])</script><script>self.__next_f.push([1,"ystems that have met the OA requirements will receive an OA onboarding invitation email. This email has instructions to get your system started with OA. Your tasks will include: letting the OA Team know you are interested in joining the program, obtaining the appropriate job codes, and working with your ISSO to stay in communication with the OA Team throughout the process.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eCMS information systems that have met the OA requirements will receive an OA onboarding invitation email. This email has instructions to get your system started with OA. Your tasks will include: letting the OA Team know you are interested in joining the program, obtaining the appropriate job codes, and working with your ISSO to stay in communication with the OA Team throughout the process.\u003c/p\u003e\"}\n165:{\"drupal_internal__id\":2356,\"drupal_internal__revision_id\":19163,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:19:54+00:00\",\"parent_id\":\"2346\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$166\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$167\",\"field_list_item_title\":\"Receive OA candidate email\"}\n16b:{\"drupal_internal__target_id\":\"process_list_item\"}\n16a:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$16b\"}\n16d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/62b8fb6b-a4f8-4043-8ffe-51da6dfb4720/paragraph_type?resourceVersion=id%3A19163\"}\n16e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/62b8fb6b-a4f8-4043-8ffe-51da6dfb4720/relationships/paragraph_type?resourceVersion=id%3A19163\"}\n16c:{\"related\":\"$16d\",\"self\":\"$16e\"}\n169:{\"data\":\"$16a\",\"links\":\"$16c\"}\n168:{\"paragraph_type\":\"$169\"}\n162:{\"type\":\"paragraph--process_list_item\",\"id\":\"62b8fb6b-a4f8-4043-8ffe-51da6dfb4720\",\"links\":\"$163\",\"attributes\":\"$165\",\"relationships\":\"$168\"}\n171:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/de1e111d"])</script><script>self.__next_f.push([1,"-bb99-44d6-a1a6-b3c92b895371?resourceVersion=id%3A19164\"}\n170:{\"self\":\"$171\"}\n173:[]\n174:{\"value\":\"\u003cp\u003eThe candidate email will include a welcome package for review by the System/Business Owner and ISSO that includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026nbsp;Details on how to maintain OA status\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe process for non-compliance\u003c/li\u003e\u003cli\u003eAn \u003cstrong\u003eOA Onboarding Memo\u003c/strong\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese artifacts must be reviewed by the System/Business Owner and the ISSO prior to joining OA. While reviewing these artifacts, the ISSO will ensure that all information in CFACTS is correct to date.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe candidate email will include a welcome package for review by the System/Business Owner and ISSO that includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026nbsp;Details on how to maintain OA status\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe process for non-compliance\u003c/li\u003e\u003cli\u003eAn \u003cstrong\u003eOA Onboarding Memo\u003c/strong\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese artifacts must be reviewed by the System/Business Owner and the ISSO prior to joining OA. While reviewing these artifacts, the ISSO will ensure that all information in CFACTS is correct to date.\u003c/p\u003e\"}\n172:{\"drupal_internal__id\":2361,\"drupal_internal__revision_id\":19164,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:20:38+00:00\",\"parent_id\":\"2346\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$173\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$174\",\"field_list_item_title\":\"Review OA welcome package\"}\n178:{\"drupal_internal__target_id\":\"process_list_item\"}\n177:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$178\"}\n17a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/de1e111d-bb99-44d6-a1a6-b3c92b895371/paragraph_type?resourceVersion=id%3A19164\"}\n17b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/de1e111d-bb99-44d6-a1a6-b3c92b895371/relationships/paragraph_type?resourceVersion=id%3A19164\"}\n179:{\"related\":\"$17a\",\"self\":\"$17b\"}\n176:{\"data\":\"$"])</script><script>self.__next_f.push([1,"177\",\"links\":\"$179\"}\n175:{\"paragraph_type\":\"$176\"}\n16f:{\"type\":\"paragraph--process_list_item\",\"id\":\"de1e111d-bb99-44d6-a1a6-b3c92b895371\",\"links\":\"$170\",\"attributes\":\"$172\",\"relationships\":\"$175\"}\n17e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/9da16e13-7938-4288-afa1-3ada5fc77270?resourceVersion=id%3A19165\"}\n17d:{\"self\":\"$17e\"}\n180:[]\n181:{\"value\":\"\u003cp\u003eThe ISSO will submit the signed memo into the ATO Request workflow in CMS Connect. The letter must be added as an attachment, and the certification form checkbox must be selected, as the memo takes its place.\u0026nbsp; The CRA will change the OA Status field to OA Onboarding for that system in CFACTS.\u0026nbsp; The System/Business Owner and ISSO must also participate in an ISPG-led Threat Modeling session during onboarding.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe ISSO will submit the signed memo into the ATO Request workflow in CMS Connect. The letter must be added as an attachment, and the certification form checkbox must be selected, as the memo takes its place.\u0026nbsp; The CRA will change the OA Status field to OA Onboarding for that system in CFACTS.\u0026nbsp; The System/Business Owner and ISSO must also participate in an ISPG-led Threat Modeling session during onboarding.\u003c/p\u003e\"}\n17f:{\"drupal_internal__id\":2366,\"drupal_internal__revision_id\":19165,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:20:48+00:00\",\"parent_id\":\"2346\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$180\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$181\",\"field_list_item_title\":\"Submit system for OA status\"}\n185:{\"drupal_internal__target_id\":\"process_list_item\"}\n184:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$185\"}\n187:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/9da16e13-7938-4288-afa1-3ada5fc77270/paragraph_type?resourceVersion=id%3A19165\"}\n188:{\"href\":\"https://cybergeek.cms.gov/jsonapi/"])</script><script>self.__next_f.push([1,"paragraph/process_list_item/9da16e13-7938-4288-afa1-3ada5fc77270/relationships/paragraph_type?resourceVersion=id%3A19165\"}\n186:{\"related\":\"$187\",\"self\":\"$188\"}\n183:{\"data\":\"$184\",\"links\":\"$186\"}\n182:{\"paragraph_type\":\"$183\"}\n17c:{\"type\":\"paragraph--process_list_item\",\"id\":\"9da16e13-7938-4288-afa1-3ada5fc77270\",\"links\":\"$17d\",\"attributes\":\"$17f\",\"relationships\":\"$182\"}\n18b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8bea1337-54bc-44cd-ae45-705accdd579f?resourceVersion=id%3A19166\"}\n18a:{\"self\":\"$18b\"}\n18d:[]\n18e:{\"value\":\"\u003cp\u003eThe CRA confirms the system is ready for onboarding and routes the \u003cstrong\u003eOA Onboarding Memo\u003c/strong\u003e to Authorizing Official (AO) for signature. The AO will return the signed letter to the CRA.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe CRA confirms the system is ready for onboarding and routes the \u003cstrong\u003eOA Onboarding Memo\u003c/strong\u003e to Authorizing Official (AO) for signature. The AO will return the signed letter to the CRA.\u003c/p\u003e\"}\n18c:{\"drupal_internal__id\":2371,\"drupal_internal__revision_id\":19166,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:21:02+00:00\",\"parent_id\":\"2346\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$18d\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$18e\",\"field_list_item_title\":\"Receive Authorizing Official signature\"}\n192:{\"drupal_internal__target_id\":\"process_list_item\"}\n191:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$192\"}\n194:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8bea1337-54bc-44cd-ae45-705accdd579f/paragraph_type?resourceVersion=id%3A19166\"}\n195:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8bea1337-54bc-44cd-ae45-705accdd579f/relationships/paragraph_type?resourceVersion=id%3A19166\"}\n193:{\"related\":\"$194\",\"self\":\"$195\"}\n190:{\"data\":\"$191\",\"links\":\"$193\"}\n18f:{\"paragraph_type\":\"$190\"}\n189:{\"type\":\"paragraph--process_list_i"])</script><script>self.__next_f.push([1,"tem\",\"id\":\"8bea1337-54bc-44cd-ae45-705accdd579f\",\"links\":\"$18a\",\"attributes\":\"$18c\",\"relationships\":\"$18f\"}\n198:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8c05f7ef-2515-47e1-876f-73f19caf2858?resourceVersion=id%3A19167\"}\n197:{\"self\":\"$198\"}\n19a:[]\n19b:{\"value\":\"\u003cp\u003eThe CRA uploads the signed OA letter to CFACTS and notifies the System/Business Owner that the system has been placed into OA. The CRA changes the system OA Status in CFACTS to OA Member. It is now the responsibility of the System/Business Owner and the ISSO\u0026nbsp; to maintain compliance.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe CRA uploads the signed OA letter to CFACTS and notifies the System/Business Owner that the system has been placed into OA. The CRA changes the system OA Status in CFACTS to OA Member. It is now the responsibility of the System/Business Owner and the ISSO\u0026nbsp; to maintain compliance.\u003c/p\u003e\"}\n199:{\"drupal_internal__id\":2376,\"drupal_internal__revision_id\":19167,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:21:31+00:00\",\"parent_id\":\"2346\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$19a\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$19b\",\"field_list_item_title\":\"Confirm OA status in CFACTS\"}\n19f:{\"drupal_internal__target_id\":\"process_list_item\"}\n19e:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$19f\"}\n1a1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8c05f7ef-2515-47e1-876f-73f19caf2858/paragraph_type?resourceVersion=id%3A19167\"}\n1a2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8c05f7ef-2515-47e1-876f-73f19caf2858/relationships/paragraph_type?resourceVersion=id%3A19167\"}\n1a0:{\"related\":\"$1a1\",\"self\":\"$1a2\"}\n19d:{\"data\":\"$19e\",\"links\":\"$1a0\"}\n19c:{\"paragraph_type\":\"$19d\"}\n196:{\"type\":\"paragraph--process_list_item\",\"id\":\"8c05f7ef-2515-47e1-876f-73f19caf2858\",\"links\":\"$197\",\"attributes\":\"$199\",\"rel"])</script><script>self.__next_f.push([1,"ationships\":\"$19c\"}\n1a5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de5326cf-552a-427c-9781-a4912ad4e45a?resourceVersion=id%3A19173\"}\n1a4:{\"self\":\"$1a5\"}\n1a7:[]\n1a6:{\"drupal_internal__id\":2466,\"drupal_internal__revision_id\":19173,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:36:46+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1a7\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1ab:{\"drupal_internal__target_id\":\"internal_link\"}\n1aa:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1ab\"}\n1ad:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de5326cf-552a-427c-9781-a4912ad4e45a/paragraph_type?resourceVersion=id%3A19173\"}\n1ae:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de5326cf-552a-427c-9781-a4912ad4e45a/relationships/paragraph_type?resourceVersion=id%3A19173\"}\n1ac:{\"related\":\"$1ad\",\"self\":\"$1ae\"}\n1a9:{\"data\":\"$1aa\",\"links\":\"$1ac\"}\n1b1:{\"drupal_internal__target_id\":201}\n1b0:{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"meta\":\"$1b1\"}\n1b3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de5326cf-552a-427c-9781-a4912ad4e45a/field_link?resourceVersion=id%3A19173\"}\n1b4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de5326cf-552a-427c-9781-a4912ad4e45a/relationships/field_link?resourceVersion=id%3A19173\"}\n1b2:{\"related\":\"$1b3\",\"self\":\"$1b4\"}\n1af:{\"data\":\"$1b0\",\"links\":\"$1b2\"}\n1a8:{\"paragraph_type\":\"$1a9\",\"field_link\":\"$1af\"}\n1a3:{\"type\":\"paragraph--internal_link\",\"id\":\"de5326cf-552a-427c-9781-a4912ad4e45a\",\"links\":\"$1a4\",\"attributes\":\"$1a6\",\"relationships\":\"$1a8\"}\n1b7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b5f6c429-201a-4f5f-ae6e-05b6e235ddbc?resourceVersion=id%3A19174\"}\n1b6:{\"self\":\"$1b7\"}\n1b9:[]\n1b8:{\"drupal_internal__id\":2471,\"drupal_internal__revision_id\":19174,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:36:52+00:00\",\"p"])</script><script>self.__next_f.push([1,"arent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1b9\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1bd:{\"drupal_internal__target_id\":\"internal_link\"}\n1bc:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1bd\"}\n1bf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b5f6c429-201a-4f5f-ae6e-05b6e235ddbc/paragraph_type?resourceVersion=id%3A19174\"}\n1c0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b5f6c429-201a-4f5f-ae6e-05b6e235ddbc/relationships/paragraph_type?resourceVersion=id%3A19174\"}\n1be:{\"related\":\"$1bf\",\"self\":\"$1c0\"}\n1bb:{\"data\":\"$1bc\",\"links\":\"$1be\"}\n1c3:{\"drupal_internal__target_id\":246}\n1c2:{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"meta\":\"$1c3\"}\n1c5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b5f6c429-201a-4f5f-ae6e-05b6e235ddbc/field_link?resourceVersion=id%3A19174\"}\n1c6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b5f6c429-201a-4f5f-ae6e-05b6e235ddbc/relationships/field_link?resourceVersion=id%3A19174\"}\n1c4:{\"related\":\"$1c5\",\"self\":\"$1c6\"}\n1c1:{\"data\":\"$1c2\",\"links\":\"$1c4\"}\n1ba:{\"paragraph_type\":\"$1bb\",\"field_link\":\"$1c1\"}\n1b5:{\"type\":\"paragraph--internal_link\",\"id\":\"b5f6c429-201a-4f5f-ae6e-05b6e235ddbc\",\"links\":\"$1b6\",\"attributes\":\"$1b8\",\"relationships\":\"$1ba\"}\n1c9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5a2be300-e6a0-41ff-9db9-5b88b77f18f2?resourceVersion=id%3A19175\"}\n1c8:{\"self\":\"$1c9\"}\n1cb:[]\n1ca:{\"drupal_internal__id\":2476,\"drupal_internal__revision_id\":19175,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:37:16+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1cb\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1cf:{\"drupal_internal__target_id\":\"internal_link\"}\n1ce:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\""])</script><script>self.__next_f.push([1,"$1cf\"}\n1d1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5a2be300-e6a0-41ff-9db9-5b88b77f18f2/paragraph_type?resourceVersion=id%3A19175\"}\n1d2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5a2be300-e6a0-41ff-9db9-5b88b77f18f2/relationships/paragraph_type?resourceVersion=id%3A19175\"}\n1d0:{\"related\":\"$1d1\",\"self\":\"$1d2\"}\n1cd:{\"data\":\"$1ce\",\"links\":\"$1d0\"}\n1d5:{\"drupal_internal__target_id\":676}\n1d4:{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"meta\":\"$1d5\"}\n1d7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5a2be300-e6a0-41ff-9db9-5b88b77f18f2/field_link?resourceVersion=id%3A19175\"}\n1d8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5a2be300-e6a0-41ff-9db9-5b88b77f18f2/relationships/field_link?resourceVersion=id%3A19175\"}\n1d6:{\"related\":\"$1d7\",\"self\":\"$1d8\"}\n1d3:{\"data\":\"$1d4\",\"links\":\"$1d6\"}\n1cc:{\"paragraph_type\":\"$1cd\",\"field_link\":\"$1d3\"}\n1c7:{\"type\":\"paragraph--internal_link\",\"id\":\"5a2be300-e6a0-41ff-9db9-5b88b77f18f2\",\"links\":\"$1c8\",\"attributes\":\"$1ca\",\"relationships\":\"$1cc\"}\n1db:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7539e73-da37-44b0-ad17-9c481c5e89e9?resourceVersion=id%3A19176\"}\n1da:{\"self\":\"$1db\"}\n1dd:[]\n1dc:{\"drupal_internal__id\":2481,\"drupal_internal__revision_id\":19176,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:37:22+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1dd\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1e1:{\"drupal_internal__target_id\":\"internal_link\"}\n1e0:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1e1\"}\n1e3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7539e73-da37-44b0-ad17-9c481c5e89e9/paragraph_type?resourceVersion=id%3A19176\"}\n1e4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7539e73-da37-44b0-ad17-9c481c5e89e9/relationships/paragraph_type?resourceVersion=id%3A19176\""])</script><script>self.__next_f.push([1,"}\n1e2:{\"related\":\"$1e3\",\"self\":\"$1e4\"}\n1df:{\"data\":\"$1e0\",\"links\":\"$1e2\"}\n1e7:{\"drupal_internal__target_id\":276}\n1e6:{\"type\":\"node--explainer\",\"id\":\"2bfd3478-c381-432c-a7ec-53fa803668ee\",\"meta\":\"$1e7\"}\n1e9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7539e73-da37-44b0-ad17-9c481c5e89e9/field_link?resourceVersion=id%3A19176\"}\n1ea:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7539e73-da37-44b0-ad17-9c481c5e89e9/relationships/field_link?resourceVersion=id%3A19176\"}\n1e8:{\"related\":\"$1e9\",\"self\":\"$1ea\"}\n1e5:{\"data\":\"$1e6\",\"links\":\"$1e8\"}\n1de:{\"paragraph_type\":\"$1df\",\"field_link\":\"$1e5\"}\n1d9:{\"type\":\"paragraph--internal_link\",\"id\":\"a7539e73-da37-44b0-ad17-9c481c5e89e9\",\"links\":\"$1da\",\"attributes\":\"$1dc\",\"relationships\":\"$1de\"}\n1ed:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4f862230-6bb8-4954-b295-52e00e609ba5?resourceVersion=id%3A19177\"}\n1ec:{\"self\":\"$1ed\"}\n1ef:[]\n1ee:{\"drupal_internal__id\":2486,\"drupal_internal__revision_id\":19177,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:37:39+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1ef\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1f3:{\"drupal_internal__target_id\":\"internal_link\"}\n1f2:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1f3\"}\n1f5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4f862230-6bb8-4954-b295-52e00e609ba5/paragraph_type?resourceVersion=id%3A19177\"}\n1f6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4f862230-6bb8-4954-b295-52e00e609ba5/relationships/paragraph_type?resourceVersion=id%3A19177\"}\n1f4:{\"related\":\"$1f5\",\"self\":\"$1f6\"}\n1f1:{\"data\":\"$1f2\",\"links\":\"$1f4\"}\n1f9:{\"drupal_internal__target_id\":261}\n1f8:{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"meta\":\"$1f9\"}\n1fb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4f862230-6bb8-4954-b295-52e00e609ba5/field_link?re"])</script><script>self.__next_f.push([1,"sourceVersion=id%3A19177\"}\n1fc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4f862230-6bb8-4954-b295-52e00e609ba5/relationships/field_link?resourceVersion=id%3A19177\"}\n1fa:{\"related\":\"$1fb\",\"self\":\"$1fc\"}\n1f7:{\"data\":\"$1f8\",\"links\":\"$1fa\"}\n1f0:{\"paragraph_type\":\"$1f1\",\"field_link\":\"$1f7\"}\n1eb:{\"type\":\"paragraph--internal_link\",\"id\":\"4f862230-6bb8-4954-b295-52e00e609ba5\",\"links\":\"$1ec\",\"attributes\":\"$1ee\",\"relationships\":\"$1f0\"}\n1ff:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8f0f75de-c261-41da-9ef7-06ccd80efb66?resourceVersion=id%3A19178\"}\n1fe:{\"self\":\"$1ff\"}\n201:[]\n200:{\"drupal_internal__id\":2491,\"drupal_internal__revision_id\":19178,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:38:08+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$201\",\"default_langcode\":true,\"revision_translation_affected\":true}\n205:{\"drupal_internal__target_id\":\"internal_link\"}\n204:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$205\"}\n207:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8f0f75de-c261-41da-9ef7-06ccd80efb66/paragraph_type?resourceVersion=id%3A19178\"}\n208:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8f0f75de-c261-41da-9ef7-06ccd80efb66/relationships/paragraph_type?resourceVersion=id%3A19178\"}\n206:{\"related\":\"$207\",\"self\":\"$208\"}\n203:{\"data\":\"$204\",\"links\":\"$206\"}\n20b:{\"drupal_internal__target_id\":206}\n20a:{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"meta\":\"$20b\"}\n20d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8f0f75de-c261-41da-9ef7-06ccd80efb66/field_link?resourceVersion=id%3A19178\"}\n20e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8f0f75de-c261-41da-9ef7-06ccd80efb66/relationships/field_link?resourceVersion=id%3A19178\"}\n20c:{\"related\":\"$20d\",\"self\":\"$20e\"}\n209:{\"data\":\"$20a\",\"links\":\"$20c\"}\n202:{\"paragraph_type\":\"$203\",\"field_link\":\"$209\"}\n1fd:{\"type\":"])</script><script>self.__next_f.push([1,"\"paragraph--internal_link\",\"id\":\"8f0f75de-c261-41da-9ef7-06ccd80efb66\",\"links\":\"$1fe\",\"attributes\":\"$200\",\"relationships\":\"$202\"}\n211:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320?resourceVersion=id%3A5941\"}\n210:{\"self\":\"$211\"}\n213:{\"alias\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"pid\":191,\"langcode\":\"en\"}\n214:{\"value\":\"A streamlined risk-based control(s) testing methodology designed to relieve operational burden.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA streamlined risk-based control(s) testing methodology designed to relieve operational burden.\u003c/p\u003e\\n\"}\n215:[]\n212:{\"drupal_internal__nid\":201,\"drupal_internal__vid\":5941,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-17T14:04:35+00:00\",\"status\":true,\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"created\":\"2022-08-25T18:58:52+00:00\",\"changed\":\"2024-10-07T20:27:11+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$213\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CSRAP@cms.hhs.gov\",\"field_contact_name\":\"CSRAP Team\",\"field_short_description\":\"$214\",\"field_slack_channel\":\"$215\"}\n219:{\"drupal_internal__target_id\":\"explainer\"}\n218:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$219\"}\n21b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/node_type?resourceVersion=id%3A5941\"}\n21c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/node_type?resourceVersion=id%3A5941\"}\n21a:{\"related\":\"$21b\",\"self\":\"$21c\"}\n217:{\"data\":\"$218\",\"links\":\"$21a\"}\n21f:{\"drupal_internal__target_id\":95}\n21e:{\"type\":\"user--user\",\"id\":\"39240c69-3096-49cd-a07c-3843b6c48c5f\",\"meta\":\"$21f\"}\n221:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa"])</script><script>self.__next_f.push([1,"320/revision_uid?resourceVersion=id%3A5941\"}\n222:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/revision_uid?resourceVersion=id%3A5941\"}\n220:{\"related\":\"$221\",\"self\":\"$222\"}\n21d:{\"data\":\"$21e\",\"links\":\"$220\"}\n225:{\"drupal_internal__target_id\":26}\n224:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$225\"}\n227:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/uid?resourceVersion=id%3A5941\"}\n228:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/uid?resourceVersion=id%3A5941\"}\n226:{\"related\":\"$227\",\"self\":\"$228\"}\n223:{\"data\":\"$224\",\"links\":\"$226\"}\n22c:{\"target_revision_id\":19433,\"drupal_internal__target_id\":3501}\n22b:{\"type\":\"paragraph--page_section\",\"id\":\"f36fb6d1-0795-400f-8a15-36d1979118b0\",\"meta\":\"$22c\"}\n22e:{\"target_revision_id\":19434,\"drupal_internal__target_id\":611}\n22d:{\"type\":\"paragraph--page_section\",\"id\":\"eb5b28d8-8825-43c5-a889-513068f48fd8\",\"meta\":\"$22e\"}\n230:{\"target_revision_id\":19435,\"drupal_internal__target_id\":651}\n22f:{\"type\":\"paragraph--page_section\",\"id\":\"269aaf52-85f1-411f-a67e-e9d9ad620d8a\",\"meta\":\"$230\"}\n232:{\"target_revision_id\":19442,\"drupal_internal__target_id\":3502}\n231:{\"type\":\"paragraph--page_section\",\"id\":\"3a3615ff-9d53-40d6-8291-fd4516dbc893\",\"meta\":\"$232\"}\n234:{\"target_revision_id\":19443,\"drupal_internal__target_id\":3503}\n233:{\"type\":\"paragraph--page_section\",\"id\":\"cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa\",\"meta\":\"$234\"}\n236:{\"target_revision_id\":19444,\"drupal_internal__target_id\":3504}\n235:{\"type\":\"paragraph--page_section\",\"id\":\"a46d03b7-7478-40f1-a7da-3171ffcfaa2d\",\"meta\":\"$236\"}\n22a:[\"$22b\",\"$22d\",\"$22f\",\"$231\",\"$233\",\"$235\"]\n238:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_page_section?resourceVersion=id%3A5941\"}\n239:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_page_section"])</script><script>self.__next_f.push([1,"?resourceVersion=id%3A5941\"}\n237:{\"related\":\"$238\",\"self\":\"$239\"}\n229:{\"data\":\"$22a\",\"links\":\"$237\"}\n23d:{\"target_revision_id\":19445,\"drupal_internal__target_id\":656}\n23c:{\"type\":\"paragraph--internal_link\",\"id\":\"28dbad4c-79e6-4f83-bc5e-965ba6aa4926\",\"meta\":\"$23d\"}\n23f:{\"target_revision_id\":19446,\"drupal_internal__target_id\":661}\n23e:{\"type\":\"paragraph--internal_link\",\"id\":\"9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2\",\"meta\":\"$23f\"}\n241:{\"target_revision_id\":19447,\"drupal_internal__target_id\":671}\n240:{\"type\":\"paragraph--internal_link\",\"id\":\"77c203ce-2da8-4200-986c-1093acc2ff5a\",\"meta\":\"$241\"}\n243:{\"target_revision_id\":19448,\"drupal_internal__target_id\":676}\n242:{\"type\":\"paragraph--internal_link\",\"id\":\"50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a\",\"meta\":\"$243\"}\n245:{\"target_revision_id\":19449,\"drupal_internal__target_id\":681}\n244:{\"type\":\"paragraph--internal_link\",\"id\":\"c4a332dc-02ea-48f6-9c08-c12ca06e62b5\",\"meta\":\"$245\"}\n247:{\"target_revision_id\":19450,\"drupal_internal__target_id\":3505}\n246:{\"type\":\"paragraph--internal_link\",\"id\":\"5cc61db4-e2f7-43ad-b914-3661d73886e9\",\"meta\":\"$247\"}\n23b:[\"$23c\",\"$23e\",\"$240\",\"$242\",\"$244\",\"$246\"]\n249:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_related_collection?resourceVersion=id%3A5941\"}\n24a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_related_collection?resourceVersion=id%3A5941\"}\n248:{\"related\":\"$249\",\"self\":\"$24a\"}\n23a:{\"data\":\"$23b\",\"links\":\"$248\"}\n24d:{\"drupal_internal__target_id\":121}\n24c:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$24d\"}\n24f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_resource_type?resourceVersion=id%3A5941\"}\n250:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_resource_type?resourceVersion=id%3A5941\"}\n24e:{\"related\":\"$24f\",\"self\":\"$250\"}\n24b:{\"data\":\"$24c\",\"links\":\"$24e\"}\n254"])</script><script>self.__next_f.push([1,":{\"drupal_internal__target_id\":66}\n253:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$254\"}\n256:{\"drupal_internal__target_id\":61}\n255:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$256\"}\n258:{\"drupal_internal__target_id\":76}\n257:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$258\"}\n252:[\"$253\",\"$255\",\"$257\"]\n25a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_roles?resourceVersion=id%3A5941\"}\n25b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_roles?resourceVersion=id%3A5941\"}\n259:{\"related\":\"$25a\",\"self\":\"$25b\"}\n251:{\"data\":\"$252\",\"links\":\"$259\"}\n25f:{\"drupal_internal__target_id\":6}\n25e:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":\"$25f\"}\n261:{\"drupal_internal__target_id\":36}\n260:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$261\"}\n25d:[\"$25e\",\"$260\"]\n263:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_topics?resourceVersion=id%3A5941\"}\n264:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_topics?resourceVersion=id%3A5941\"}\n262:{\"related\":\"$263\",\"self\":\"$264\"}\n25c:{\"data\":\"$25d\",\"links\":\"$262\"}\n216:{\"node_type\":\"$217\",\"revision_uid\":\"$21d\",\"uid\":\"$223\",\"field_page_section\":\"$229\",\"field_related_collection\":\"$23a\",\"field_resource_type\":\"$24b\",\"field_roles\":\"$251\",\"field_topics\":\"$25c\"}\n20f:{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"links\":\"$210\",\"attributes\":\"$212\",\"relationships\":\"$216\"}\n267:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58?resourceVersion=id%3A5668\"}\n266:{\"self\":\"$267\"}\n269:{\"alias\":\"/learn/cms-cloud-services\",\"pid\":236,\"langcode\":\"en\"}\n26a:{\"value\":\"Platform-As-A-Service with tools, security, and support s"])</script><script>self.__next_f.push([1,"ervices designed specifically for CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003ePlatform-As-A-Service with tools, security, and support services designed specifically for CMS\u003c/p\u003e\\n\"}\n26b:[\"#cms-cloud-security-forum\"]\n268:{\"drupal_internal__nid\":246,\"drupal_internal__vid\":5668,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-12T15:23:53+00:00\",\"status\":true,\"title\":\"CMS Cloud Services\",\"created\":\"2022-08-26T14:47:12+00:00\",\"changed\":\"2024-07-12T15:23:53+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$269\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cloudsupport@cms.hhs.gov\",\"field_contact_name\":\"CMS Cloud Support\",\"field_short_description\":\"$26a\",\"field_slack_channel\":\"$26b\"}\n26f:{\"drupal_internal__target_id\":\"explainer\"}\n26e:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$26f\"}\n271:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/node_type?resourceVersion=id%3A5668\"}\n272:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/node_type?resourceVersion=id%3A5668\"}\n270:{\"related\":\"$271\",\"self\":\"$272\"}\n26d:{\"data\":\"$26e\",\"links\":\"$270\"}\n275:{\"drupal_internal__target_id\":6}\n274:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$275\"}\n277:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/revision_uid?resourceVersion=id%3A5668\"}\n278:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/revision_uid?resourceVersion=id%3A5668\"}\n276:{\"related\":\"$277\",\"self\":\"$278\"}\n273:{\"data\":\"$274\",\"links\":\"$276\"}\n27b:{\"drupal_internal__target_id\":26}\n27a:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$27b\"}\n27d:{\"href\":\"https://cybergeek.cms.gov/js"])</script><script>self.__next_f.push([1,"onapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/uid?resourceVersion=id%3A5668\"}\n27e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/uid?resourceVersion=id%3A5668\"}\n27c:{\"related\":\"$27d\",\"self\":\"$27e\"}\n279:{\"data\":\"$27a\",\"links\":\"$27c\"}\n282:{\"target_revision_id\":18519,\"drupal_internal__target_id\":1371}\n281:{\"type\":\"paragraph--page_section\",\"id\":\"15f8e7ab-00f6-4c17-b433-659267271131\",\"meta\":\"$282\"}\n280:[\"$281\"]\n284:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_page_section?resourceVersion=id%3A5668\"}\n285:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_page_section?resourceVersion=id%3A5668\"}\n283:{\"related\":\"$284\",\"self\":\"$285\"}\n27f:{\"data\":\"$280\",\"links\":\"$283\"}\n289:{\"target_revision_id\":18520,\"drupal_internal__target_id\":1376}\n288:{\"type\":\"paragraph--internal_link\",\"id\":\"b48e2348-59b0-42a6-9f44-62af8a94ddf1\",\"meta\":\"$289\"}\n28b:{\"target_revision_id\":18521,\"drupal_internal__target_id\":1381}\n28a:{\"type\":\"paragraph--internal_link\",\"id\":\"17ea04ed-0987-43ea-b494-7c051ddfcd28\",\"meta\":\"$28b\"}\n28d:{\"target_revision_id\":18522,\"drupal_internal__target_id\":1391}\n28c:{\"type\":\"paragraph--internal_link\",\"id\":\"ae49a5b4-3922-4f8d-bbe5-624b243b4637\",\"meta\":\"$28d\"}\n28f:{\"target_revision_id\":18523,\"drupal_internal__target_id\":1396}\n28e:{\"type\":\"paragraph--internal_link\",\"id\":\"3ebbf63a-35a8-4c15-8002-2b41f7ef528a\",\"meta\":\"$28f\"}\n287:[\"$288\",\"$28a\",\"$28c\",\"$28e\"]\n291:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_related_collection?resourceVersion=id%3A5668\"}\n292:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_related_collection?resourceVersion=id%3A5668\"}\n290:{\"related\":\"$291\",\"self\":\"$292\"}\n286:{\"data\":\"$287\",\"links\":\"$290\"}\n295:{\"drupal_internal__target_id\":121}\n294:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-"])</script><script>self.__next_f.push([1,"4dd3-8818-37cb1557a8f4\",\"meta\":\"$295\"}\n297:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_resource_type?resourceVersion=id%3A5668\"}\n298:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_resource_type?resourceVersion=id%3A5668\"}\n296:{\"related\":\"$297\",\"self\":\"$298\"}\n293:{\"data\":\"$294\",\"links\":\"$296\"}\n29c:{\"drupal_internal__target_id\":76}\n29b:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$29c\"}\n29e:{\"drupal_internal__target_id\":71}\n29d:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$29e\"}\n29a:[\"$29b\",\"$29d\"]\n2a0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_roles?resourceVersion=id%3A5668\"}\n2a1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_roles?resourceVersion=id%3A5668\"}\n29f:{\"related\":\"$2a0\",\"self\":\"$2a1\"}\n299:{\"data\":\"$29a\",\"links\":\"$29f\"}\n2a5:{\"drupal_internal__target_id\":41}\n2a4:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":\"$2a5\"}\n2a7:{\"drupal_internal__target_id\":11}\n2a6:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$2a7\"}\n2a3:[\"$2a4\",\"$2a6\"]\n2a9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_topics?resourceVersion=id%3A5668\"}\n2aa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_topics?resourceVersion=id%3A5668\"}\n2a8:{\"related\":\"$2a9\",\"self\":\"$2aa\"}\n2a2:{\"data\":\"$2a3\",\"links\":\"$2a8\"}\n26c:{\"node_type\":\"$26d\",\"revision_uid\":\"$273\",\"uid\":\"$279\",\"field_page_section\":\"$27f\",\"field_related_collection\":\"$286\",\"field_resource_type\":\"$293\",\"field_roles\":\"$299\",\"field_topics\":\"$2a2\"}\n265:{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"links\":\"$266\",\"attributes\":\"$268\",\"relationships\":\"$26c\"}\n2a"])</script><script>self.__next_f.push([1,"d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08?resourceVersion=id%3A5525\"}\n2ac:{\"self\":\"$2ad\"}\n2af:{\"alias\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"pid\":666,\"langcode\":\"en\"}\n2b0:{\"value\":\"Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eAutomated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\u003c/p\u003e\\n\"}\n2b1:[\"#cyber-risk-management\"]\n2ae:{\"drupal_internal__nid\":676,\"drupal_internal__vid\":5525,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-04T17:13:19+00:00\",\"status\":true,\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"created\":\"2023-02-04T14:55:07+00:00\",\"changed\":\"2024-06-04T17:13:19+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$2af\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CDMPMO@cms.hhs.gov\",\"field_contact_name\":\"CDM team\",\"field_short_description\":\"$2b0\",\"field_slack_channel\":\"$2b1\"}\n2b5:{\"drupal_internal__target_id\":\"explainer\"}\n2b4:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$2b5\"}\n2b7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/node_type?resourceVersion=id%3A5525\"}\n2b8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/node_type?resourceVersion=id%3A5525\"}\n2b6:{\"related\":\"$2b7\",\"self\":\"$2b8\"}\n2b3:{\"data\":\"$2b4\",\"links\":\"$2b6\"}\n2bb:{\"drupal_internal__target_id\":107}\n2ba:{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":\"$2bb\"}\n2bd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/revision_uid?resourceVersion=id%3A5525\"}\n2be:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-4"])</script><script>self.__next_f.push([1,"0ae-84b5-2cecc9300e08/relationships/revision_uid?resourceVersion=id%3A5525\"}\n2bc:{\"related\":\"$2bd\",\"self\":\"$2be\"}\n2b9:{\"data\":\"$2ba\",\"links\":\"$2bc\"}\n2c1:{\"drupal_internal__target_id\":6}\n2c0:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$2c1\"}\n2c3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/uid?resourceVersion=id%3A5525\"}\n2c4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/uid?resourceVersion=id%3A5525\"}\n2c2:{\"related\":\"$2c3\",\"self\":\"$2c4\"}\n2bf:{\"data\":\"$2c0\",\"links\":\"$2c2\"}\n2c8:{\"target_revision_id\":17929,\"drupal_internal__target_id\":546}\n2c7:{\"type\":\"paragraph--page_section\",\"id\":\"8b7bda2b-e3dc-4760-9901-27255f14ff41\",\"meta\":\"$2c8\"}\n2ca:{\"target_revision_id\":17930,\"drupal_internal__target_id\":551}\n2c9:{\"type\":\"paragraph--page_section\",\"id\":\"8e76f588-fd94-4439-b7e3-73c8b83e3500\",\"meta\":\"$2ca\"}\n2c6:[\"$2c7\",\"$2c9\"]\n2cc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_page_section?resourceVersion=id%3A5525\"}\n2cd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_page_section?resourceVersion=id%3A5525\"}\n2cb:{\"related\":\"$2cc\",\"self\":\"$2cd\"}\n2c5:{\"data\":\"$2c6\",\"links\":\"$2cb\"}\n2d1:{\"target_revision_id\":17931,\"drupal_internal__target_id\":1891}\n2d0:{\"type\":\"paragraph--internal_link\",\"id\":\"bc285af3-dba7-4a12-8881-a8fed446dded\",\"meta\":\"$2d1\"}\n2d3:{\"target_revision_id\":17932,\"drupal_internal__target_id\":1896}\n2d2:{\"type\":\"paragraph--internal_link\",\"id\":\"1bc4b03f-652f-4fbf-8024-43e830b4b0a3\",\"meta\":\"$2d3\"}\n2d5:{\"target_revision_id\":17933,\"drupal_internal__target_id\":1906}\n2d4:{\"type\":\"paragraph--internal_link\",\"id\":\"05f865ef-4960-439b-9fca-9e7d70dfbe39\",\"meta\":\"$2d5\"}\n2cf:[\"$2d0\",\"$2d2\",\"$2d4\"]\n2d7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_related_collection?resourceVersion=id%3A5525\"}\n2d8:{\"href\":\"https://cybergeek.c"])</script><script>self.__next_f.push([1,"ms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_related_collection?resourceVersion=id%3A5525\"}\n2d6:{\"related\":\"$2d7\",\"self\":\"$2d8\"}\n2ce:{\"data\":\"$2cf\",\"links\":\"$2d6\"}\n2db:{\"drupal_internal__target_id\":121}\n2da:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$2db\"}\n2dd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_resource_type?resourceVersion=id%3A5525\"}\n2de:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_resource_type?resourceVersion=id%3A5525\"}\n2dc:{\"related\":\"$2dd\",\"self\":\"$2de\"}\n2d9:{\"data\":\"$2da\",\"links\":\"$2dc\"}\n2e2:{\"drupal_internal__target_id\":61}\n2e1:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$2e2\"}\n2e4:{\"drupal_internal__target_id\":76}\n2e3:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$2e4\"}\n2e0:[\"$2e1\",\"$2e3\"]\n2e6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_roles?resourceVersion=id%3A5525\"}\n2e7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_roles?resourceVersion=id%3A5525\"}\n2e5:{\"related\":\"$2e6\",\"self\":\"$2e7\"}\n2df:{\"data\":\"$2e0\",\"links\":\"$2e5\"}\n2eb:{\"drupal_internal__target_id\":36}\n2ea:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$2eb\"}\n2ed:{\"drupal_internal__target_id\":11}\n2ec:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$2ed\"}\n2e9:[\"$2ea\",\"$2ec\"]\n2ef:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_topics?resourceVersion=id%3A5525\"}\n2f0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_topics?resourceVersion=id%3A5525\"}\n2ee:{\"related\":\"$2ef\",\"self\":\"$2f0\"}\n2e8:{\"data\":\"$2e9\",\"links\":\"$2ee\"}\n2b2:{\"node_type\":\"$2b"])</script><script>self.__next_f.push([1,"3\",\"revision_uid\":\"$2b9\",\"uid\":\"$2bf\",\"field_page_section\":\"$2c5\",\"field_related_collection\":\"$2ce\",\"field_resource_type\":\"$2d9\",\"field_roles\":\"$2df\",\"field_topics\":\"$2e8\"}\n2ab:{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"links\":\"$2ac\",\"attributes\":\"$2ae\",\"relationships\":\"$2b2\"}\n2f3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee?resourceVersion=id%3A6081\"}\n2f2:{\"self\":\"$2f3\"}\n2f5:{\"alias\":\"/learn/cyber-risk-reports\",\"pid\":266,\"langcode\":\"en\"}\n2f6:{\"value\":\"Reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eReports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats\u003c/p\u003e\\n\"}\n2f7:[\"#cyber-risk-management\"]\n2f4:{\"drupal_internal__nid\":276,\"drupal_internal__vid\":6081,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-15T19:24:02+00:00\",\"status\":true,\"title\":\"Cyber Risk Reports (CRR)\",\"created\":\"2022-08-26T15:05:42+00:00\",\"changed\":\"2025-01-14T20:34:25+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$2f5\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CRMPMO@cms.hhs.gov\",\"field_contact_name\":\"CRM Team\",\"field_short_description\":\"$2f6\",\"field_slack_channel\":\"$2f7\"}\n2fb:{\"drupal_internal__target_id\":\"explainer\"}\n2fa:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$2fb\"}\n2fd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/node_type?resourceVersion=id%3A6081\"}\n2fe:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/node_type?resourceVersion=id%3A6081\"}\n2fc:{\"related\":\"$2fd\",\"self\":\"$2fe\"}\n2f9"])</script><script>self.__next_f.push([1,":{\"data\":\"$2fa\",\"links\":\"$2fc\"}\n301:{\"drupal_internal__target_id\":107}\n300:{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":\"$301\"}\n303:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/revision_uid?resourceVersion=id%3A6081\"}\n304:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/revision_uid?resourceVersion=id%3A6081\"}\n302:{\"related\":\"$303\",\"self\":\"$304\"}\n2ff:{\"data\":\"$300\",\"links\":\"$302\"}\n307:{\"drupal_internal__target_id\":26}\n306:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$307\"}\n309:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/uid?resourceVersion=id%3A6081\"}\n30a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/uid?resourceVersion=id%3A6081\"}\n308:{\"related\":\"$309\",\"self\":\"$30a\"}\n305:{\"data\":\"$306\",\"links\":\"$308\"}\n30e:{\"target_revision_id\":19976,\"drupal_internal__target_id\":1041}\n30d:{\"type\":\"paragraph--page_section\",\"id\":\"99eb2a67-6873-48f2-9027-a58a87a1ef43\",\"meta\":\"$30e\"}\n310:{\"target_revision_id\":19981,\"drupal_internal__target_id\":1051}\n30f:{\"type\":\"paragraph--page_section\",\"id\":\"55411c7e-d16e-4e24-9ec0-e61d07f1aaab\",\"meta\":\"$310\"}\n312:{\"target_revision_id\":19986,\"drupal_internal__target_id\":1061}\n311:{\"type\":\"paragraph--page_section\",\"id\":\"1ed92f8d-8be4-41a2-bc9c-e012801a98bf\",\"meta\":\"$312\"}\n314:{\"target_revision_id\":19996,\"drupal_internal__target_id\":1071}\n313:{\"type\":\"paragraph--page_section\",\"id\":\"9ab563ca-90a0-4ff0-a86c-2b0de01421c2\",\"meta\":\"$314\"}\n316:{\"target_revision_id\":20006,\"drupal_internal__target_id\":1091}\n315:{\"type\":\"paragraph--page_section\",\"id\":\"d2de38a5-dc24-41cd-9344-bb7d2240b7f4\",\"meta\":\"$316\"}\n318:{\"target_revision_id\":20016,\"drupal_internal__target_id\":1101}\n317:{\"type\":\"paragraph--page_section\",\"id\":\"8383a3b3-7807-40a8-96f7-0197052ff373\",\"meta\":\"$318\"}\n30c:[\"$30d\",\"$30f\",\"$311\",\"$313\",\"$315\",\"$317\"]\n31a:{\"href\":\"https://cybe"])</script><script>self.__next_f.push([1,"rgeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_page_section?resourceVersion=id%3A6081\"}\n31b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_page_section?resourceVersion=id%3A6081\"}\n319:{\"related\":\"$31a\",\"self\":\"$31b\"}\n30b:{\"data\":\"$30c\",\"links\":\"$319\"}\n31f:{\"target_revision_id\":20021,\"drupal_internal__target_id\":1911}\n31e:{\"type\":\"paragraph--internal_link\",\"id\":\"b0c313be-306b-48cd-b0bf-8a70f2bae7fb\",\"meta\":\"$31f\"}\n321:{\"target_revision_id\":20026,\"drupal_internal__target_id\":1916}\n320:{\"type\":\"paragraph--internal_link\",\"id\":\"32ab944d-d8c2-480b-b01e-85fa1a7eaf17\",\"meta\":\"$321\"}\n323:{\"target_revision_id\":20031,\"drupal_internal__target_id\":3386}\n322:{\"type\":\"paragraph--internal_link\",\"id\":\"21220e28-a46b-469f-9033-3e3482d07b4e\",\"meta\":\"$323\"}\n325:{\"target_revision_id\":20036,\"drupal_internal__target_id\":3387}\n324:{\"type\":\"paragraph--internal_link\",\"id\":\"1dc73a64-e5a5-419e-9363-9e91887427be\",\"meta\":\"$325\"}\n31d:[\"$31e\",\"$320\",\"$322\",\"$324\"]\n327:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_related_collection?resourceVersion=id%3A6081\"}\n328:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_related_collection?resourceVersion=id%3A6081\"}\n326:{\"related\":\"$327\",\"self\":\"$328\"}\n31c:{\"data\":\"$31d\",\"links\":\"$326\"}\n32b:{\"drupal_internal__target_id\":121}\n32a:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$32b\"}\n32d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_resource_type?resourceVersion=id%3A6081\"}\n32e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_resource_type?resourceVersion=id%3A6081\"}\n32c:{\"related\":\"$32d\",\"self\":\"$32e\"}\n329:{\"data\":\"$32a\",\"links\":\"$32c\"}\n332:{\"drupal_internal__target_id\":66}\n331:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b4"])</script><script>self.__next_f.push([1,"3c-45fb-973e-dffe50c27da5\",\"meta\":\"$332\"}\n334:{\"drupal_internal__target_id\":61}\n333:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$334\"}\n336:{\"drupal_internal__target_id\":76}\n335:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$336\"}\n338:{\"drupal_internal__target_id\":71}\n337:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$338\"}\n330:[\"$331\",\"$333\",\"$335\",\"$337\"]\n33a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_roles?resourceVersion=id%3A6081\"}\n33b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_roles?resourceVersion=id%3A6081\"}\n339:{\"related\":\"$33a\",\"self\":\"$33b\"}\n32f:{\"data\":\"$330\",\"links\":\"$339\"}\n33f:{\"drupal_internal__target_id\":36}\n33e:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$33f\"}\n33d:[\"$33e\"]\n341:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_topics?resourceVersion=id%3A6081\"}\n342:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_topics?resourceVersion=id%3A6081\"}\n340:{\"related\":\"$341\",\"self\":\"$342\"}\n33c:{\"data\":\"$33d\",\"links\":\"$340\"}\n2f8:{\"node_type\":\"$2f9\",\"revision_uid\":\"$2ff\",\"uid\":\"$305\",\"field_page_section\":\"$30b\",\"field_related_collection\":\"$31c\",\"field_resource_type\":\"$329\",\"field_roles\":\"$32f\",\"field_topics\":\"$33c\"}\n2f1:{\"type\":\"node--explainer\",\"id\":\"2bfd3478-c381-432c-a7ec-53fa803668ee\",\"links\":\"$2f2\",\"attributes\":\"$2f4\",\"relationships\":\"$2f8\"}\n345:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b?resourceVersion=id%3A5999\"}\n344:{\"self\":\"$345\"}\n347:{\"alias\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"pid\":251,\"langcode\":\"en\"}\n348:{\"value\":\"CFACTS is a CMS database that tracks application security deficiencies and POA\u0026Ms, and supports the ATO process\",\"forma"])</script><script>self.__next_f.push([1,"t\":\"plain_text\",\"processed\":\"\u003cp\u003eCFACTS is a CMS database that tracks application security deficiencies and POA\u0026amp;Ms, and supports the ATO process\u003c/p\u003e\\n\"}\n349:[\"#cfacts_community\"]\n346:{\"drupal_internal__nid\":261,\"drupal_internal__vid\":5999,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-05T18:41:37+00:00\",\"status\":true,\"title\":\"CMS FISMA Continuous Tracking System (CFACTS)\",\"created\":\"2022-08-26T14:57:02+00:00\",\"changed\":\"2024-12-05T18:41:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$347\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ciso@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team \",\"field_short_description\":\"$348\",\"field_slack_channel\":\"$349\"}\n34d:{\"drupal_internal__target_id\":\"explainer\"}\n34c:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$34d\"}\n34f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/node_type?resourceVersion=id%3A5999\"}\n350:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/node_type?resourceVersion=id%3A5999\"}\n34e:{\"related\":\"$34f\",\"self\":\"$350\"}\n34b:{\"data\":\"$34c\",\"links\":\"$34e\"}\n353:{\"drupal_internal__target_id\":159}\n352:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":\"$353\"}\n355:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/revision_uid?resourceVersion=id%3A5999\"}\n356:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/revision_uid?resourceVersion=id%3A5999\"}\n354:{\"related\":\"$355\",\"self\":\"$356\"}\n351:{\"data\":\"$352\",\"links\":\"$354\"}\n359:{\"drupal_internal__target_id\":26}\n358:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$359\"}\n35b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/expla"])</script><script>self.__next_f.push([1,"iner/de0901ae-4ea5-491c-badd-90a32da3989b/uid?resourceVersion=id%3A5999\"}\n35c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/uid?resourceVersion=id%3A5999\"}\n35a:{\"related\":\"$35b\",\"self\":\"$35c\"}\n357:{\"data\":\"$358\",\"links\":\"$35a\"}\n360:{\"target_revision_id\":19655,\"drupal_internal__target_id\":2101}\n35f:{\"type\":\"paragraph--page_section\",\"id\":\"963db416-cca0-421d-8c3e-40c8e2ce190f\",\"meta\":\"$360\"}\n362:{\"target_revision_id\":19660,\"drupal_internal__target_id\":446}\n361:{\"type\":\"paragraph--page_section\",\"id\":\"9b87eb1d-cb43-472b-9b5b-8618d2688563\",\"meta\":\"$362\"}\n364:{\"target_revision_id\":19666,\"drupal_internal__target_id\":1781}\n363:{\"type\":\"paragraph--page_section\",\"id\":\"122a8de9-c38d-492b-bc93-b43b270f2933\",\"meta\":\"$364\"}\n366:{\"target_revision_id\":19667,\"drupal_internal__target_id\":3468}\n365:{\"type\":\"paragraph--page_section\",\"id\":\"594617c8-824a-4962-aa08-fdf8dd4677fb\",\"meta\":\"$366\"}\n35e:[\"$35f\",\"$361\",\"$363\",\"$365\"]\n368:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_page_section?resourceVersion=id%3A5999\"}\n369:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_page_section?resourceVersion=id%3A5999\"}\n367:{\"related\":\"$368\",\"self\":\"$369\"}\n35d:{\"data\":\"$35e\",\"links\":\"$367\"}\n36d:{\"target_revision_id\":19668,\"drupal_internal__target_id\":1816}\n36c:{\"type\":\"paragraph--internal_link\",\"id\":\"76dcb171-ae0a-42ba-b330-b93b63633cdd\",\"meta\":\"$36d\"}\n36f:{\"target_revision_id\":19669,\"drupal_internal__target_id\":1821}\n36e:{\"type\":\"paragraph--internal_link\",\"id\":\"7f340091-9774-491a-817d-0cdfaf0c72d1\",\"meta\":\"$36f\"}\n371:{\"target_revision_id\":19670,\"drupal_internal__target_id\":1826}\n370:{\"type\":\"paragraph--internal_link\",\"id\":\"4b7486bb-57c5-440b-b07c-54deb80f1ca1\",\"meta\":\"$371\"}\n373:{\"target_revision_id\":19671,\"drupal_internal__target_id\":1831}\n372:{\"type\":\"paragraph--internal_link\",\"id\":\"d72a41d1-1d17-452f-9375-aea58d84e8e7\",\"meta\":\"$373\"}\n375:{\"target_revision_id\":1967"])</script><script>self.__next_f.push([1,"2,\"drupal_internal__target_id\":3462}\n374:{\"type\":\"paragraph--internal_link\",\"id\":\"726e3057-d549-4d7d-80c7-0f4c5d5f8007\",\"meta\":\"$375\"}\n377:{\"target_revision_id\":19673,\"drupal_internal__target_id\":3463}\n376:{\"type\":\"paragraph--internal_link\",\"id\":\"dbde5fa8-5137-4df4-af83-a4330e0778c7\",\"meta\":\"$377\"}\n36b:[\"$36c\",\"$36e\",\"$370\",\"$372\",\"$374\",\"$376\"]\n379:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_related_collection?resourceVersion=id%3A5999\"}\n37a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_related_collection?resourceVersion=id%3A5999\"}\n378:{\"related\":\"$379\",\"self\":\"$37a\"}\n36a:{\"data\":\"$36b\",\"links\":\"$378\"}\n37d:{\"drupal_internal__target_id\":121}\n37c:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$37d\"}\n37f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_resource_type?resourceVersion=id%3A5999\"}\n380:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_resource_type?resourceVersion=id%3A5999\"}\n37e:{\"related\":\"$37f\",\"self\":\"$380\"}\n37b:{\"data\":\"$37c\",\"links\":\"$37e\"}\n384:{\"drupal_internal__target_id\":66}\n383:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$384\"}\n386:{\"drupal_internal__target_id\":61}\n385:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$386\"}\n388:{\"drupal_internal__target_id\":76}\n387:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$388\"}\n38a:{\"drupal_internal__target_id\":71}\n389:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$38a\"}\n382:[\"$383\",\"$385\",\"$387\",\"$389\"]\n38c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_roles?resourceVersion=id%3A5999\"}\n38d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90"])</script><script>self.__next_f.push([1,"a32da3989b/relationships/field_roles?resourceVersion=id%3A5999\"}\n38b:{\"related\":\"$38c\",\"self\":\"$38d\"}\n381:{\"data\":\"$382\",\"links\":\"$38b\"}\n391:{\"drupal_internal__target_id\":36}\n390:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$391\"}\n393:{\"drupal_internal__target_id\":11}\n392:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$393\"}\n38f:[\"$390\",\"$392\"]\n395:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_topics?resourceVersion=id%3A5999\"}\n396:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_topics?resourceVersion=id%3A5999\"}\n394:{\"related\":\"$395\",\"self\":\"$396\"}\n38e:{\"data\":\"$38f\",\"links\":\"$394\"}\n34a:{\"node_type\":\"$34b\",\"revision_uid\":\"$351\",\"uid\":\"$357\",\"field_page_section\":\"$35d\",\"field_related_collection\":\"$36a\",\"field_resource_type\":\"$37b\",\"field_roles\":\"$381\",\"field_topics\":\"$38e\"}\n343:{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"links\":\"$344\",\"attributes\":\"$346\",\"relationships\":\"$34a\"}\n399:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2?resourceVersion=id%3A5737\"}\n398:{\"self\":\"$399\"}\n39b:{\"alias\":\"/learn/authorization-operate-ato\",\"pid\":196,\"langcode\":\"en\"}\n39c:{\"value\":\"Testing and documenting system security and compliance to gain approval to operate the system at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting and documenting system security and compliance to gain approval to operate the system at CMS\u003c/p\u003e\\n\"}\n39d:[\"#cra-help\"]\n39a:{\"drupal_internal__nid\":206,\"drupal_internal__vid\":5737,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-31T17:37:48+00:00\",\"status\":true,\"title\":\"Authorization to Operate (ATO)\",\"created\":\"2022-08-25T19:06:37+00:00\",\"changed\":\"2024-07-31T17:37:48+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$39b\",\"rh_action\":null,\"rh_redirect\":null,"])</script><script>self.__next_f.push([1,"\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":\"$39c\",\"field_slack_channel\":\"$39d\"}\n3a1:{\"drupal_internal__target_id\":\"explainer\"}\n3a0:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$3a1\"}\n3a3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/node_type?resourceVersion=id%3A5737\"}\n3a4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/node_type?resourceVersion=id%3A5737\"}\n3a2:{\"related\":\"$3a3\",\"self\":\"$3a4\"}\n39f:{\"data\":\"$3a0\",\"links\":\"$3a2\"}\n3a7:{\"drupal_internal__target_id\":6}\n3a6:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$3a7\"}\n3a9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/revision_uid?resourceVersion=id%3A5737\"}\n3aa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/revision_uid?resourceVersion=id%3A5737\"}\n3a8:{\"related\":\"$3a9\",\"self\":\"$3aa\"}\n3a5:{\"data\":\"$3a6\",\"links\":\"$3a8\"}\n3ad:{\"drupal_internal__target_id\":26}\n3ac:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$3ad\"}\n3af:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/uid?resourceVersion=id%3A5737\"}\n3b0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/uid?resourceVersion=id%3A5737\"}\n3ae:{\"related\":\"$3af\",\"self\":\"$3b0\"}\n3ab:{\"data\":\"$3ac\",\"links\":\"$3ae\"}\n3b4:{\"target_revision_id\":18928,\"drupal_internal__target_id\":711}\n3b3:{\"type\":\"paragraph--page_section\",\"id\":\"d94629f9-9668-41dd-bce7-a4f267239c07\",\"meta\":\"$3b4\"}\n3b6:{\"target_revision_id\":18929,\"drupal_internal__target_id\":736}\n3b5:{\"type\":\"paragraph--page_section\",\"id\":\"243e2d3f-f903-438c-8b1f-aee53390b1df\",\"meta\":\"$3b6\"}\n3b2:[\"$"])</script><script>self.__next_f.push([1,"3b3\",\"$3b5\"]\n3b8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_page_section?resourceVersion=id%3A5737\"}\n3b9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_page_section?resourceVersion=id%3A5737\"}\n3b7:{\"related\":\"$3b8\",\"self\":\"$3b9\"}\n3b1:{\"data\":\"$3b2\",\"links\":\"$3b7\"}\n3bd:{\"target_revision_id\":18930,\"drupal_internal__target_id\":3376}\n3bc:{\"type\":\"paragraph--internal_link\",\"id\":\"6f904ac4-c80e-47d9-b786-ee79256befed\",\"meta\":\"$3bd\"}\n3bf:{\"target_revision_id\":18931,\"drupal_internal__target_id\":1306}\n3be:{\"type\":\"paragraph--internal_link\",\"id\":\"e20959d7-2a7b-4a01-b985-cfa5363233f5\",\"meta\":\"$3bf\"}\n3c1:{\"target_revision_id\":18932,\"drupal_internal__target_id\":1316}\n3c0:{\"type\":\"paragraph--internal_link\",\"id\":\"dba9b926-f657-43ce-bc94-0a2d803430c6\",\"meta\":\"$3c1\"}\n3c3:{\"target_revision_id\":18933,\"drupal_internal__target_id\":2521}\n3c2:{\"type\":\"paragraph--internal_link\",\"id\":\"44f7083e-9341-42a5-85dc-a9043cdccdce\",\"meta\":\"$3c3\"}\n3c5:{\"target_revision_id\":18934,\"drupal_internal__target_id\":3444}\n3c4:{\"type\":\"paragraph--internal_link\",\"id\":\"bd0366d9-64ce-401f-9453-bf38aa8054a1\",\"meta\":\"$3c5\"}\n3bb:[\"$3bc\",\"$3be\",\"$3c0\",\"$3c2\",\"$3c4\"]\n3c7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_related_collection?resourceVersion=id%3A5737\"}\n3c8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_related_collection?resourceVersion=id%3A5737\"}\n3c6:{\"related\":\"$3c7\",\"self\":\"$3c8\"}\n3ba:{\"data\":\"$3bb\",\"links\":\"$3c6\"}\n3cb:{\"drupal_internal__target_id\":131}\n3ca:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$3cb\"}\n3cd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_resource_type?resourceVersion=id%3A5737\"}\n3ce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/"])</script><script>self.__next_f.push([1,"field_resource_type?resourceVersion=id%3A5737\"}\n3cc:{\"related\":\"$3cd\",\"self\":\"$3ce\"}\n3c9:{\"data\":\"$3ca\",\"links\":\"$3cc\"}\n3d2:{\"drupal_internal__target_id\":66}\n3d1:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$3d2\"}\n3d4:{\"drupal_internal__target_id\":61}\n3d3:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$3d4\"}\n3d6:{\"drupal_internal__target_id\":76}\n3d5:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$3d6\"}\n3d0:[\"$3d1\",\"$3d3\",\"$3d5\"]\n3d8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_roles?resourceVersion=id%3A5737\"}\n3d9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_roles?resourceVersion=id%3A5737\"}\n3d7:{\"related\":\"$3d8\",\"self\":\"$3d9\"}\n3cf:{\"data\":\"$3d0\",\"links\":\"$3d7\"}\n3dd:{\"drupal_internal__target_id\":11}\n3dc:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$3dd\"}\n3db:[\"$3dc\"]\n3df:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_topics?resourceVersion=id%3A5737\"}\n3e0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_topics?resourceVersion=id%3A5737\"}\n3de:{\"related\":\"$3df\",\"self\":\"$3e0\"}\n3da:{\"data\":\"$3db\",\"links\":\"$3de\"}\n39e:{\"node_type\":\"$39f\",\"revision_uid\":\"$3a5\",\"uid\":\"$3ab\",\"field_page_section\":\"$3b1\",\"field_related_collection\":\"$3ba\",\"field_resource_type\":\"$3c9\",\"field_roles\":\"$3cf\",\"field_topics\":\"$3da\"}\n397:{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"links\":\"$398\",\"attributes\":\"$39a\",\"relationships\":\"$39e\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf?resourceVersion=id%3A5861\"}},\"attributes\":{\"drupal_internal__nid\":771,\"drupal_internal__vid\":5861,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-08T14:51:46+00:00\",\"status\":true,\"title\":\"Ongoing Authorization (OA)\",\"created\":\"2023-03-06T21:09:39+00:00\",\"changed\":\"2024-08-08T14:51:46+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/ongoing-authorization-oa\",\"pid\":751,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSupporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#oa-onboarding \",\"#security_community \",\"#CMS-CDM\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/node_type?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/node_type?resourceVersion=id%3A5861\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/revision_uid?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/revision_uid?resourceVersion=id%3A5861\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/uid?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/uid?resourceVersion=id%3A5861\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"8e64b2f7-d23c-4782-b0e3-e3b850374054\",\"meta\":{\"target_revision_id\":19161,\"drupal_internal__target_id\":2336}},{\"type\":\"paragraph--page_section\",\"id\":\"53ba39d8-a757-47cf-9d7e-e7a23389889e\",\"meta\":{\"target_revision_id\":19169,\"drupal_internal__target_id\":2351}},{\"type\":\"paragraph--page_section\",\"id\":\"123ffcec-1914-4725-a582-5c61bd8c9241\",\"meta\":{\"target_revision_id\":19171,\"drupal_internal__target_id\":2386}},{\"type\":\"paragraph--page_section\",\"id\":\"e5ef118a-a42b-4cfb-b5a6-cebc127739d3\",\"meta\":{\"target_revision_id\":19172,\"drupal_internal__target_id\":2426}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_page_section?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_page_section?resourceVersion=id%3A5861\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"de5326cf-552a-427c-9781-a4912ad4e45a\",\"meta\":{\"target_revision_id\":19173,\"drupal_internal__target_id\":2466}},{\"type\":\"paragraph--internal_link\",\"id\":\"b5f6c429-201a-4f5f-ae6e-05b6e235ddbc\",\"meta\":{\"target_revision_id\":19174,\"drupal_internal__target_id\":2471}},{\"type\":\"paragraph--internal_link\",\"id\":\"5a2be300-e6a0-41ff-9db9-5b88b77f18f2\",\"meta\":{\"target_revision_id\":19175,\"drupal_internal__target_id\":2476}},{\"type\":\"paragraph--internal_link\",\"id\":\"a7539e73-da37-44b0-ad17-9c481c5e89e9\",\"meta\":{\"target_revision_id\":19176,\"drupal_internal__target_id\":2481}},{\"type\":\"paragraph--internal_link\",\"id\":\"4f862230-6bb8-4954-b295-52e00e609ba5\",\"meta\":{\"target_revision_id\":19177,\"drupal_internal__target_id\":2486}},{\"type\":\"paragraph--internal_link\",\"id\":\"8f0f75de-c261-41da-9ef7-06ccd80efb66\",\"meta\":{\"target_revision_id\":19178,\"drupal_internal__target_id\":2491}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_related_collection?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_related_collection?resourceVersion=id%3A5861\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_resource_type?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_resource_type?resourceVersion=id%3A5861\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_roles?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_roles?resourceVersion=id%3A5861\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_topics?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_topics?resourceVersion=id%3A5861\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}},\"attributes\":{\"display_name\":\"mburgess\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}},\"attributes\":{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}},\"attributes\":{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e?resourceVersion=id%3A11\"}},\"attributes\":{\"drupal_internal__tid\":11,\"drupal_internal__revision_id\":11,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:12+00:00\",\"status\":true,\"name\":\"System Authorization\",\"description\":null,\"weight\":7,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/vid?resourceVersion=id%3A11\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/vid?resourceVersion=id%3A11\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/revision_user?resourceVersion=id%3A11\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/revision_user?resourceVersion=id%3A11\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/parent?resourceVersion=id%3A11\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/parent?resourceVersion=id%3A11\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"8e64b2f7-d23c-4782-b0e3-e3b850374054\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8e64b2f7-d23c-4782-b0e3-e3b850374054?resourceVersion=id%3A19161\"}},\"attributes\":{\"drupal_internal__id\":2336,\"drupal_internal__revision_id\":19161,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-06T21:17:11+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8e64b2f7-d23c-4782-b0e3-e3b850374054/paragraph_type?resourceVersion=id%3A19161\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8e64b2f7-d23c-4782-b0e3-e3b850374054/relationships/paragraph_type?resourceVersion=id%3A19161\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id\":\"ae0c6c13-8abb-443d-a45e-6cbaf3437a4c\",\"meta\":{\"target_revision_id\":19160,\"drupal_internal__target_id\":2331}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8e64b2f7-d23c-4782-b0e3-e3b850374054/field_specialty_item?resourceVersion=id%3A19161\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8e64b2f7-d23c-4782-b0e3-e3b850374054/relationships/field_specialty_item?resourceVersion=id%3A19161\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"53ba39d8-a757-47cf-9d7e-e7a23389889e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53ba39d8-a757-47cf-9d7e-e7a23389889e?resourceVersion=id%3A19169\"}},\"attributes\":{\"drupal_internal__id\":2351,\"drupal_internal__revision_id\":19169,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-06T21:18:07+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"\u003ch2\u003eOA Program onboarding process\u003c/h2\u003e\u003cp\u003eIf your system qualifies for the OA Program, you will complete the following process to onboard:\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2\u003eOA Program onboarding process\u003c/h2\u003e\u003cp\u003eIf your system qualifies for the OA Program, you will complete the following process to onboard:\u003c/p\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53ba39d8-a757-47cf-9d7e-e7a23389889e/paragraph_type?resourceVersion=id%3A19169\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53ba39d8-a757-47cf-9d7e-e7a23389889e/relationships/paragraph_type?resourceVersion=id%3A19169\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--process_list\",\"id\":\"5a00832f-f53f-42e9-bcfe-20b3a03db922\",\"meta\":{\"target_revision_id\":19168,\"drupal_internal__target_id\":2346}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53ba39d8-a757-47cf-9d7e-e7a23389889e/field_specialty_item?resourceVersion=id%3A19169\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53ba39d8-a757-47cf-9d7e-e7a23389889e/relationships/field_specialty_item?resourceVersion=id%3A19169\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"123ffcec-1914-4725-a582-5c61bd8c9241\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/123ffcec-1914-4725-a582-5c61bd8c9241?resourceVersion=id%3A19171\"}},\"attributes\":{\"drupal_internal__id\":2386,\"drupal_internal__revision_id\":19171,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:21:55+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/123ffcec-1914-4725-a582-5c61bd8c9241/paragraph_type?resourceVersion=id%3A19171\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/123ffcec-1914-4725-a582-5c61bd8c9241/relationships/paragraph_type?resourceVersion=id%3A19171\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id\":\"aecadbee-307a-44a7-bfcc-aeca5ef14e74\",\"meta\":{\"target_revision_id\":19170,\"drupal_internal__target_id\":2381}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/123ffcec-1914-4725-a582-5c61bd8c9241/field_specialty_item?resourceVersion=id%3A19171\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/123ffcec-1914-4725-a582-5c61bd8c9241/relationships/field_specialty_item?resourceVersion=id%3A19171\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"e5ef118a-a42b-4cfb-b5a6-cebc127739d3\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/e5ef118a-a42b-4cfb-b5a6-cebc127739d3?resourceVersion=id%3A19172\"}},\"attributes\":{\"drupal_internal__id\":2426,\"drupal_internal__revision_id\":19172,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:23:16+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$1c\",\"format\":\"body_text\",\"processed\":\"$1d\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/e5ef118a-a42b-4cfb-b5a6-cebc127739d3/paragraph_type?resourceVersion=id%3A19172\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/e5ef118a-a42b-4cfb-b5a6-cebc127739d3/relationships/paragraph_type?resourceVersion=id%3A19172\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/e5ef118a-a42b-4cfb-b5a6-cebc127739d3/field_specialty_item?resourceVersion=id%3A19172\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/e5ef118a-a42b-4cfb-b5a6-cebc127739d3/relationships/field_specialty_item?resourceVersion=id%3A19172\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"ae0c6c13-8abb-443d-a45e-6cbaf3437a4c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/ae0c6c13-8abb-443d-a45e-6cbaf3437a4c?resourceVersion=id%3A19160\"}},\"attributes\":{\"drupal_internal__id\":2331,\"drupal_internal__revision_id\":19160,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-06T21:17:11+00:00\",\"parent_id\":\"2336\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":{\"uri\":\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=195122542\u0026preview=/195122542/250712614/OA%20Program%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20102721_Final.pdf\",\"title\":\"\",\"options\":[],\"url\":\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=195122542\u0026preview=/195122542/250712614/OA%20Program%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20102721_Final.pdf\"},\"field_call_out_link_text\":\"See the OA Dashboard guide\",\"field_call_out_text\":{\"value\":\"Learn how to access and use the Ongoing Authorization Program Dashboard. (CMS internal link)\\r\\n\\r\\n\\r\\n\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eLearn how to access and use the Ongoing Authorization Program Dashboard. (CMS internal link)\u003c/p\u003e\\n\"},\"field_header\":\"Quick start guide\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/ae0c6c13-8abb-443d-a45e-6cbaf3437a4c/paragraph_type?resourceVersion=id%3A19160\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/ae0c6c13-8abb-443d-a45e-6cbaf3437a4c/relationships/paragraph_type?resourceVersion=id%3A19160\"}}}}},{\"type\":\"paragraph--process_list\",\"id\":\"5a00832f-f53f-42e9-bcfe-20b3a03db922\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/5a00832f-f53f-42e9-bcfe-20b3a03db922?resourceVersion=id%3A19168\"}},\"attributes\":{\"drupal_internal__id\":2346,\"drupal_internal__revision_id\":19168,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-06T21:18:30+00:00\",\"parent_id\":\"2351\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":{\"drupal_internal__target_id\":\"process_list\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/5a00832f-f53f-42e9-bcfe-20b3a03db922/paragraph_type?resourceVersion=id%3A19168\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/5a00832f-f53f-42e9-bcfe-20b3a03db922/relationships/paragraph_type?resourceVersion=id%3A19168\"}}},\"field_process_list_item\":{\"data\":[{\"type\":\"paragraph--process_list_item\",\"id\":\"8fd40376-7435-486e-8349-b5d170510f05\",\"meta\":{\"target_revision_id\":19162,\"drupal_internal__target_id\":2341}},{\"type\":\"paragraph--process_list_item\",\"id\":\"62b8fb6b-a4f8-4043-8ffe-51da6dfb4720\",\"meta\":{\"target_revision_id\":19163,\"drupal_internal__target_id\":2356}},{\"type\":\"paragraph--process_list_item\",\"id\":\"de1e111d-bb99-44d6-a1a6-b3c92b895371\",\"meta\":{\"target_revision_id\":19164,\"drupal_internal__target_id\":2361}},{\"type\":\"paragraph--process_list_item\",\"id\":\"9da16e13-7938-4288-afa1-3ada5fc77270\",\"meta\":{\"target_revision_id\":19165,\"drupal_internal__target_id\":2366}},{\"type\":\"paragraph--process_list_item\",\"id\":\"8bea1337-54bc-44cd-ae45-705accdd579f\",\"meta\":{\"target_revision_id\":19166,\"drupal_internal__target_id\":2371}},{\"type\":\"paragraph--process_list_item\",\"id\":\"8c05f7ef-2515-47e1-876f-73f19caf2858\",\"meta\":{\"target_revision_id\":19167,\"drupal_internal__target_id\":2376}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/5a00832f-f53f-42e9-bcfe-20b3a03db922/field_process_list_item?resourceVersion=id%3A19168\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/5a00832f-f53f-42e9-bcfe-20b3a03db922/relationships/field_process_list_item?resourceVersion=id%3A19168\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"aecadbee-307a-44a7-bfcc-aeca5ef14e74\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/aecadbee-307a-44a7-bfcc-aeca5ef14e74?resourceVersion=id%3A19170\"}},\"attributes\":{\"drupal_internal__id\":2381,\"drupal_internal__revision_id\":19170,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:22:32+00:00\",\"parent_id\":\"2386\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":null,\"field_call_out_link_text\":\"Learn more and schedule\",\"field_call_out_text\":{\"value\":\"CSRAP is one of the fundamentals of the OA Program. Find out more about this service and schedule your test. \\r\\n\\r\\n\\r\\n\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCSRAP is one of the fundamentals of the OA Program. Find out more about this service and schedule your test.\u003c/p\u003e\\n\"},\"field_header\":\"Learn more about CSRAP \"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/aecadbee-307a-44a7-bfcc-aeca5ef14e74/paragraph_type?resourceVersion=id%3A19170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/aecadbee-307a-44a7-bfcc-aeca5ef14e74/relationships/paragraph_type?resourceVersion=id%3A19170\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"8fd40376-7435-486e-8349-b5d170510f05\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8fd40376-7435-486e-8349-b5d170510f05?resourceVersion=id%3A19162\"}},\"attributes\":{\"drupal_internal__id\":2341,\"drupal_internal__revision_id\":19162,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-06T21:18:30+00:00\",\"parent_id\":\"2346\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eThe criteria above determines if your system is eligible for OA. The OA Team works to identify systems that meet the requirements for OA. As a System/Business Owner, you may receive proactive outreach from the OA Team if your system qualifies. System/Business Owners can also look at their specific system and reach out to the OA Team to request OA Program onboarding.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe criteria above determines if your system is eligible for OA. The OA Team works to identify systems that meet the requirements for OA. As a System/Business Owner, you may receive proactive outreach from the OA Team if your system qualifies. System/Business Owners can also look at their specific system and reach out to the OA Team to request OA Program onboarding.\u003c/p\u003e\"},\"field_list_item_title\":\"Determine if your system qualifies \"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8fd40376-7435-486e-8349-b5d170510f05/paragraph_type?resourceVersion=id%3A19162\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8fd40376-7435-486e-8349-b5d170510f05/relationships/paragraph_type?resourceVersion=id%3A19162\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"62b8fb6b-a4f8-4043-8ffe-51da6dfb4720\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/62b8fb6b-a4f8-4043-8ffe-51da6dfb4720?resourceVersion=id%3A19163\"}},\"attributes\":{\"drupal_internal__id\":2356,\"drupal_internal__revision_id\":19163,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:19:54+00:00\",\"parent_id\":\"2346\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eCMS information systems that have met the OA requirements will receive an OA onboarding invitation email. This email has instructions to get your system started with OA. Your tasks will include: letting the OA Team know you are interested in joining the program, obtaining the appropriate job codes, and working with your ISSO to stay in communication with the OA Team throughout the process.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eCMS information systems that have met the OA requirements will receive an OA onboarding invitation email. This email has instructions to get your system started with OA. Your tasks will include: letting the OA Team know you are interested in joining the program, obtaining the appropriate job codes, and working with your ISSO to stay in communication with the OA Team throughout the process.\u003c/p\u003e\"},\"field_list_item_title\":\"Receive OA candidate email\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/62b8fb6b-a4f8-4043-8ffe-51da6dfb4720/paragraph_type?resourceVersion=id%3A19163\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/62b8fb6b-a4f8-4043-8ffe-51da6dfb4720/relationships/paragraph_type?resourceVersion=id%3A19163\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"de1e111d-bb99-44d6-a1a6-b3c92b895371\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/de1e111d-bb99-44d6-a1a6-b3c92b895371?resourceVersion=id%3A19164\"}},\"attributes\":{\"drupal_internal__id\":2361,\"drupal_internal__revision_id\":19164,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:20:38+00:00\",\"parent_id\":\"2346\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eThe candidate email will include a welcome package for review by the System/Business Owner and ISSO that includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026nbsp;Details on how to maintain OA status\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe process for non-compliance\u003c/li\u003e\u003cli\u003eAn \u003cstrong\u003eOA Onboarding Memo\u003c/strong\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese artifacts must be reviewed by the System/Business Owner and the ISSO prior to joining OA. While reviewing these artifacts, the ISSO will ensure that all information in CFACTS is correct to date.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe candidate email will include a welcome package for review by the System/Business Owner and ISSO that includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026nbsp;Details on how to maintain OA status\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe process for non-compliance\u003c/li\u003e\u003cli\u003eAn \u003cstrong\u003eOA Onboarding Memo\u003c/strong\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese artifacts must be reviewed by the System/Business Owner and the ISSO prior to joining OA. While reviewing these artifacts, the ISSO will ensure that all information in CFACTS is correct to date.\u003c/p\u003e\"},\"field_list_item_title\":\"Review OA welcome package\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/de1e111d-bb99-44d6-a1a6-b3c92b895371/paragraph_type?resourceVersion=id%3A19164\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/de1e111d-bb99-44d6-a1a6-b3c92b895371/relationships/paragraph_type?resourceVersion=id%3A19164\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"9da16e13-7938-4288-afa1-3ada5fc77270\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/9da16e13-7938-4288-afa1-3ada5fc77270?resourceVersion=id%3A19165\"}},\"attributes\":{\"drupal_internal__id\":2366,\"drupal_internal__revision_id\":19165,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:20:48+00:00\",\"parent_id\":\"2346\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eThe ISSO will submit the signed memo into the ATO Request workflow in CMS Connect. The letter must be added as an attachment, and the certification form checkbox must be selected, as the memo takes its place.\u0026nbsp; The CRA will change the OA Status field to OA Onboarding for that system in CFACTS.\u0026nbsp; The System/Business Owner and ISSO must also participate in an ISPG-led Threat Modeling session during onboarding.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe ISSO will submit the signed memo into the ATO Request workflow in CMS Connect. The letter must be added as an attachment, and the certification form checkbox must be selected, as the memo takes its place.\u0026nbsp; The CRA will change the OA Status field to OA Onboarding for that system in CFACTS.\u0026nbsp; The System/Business Owner and ISSO must also participate in an ISPG-led Threat Modeling session during onboarding.\u003c/p\u003e\"},\"field_list_item_title\":\"Submit system for OA status\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/9da16e13-7938-4288-afa1-3ada5fc77270/paragraph_type?resourceVersion=id%3A19165\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/9da16e13-7938-4288-afa1-3ada5fc77270/relationships/paragraph_type?resourceVersion=id%3A19165\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"8bea1337-54bc-44cd-ae45-705accdd579f\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8bea1337-54bc-44cd-ae45-705accdd579f?resourceVersion=id%3A19166\"}},\"attributes\":{\"drupal_internal__id\":2371,\"drupal_internal__revision_id\":19166,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:21:02+00:00\",\"parent_id\":\"2346\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eThe CRA confirms the system is ready for onboarding and routes the \u003cstrong\u003eOA Onboarding Memo\u003c/strong\u003e to Authorizing Official (AO) for signature. The AO will return the signed letter to the CRA.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe CRA confirms the system is ready for onboarding and routes the \u003cstrong\u003eOA Onboarding Memo\u003c/strong\u003e to Authorizing Official (AO) for signature. The AO will return the signed letter to the CRA.\u003c/p\u003e\"},\"field_list_item_title\":\"Receive Authorizing Official signature\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8bea1337-54bc-44cd-ae45-705accdd579f/paragraph_type?resourceVersion=id%3A19166\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8bea1337-54bc-44cd-ae45-705accdd579f/relationships/paragraph_type?resourceVersion=id%3A19166\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"8c05f7ef-2515-47e1-876f-73f19caf2858\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8c05f7ef-2515-47e1-876f-73f19caf2858?resourceVersion=id%3A19167\"}},\"attributes\":{\"drupal_internal__id\":2376,\"drupal_internal__revision_id\":19167,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:21:31+00:00\",\"parent_id\":\"2346\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eThe CRA uploads the signed OA letter to CFACTS and notifies the System/Business Owner that the system has been placed into OA. The CRA changes the system OA Status in CFACTS to OA Member. It is now the responsibility of the System/Business Owner and the ISSO\u0026nbsp; to maintain compliance.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe CRA uploads the signed OA letter to CFACTS and notifies the System/Business Owner that the system has been placed into OA. The CRA changes the system OA Status in CFACTS to OA Member. It is now the responsibility of the System/Business Owner and the ISSO\u0026nbsp; to maintain compliance.\u003c/p\u003e\"},\"field_list_item_title\":\"Confirm OA status in CFACTS\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8c05f7ef-2515-47e1-876f-73f19caf2858/paragraph_type?resourceVersion=id%3A19167\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8c05f7ef-2515-47e1-876f-73f19caf2858/relationships/paragraph_type?resourceVersion=id%3A19167\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"de5326cf-552a-427c-9781-a4912ad4e45a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de5326cf-552a-427c-9781-a4912ad4e45a?resourceVersion=id%3A19173\"}},\"attributes\":{\"drupal_internal__id\":2466,\"drupal_internal__revision_id\":19173,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:36:46+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de5326cf-552a-427c-9781-a4912ad4e45a/paragraph_type?resourceVersion=id%3A19173\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de5326cf-552a-427c-9781-a4912ad4e45a/relationships/paragraph_type?resourceVersion=id%3A19173\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"meta\":{\"drupal_internal__target_id\":201}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de5326cf-552a-427c-9781-a4912ad4e45a/field_link?resourceVersion=id%3A19173\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de5326cf-552a-427c-9781-a4912ad4e45a/relationships/field_link?resourceVersion=id%3A19173\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"b5f6c429-201a-4f5f-ae6e-05b6e235ddbc\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b5f6c429-201a-4f5f-ae6e-05b6e235ddbc?resourceVersion=id%3A19174\"}},\"attributes\":{\"drupal_internal__id\":2471,\"drupal_internal__revision_id\":19174,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:36:52+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b5f6c429-201a-4f5f-ae6e-05b6e235ddbc/paragraph_type?resourceVersion=id%3A19174\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b5f6c429-201a-4f5f-ae6e-05b6e235ddbc/relationships/paragraph_type?resourceVersion=id%3A19174\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"meta\":{\"drupal_internal__target_id\":246}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b5f6c429-201a-4f5f-ae6e-05b6e235ddbc/field_link?resourceVersion=id%3A19174\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b5f6c429-201a-4f5f-ae6e-05b6e235ddbc/relationships/field_link?resourceVersion=id%3A19174\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"5a2be300-e6a0-41ff-9db9-5b88b77f18f2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5a2be300-e6a0-41ff-9db9-5b88b77f18f2?resourceVersion=id%3A19175\"}},\"attributes\":{\"drupal_internal__id\":2476,\"drupal_internal__revision_id\":19175,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:37:16+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5a2be300-e6a0-41ff-9db9-5b88b77f18f2/paragraph_type?resourceVersion=id%3A19175\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5a2be300-e6a0-41ff-9db9-5b88b77f18f2/relationships/paragraph_type?resourceVersion=id%3A19175\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"meta\":{\"drupal_internal__target_id\":676}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5a2be300-e6a0-41ff-9db9-5b88b77f18f2/field_link?resourceVersion=id%3A19175\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5a2be300-e6a0-41ff-9db9-5b88b77f18f2/relationships/field_link?resourceVersion=id%3A19175\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"a7539e73-da37-44b0-ad17-9c481c5e89e9\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7539e73-da37-44b0-ad17-9c481c5e89e9?resourceVersion=id%3A19176\"}},\"attributes\":{\"drupal_internal__id\":2481,\"drupal_internal__revision_id\":19176,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:37:22+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7539e73-da37-44b0-ad17-9c481c5e89e9/paragraph_type?resourceVersion=id%3A19176\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7539e73-da37-44b0-ad17-9c481c5e89e9/relationships/paragraph_type?resourceVersion=id%3A19176\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"2bfd3478-c381-432c-a7ec-53fa803668ee\",\"meta\":{\"drupal_internal__target_id\":276}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7539e73-da37-44b0-ad17-9c481c5e89e9/field_link?resourceVersion=id%3A19176\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7539e73-da37-44b0-ad17-9c481c5e89e9/relationships/field_link?resourceVersion=id%3A19176\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"4f862230-6bb8-4954-b295-52e00e609ba5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4f862230-6bb8-4954-b295-52e00e609ba5?resourceVersion=id%3A19177\"}},\"attributes\":{\"drupal_internal__id\":2486,\"drupal_internal__revision_id\":19177,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:37:39+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4f862230-6bb8-4954-b295-52e00e609ba5/paragraph_type?resourceVersion=id%3A19177\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4f862230-6bb8-4954-b295-52e00e609ba5/relationships/paragraph_type?resourceVersion=id%3A19177\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"meta\":{\"drupal_internal__target_id\":261}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4f862230-6bb8-4954-b295-52e00e609ba5/field_link?resourceVersion=id%3A19177\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4f862230-6bb8-4954-b295-52e00e609ba5/relationships/field_link?resourceVersion=id%3A19177\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"8f0f75de-c261-41da-9ef7-06ccd80efb66\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8f0f75de-c261-41da-9ef7-06ccd80efb66?resourceVersion=id%3A19178\"}},\"attributes\":{\"drupal_internal__id\":2491,\"drupal_internal__revision_id\":19178,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-07T14:38:08+00:00\",\"parent_id\":\"771\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8f0f75de-c261-41da-9ef7-06ccd80efb66/paragraph_type?resourceVersion=id%3A19178\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8f0f75de-c261-41da-9ef7-06ccd80efb66/relationships/paragraph_type?resourceVersion=id%3A19178\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"meta\":{\"drupal_internal__target_id\":206}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8f0f75de-c261-41da-9ef7-06ccd80efb66/field_link?resourceVersion=id%3A19178\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8f0f75de-c261-41da-9ef7-06ccd80efb66/relationships/field_link?resourceVersion=id%3A19178\"}}}}},{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320?resourceVersion=id%3A5941\"}},\"attributes\":{\"drupal_internal__nid\":201,\"drupal_internal__vid\":5941,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-17T14:04:35+00:00\",\"status\":true,\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"created\":\"2022-08-25T18:58:52+00:00\",\"changed\":\"2024-10-07T20:27:11+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"pid\":191,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CSRAP@cms.hhs.gov\",\"field_contact_name\":\"CSRAP Team\",\"field_short_description\":{\"value\":\"A streamlined risk-based control(s) testing methodology designed to relieve operational burden.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA streamlined risk-based control(s) testing methodology designed to relieve operational burden.\u003c/p\u003e\\n\"},\"field_slack_channel\":[]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/node_type?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/node_type?resourceVersion=id%3A5941\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"39240c69-3096-49cd-a07c-3843b6c48c5f\",\"meta\":{\"drupal_internal__target_id\":95}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/revision_uid?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/revision_uid?resourceVersion=id%3A5941\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/uid?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/uid?resourceVersion=id%3A5941\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"f36fb6d1-0795-400f-8a15-36d1979118b0\",\"meta\":{\"target_revision_id\":19433,\"drupal_internal__target_id\":3501}},{\"type\":\"paragraph--page_section\",\"id\":\"eb5b28d8-8825-43c5-a889-513068f48fd8\",\"meta\":{\"target_revision_id\":19434,\"drupal_internal__target_id\":611}},{\"type\":\"paragraph--page_section\",\"id\":\"269aaf52-85f1-411f-a67e-e9d9ad620d8a\",\"meta\":{\"target_revision_id\":19435,\"drupal_internal__target_id\":651}},{\"type\":\"paragraph--page_section\",\"id\":\"3a3615ff-9d53-40d6-8291-fd4516dbc893\",\"meta\":{\"target_revision_id\":19442,\"drupal_internal__target_id\":3502}},{\"type\":\"paragraph--page_section\",\"id\":\"cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa\",\"meta\":{\"target_revision_id\":19443,\"drupal_internal__target_id\":3503}},{\"type\":\"paragraph--page_section\",\"id\":\"a46d03b7-7478-40f1-a7da-3171ffcfaa2d\",\"meta\":{\"target_revision_id\":19444,\"drupal_internal__target_id\":3504}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_page_section?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_page_section?resourceVersion=id%3A5941\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"28dbad4c-79e6-4f83-bc5e-965ba6aa4926\",\"meta\":{\"target_revision_id\":19445,\"drupal_internal__target_id\":656}},{\"type\":\"paragraph--internal_link\",\"id\":\"9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2\",\"meta\":{\"target_revision_id\":19446,\"drupal_internal__target_id\":661}},{\"type\":\"paragraph--internal_link\",\"id\":\"77c203ce-2da8-4200-986c-1093acc2ff5a\",\"meta\":{\"target_revision_id\":19447,\"drupal_internal__target_id\":671}},{\"type\":\"paragraph--internal_link\",\"id\":\"50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a\",\"meta\":{\"target_revision_id\":19448,\"drupal_internal__target_id\":676}},{\"type\":\"paragraph--internal_link\",\"id\":\"c4a332dc-02ea-48f6-9c08-c12ca06e62b5\",\"meta\":{\"target_revision_id\":19449,\"drupal_internal__target_id\":681}},{\"type\":\"paragraph--internal_link\",\"id\":\"5cc61db4-e2f7-43ad-b914-3661d73886e9\",\"meta\":{\"target_revision_id\":19450,\"drupal_internal__target_id\":3505}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_related_collection?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_related_collection?resourceVersion=id%3A5941\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_resource_type?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_resource_type?resourceVersion=id%3A5941\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_roles?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_roles?resourceVersion=id%3A5941\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_topics?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_topics?resourceVersion=id%3A5941\"}}}}},{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58?resourceVersion=id%3A5668\"}},\"attributes\":{\"drupal_internal__nid\":246,\"drupal_internal__vid\":5668,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-12T15:23:53+00:00\",\"status\":true,\"title\":\"CMS Cloud Services\",\"created\":\"2022-08-26T14:47:12+00:00\",\"changed\":\"2024-07-12T15:23:53+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-cloud-services\",\"pid\":236,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cloudsupport@cms.hhs.gov\",\"field_contact_name\":\"CMS Cloud Support\",\"field_short_description\":{\"value\":\"Platform-As-A-Service with tools, security, and support services designed specifically for CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003ePlatform-As-A-Service with tools, security, and support services designed specifically for CMS\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cms-cloud-security-forum\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/node_type?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/node_type?resourceVersion=id%3A5668\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/revision_uid?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/revision_uid?resourceVersion=id%3A5668\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/uid?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/uid?resourceVersion=id%3A5668\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"15f8e7ab-00f6-4c17-b433-659267271131\",\"meta\":{\"target_revision_id\":18519,\"drupal_internal__target_id\":1371}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_page_section?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_page_section?resourceVersion=id%3A5668\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"b48e2348-59b0-42a6-9f44-62af8a94ddf1\",\"meta\":{\"target_revision_id\":18520,\"drupal_internal__target_id\":1376}},{\"type\":\"paragraph--internal_link\",\"id\":\"17ea04ed-0987-43ea-b494-7c051ddfcd28\",\"meta\":{\"target_revision_id\":18521,\"drupal_internal__target_id\":1381}},{\"type\":\"paragraph--internal_link\",\"id\":\"ae49a5b4-3922-4f8d-bbe5-624b243b4637\",\"meta\":{\"target_revision_id\":18522,\"drupal_internal__target_id\":1391}},{\"type\":\"paragraph--internal_link\",\"id\":\"3ebbf63a-35a8-4c15-8002-2b41f7ef528a\",\"meta\":{\"target_revision_id\":18523,\"drupal_internal__target_id\":1396}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_related_collection?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_related_collection?resourceVersion=id%3A5668\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_resource_type?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_resource_type?resourceVersion=id%3A5668\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_roles?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_roles?resourceVersion=id%3A5668\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_topics?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_topics?resourceVersion=id%3A5668\"}}}}},{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08?resourceVersion=id%3A5525\"}},\"attributes\":{\"drupal_internal__nid\":676,\"drupal_internal__vid\":5525,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-04T17:13:19+00:00\",\"status\":true,\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"created\":\"2023-02-04T14:55:07+00:00\",\"changed\":\"2024-06-04T17:13:19+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"pid\":666,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CDMPMO@cms.hhs.gov\",\"field_contact_name\":\"CDM team\",\"field_short_description\":{\"value\":\"Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eAutomated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cyber-risk-management\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/node_type?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/node_type?resourceVersion=id%3A5525\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":{\"drupal_internal__target_id\":107}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/revision_uid?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/revision_uid?resourceVersion=id%3A5525\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/uid?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/uid?resourceVersion=id%3A5525\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"8b7bda2b-e3dc-4760-9901-27255f14ff41\",\"meta\":{\"target_revision_id\":17929,\"drupal_internal__target_id\":546}},{\"type\":\"paragraph--page_section\",\"id\":\"8e76f588-fd94-4439-b7e3-73c8b83e3500\",\"meta\":{\"target_revision_id\":17930,\"drupal_internal__target_id\":551}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_page_section?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_page_section?resourceVersion=id%3A5525\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"bc285af3-dba7-4a12-8881-a8fed446dded\",\"meta\":{\"target_revision_id\":17931,\"drupal_internal__target_id\":1891}},{\"type\":\"paragraph--internal_link\",\"id\":\"1bc4b03f-652f-4fbf-8024-43e830b4b0a3\",\"meta\":{\"target_revision_id\":17932,\"drupal_internal__target_id\":1896}},{\"type\":\"paragraph--internal_link\",\"id\":\"05f865ef-4960-439b-9fca-9e7d70dfbe39\",\"meta\":{\"target_revision_id\":17933,\"drupal_internal__target_id\":1906}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_related_collection?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_related_collection?resourceVersion=id%3A5525\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_resource_type?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_resource_type?resourceVersion=id%3A5525\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_roles?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_roles?resourceVersion=id%3A5525\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_topics?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_topics?resourceVersion=id%3A5525\"}}}}},{\"type\":\"node--explainer\",\"id\":\"2bfd3478-c381-432c-a7ec-53fa803668ee\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee?resourceVersion=id%3A6081\"}},\"attributes\":{\"drupal_internal__nid\":276,\"drupal_internal__vid\":6081,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-15T19:24:02+00:00\",\"status\":true,\"title\":\"Cyber Risk Reports (CRR)\",\"created\":\"2022-08-26T15:05:42+00:00\",\"changed\":\"2025-01-14T20:34:25+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cyber-risk-reports\",\"pid\":266,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CRMPMO@cms.hhs.gov\",\"field_contact_name\":\"CRM Team\",\"field_short_description\":{\"value\":\"Reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eReports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cyber-risk-management\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/node_type?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/node_type?resourceVersion=id%3A6081\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":{\"drupal_internal__target_id\":107}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/revision_uid?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/revision_uid?resourceVersion=id%3A6081\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/uid?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/uid?resourceVersion=id%3A6081\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"99eb2a67-6873-48f2-9027-a58a87a1ef43\",\"meta\":{\"target_revision_id\":19976,\"drupal_internal__target_id\":1041}},{\"type\":\"paragraph--page_section\",\"id\":\"55411c7e-d16e-4e24-9ec0-e61d07f1aaab\",\"meta\":{\"target_revision_id\":19981,\"drupal_internal__target_id\":1051}},{\"type\":\"paragraph--page_section\",\"id\":\"1ed92f8d-8be4-41a2-bc9c-e012801a98bf\",\"meta\":{\"target_revision_id\":19986,\"drupal_internal__target_id\":1061}},{\"type\":\"paragraph--page_section\",\"id\":\"9ab563ca-90a0-4ff0-a86c-2b0de01421c2\",\"meta\":{\"target_revision_id\":19996,\"drupal_internal__target_id\":1071}},{\"type\":\"paragraph--page_section\",\"id\":\"d2de38a5-dc24-41cd-9344-bb7d2240b7f4\",\"meta\":{\"target_revision_id\":20006,\"drupal_internal__target_id\":1091}},{\"type\":\"paragraph--page_section\",\"id\":\"8383a3b3-7807-40a8-96f7-0197052ff373\",\"meta\":{\"target_revision_id\":20016,\"drupal_internal__target_id\":1101}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_page_section?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_page_section?resourceVersion=id%3A6081\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"b0c313be-306b-48cd-b0bf-8a70f2bae7fb\",\"meta\":{\"target_revision_id\":20021,\"drupal_internal__target_id\":1911}},{\"type\":\"paragraph--internal_link\",\"id\":\"32ab944d-d8c2-480b-b01e-85fa1a7eaf17\",\"meta\":{\"target_revision_id\":20026,\"drupal_internal__target_id\":1916}},{\"type\":\"paragraph--internal_link\",\"id\":\"21220e28-a46b-469f-9033-3e3482d07b4e\",\"meta\":{\"target_revision_id\":20031,\"drupal_internal__target_id\":3386}},{\"type\":\"paragraph--internal_link\",\"id\":\"1dc73a64-e5a5-419e-9363-9e91887427be\",\"meta\":{\"target_revision_id\":20036,\"drupal_internal__target_id\":3387}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_related_collection?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_related_collection?resourceVersion=id%3A6081\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_resource_type?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_resource_type?resourceVersion=id%3A6081\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_roles?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_roles?resourceVersion=id%3A6081\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_topics?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_topics?resourceVersion=id%3A6081\"}}}}},{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b?resourceVersion=id%3A5999\"}},\"attributes\":{\"drupal_internal__nid\":261,\"drupal_internal__vid\":5999,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-05T18:41:37+00:00\",\"status\":true,\"title\":\"CMS FISMA Continuous Tracking System (CFACTS)\",\"created\":\"2022-08-26T14:57:02+00:00\",\"changed\":\"2024-12-05T18:41:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"pid\":251,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ciso@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team \",\"field_short_description\":{\"value\":\"CFACTS is a CMS database that tracks application security deficiencies and POA\u0026Ms, and supports the ATO process\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCFACTS is a CMS database that tracks application security deficiencies and POA\u0026amp;Ms, and supports the ATO process\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cfacts_community\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/node_type?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/node_type?resourceVersion=id%3A5999\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/revision_uid?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/revision_uid?resourceVersion=id%3A5999\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/uid?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/uid?resourceVersion=id%3A5999\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"963db416-cca0-421d-8c3e-40c8e2ce190f\",\"meta\":{\"target_revision_id\":19655,\"drupal_internal__target_id\":2101}},{\"type\":\"paragraph--page_section\",\"id\":\"9b87eb1d-cb43-472b-9b5b-8618d2688563\",\"meta\":{\"target_revision_id\":19660,\"drupal_internal__target_id\":446}},{\"type\":\"paragraph--page_section\",\"id\":\"122a8de9-c38d-492b-bc93-b43b270f2933\",\"meta\":{\"target_revision_id\":19666,\"drupal_internal__target_id\":1781}},{\"type\":\"paragraph--page_section\",\"id\":\"594617c8-824a-4962-aa08-fdf8dd4677fb\",\"meta\":{\"target_revision_id\":19667,\"drupal_internal__target_id\":3468}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_page_section?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_page_section?resourceVersion=id%3A5999\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"76dcb171-ae0a-42ba-b330-b93b63633cdd\",\"meta\":{\"target_revision_id\":19668,\"drupal_internal__target_id\":1816}},{\"type\":\"paragraph--internal_link\",\"id\":\"7f340091-9774-491a-817d-0cdfaf0c72d1\",\"meta\":{\"target_revision_id\":19669,\"drupal_internal__target_id\":1821}},{\"type\":\"paragraph--internal_link\",\"id\":\"4b7486bb-57c5-440b-b07c-54deb80f1ca1\",\"meta\":{\"target_revision_id\":19670,\"drupal_internal__target_id\":1826}},{\"type\":\"paragraph--internal_link\",\"id\":\"d72a41d1-1d17-452f-9375-aea58d84e8e7\",\"meta\":{\"target_revision_id\":19671,\"drupal_internal__target_id\":1831}},{\"type\":\"paragraph--internal_link\",\"id\":\"726e3057-d549-4d7d-80c7-0f4c5d5f8007\",\"meta\":{\"target_revision_id\":19672,\"drupal_internal__target_id\":3462}},{\"type\":\"paragraph--internal_link\",\"id\":\"dbde5fa8-5137-4df4-af83-a4330e0778c7\",\"meta\":{\"target_revision_id\":19673,\"drupal_internal__target_id\":3463}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_related_collection?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_related_collection?resourceVersion=id%3A5999\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_resource_type?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_resource_type?resourceVersion=id%3A5999\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_roles?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_roles?resourceVersion=id%3A5999\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_topics?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_topics?resourceVersion=id%3A5999\"}}}}},{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2?resourceVersion=id%3A5737\"}},\"attributes\":{\"drupal_internal__nid\":206,\"drupal_internal__vid\":5737,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-31T17:37:48+00:00\",\"status\":true,\"title\":\"Authorization to Operate (ATO)\",\"created\":\"2022-08-25T19:06:37+00:00\",\"changed\":\"2024-07-31T17:37:48+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/authorization-operate-ato\",\"pid\":196,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Testing and documenting system security and compliance to gain approval to operate the system at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting and documenting system security and compliance to gain approval to operate the system at CMS\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cra-help\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/node_type?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/node_type?resourceVersion=id%3A5737\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/revision_uid?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/revision_uid?resourceVersion=id%3A5737\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/uid?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/uid?resourceVersion=id%3A5737\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"d94629f9-9668-41dd-bce7-a4f267239c07\",\"meta\":{\"target_revision_id\":18928,\"drupal_internal__target_id\":711}},{\"type\":\"paragraph--page_section\",\"id\":\"243e2d3f-f903-438c-8b1f-aee53390b1df\",\"meta\":{\"target_revision_id\":18929,\"drupal_internal__target_id\":736}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_page_section?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_page_section?resourceVersion=id%3A5737\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"6f904ac4-c80e-47d9-b786-ee79256befed\",\"meta\":{\"target_revision_id\":18930,\"drupal_internal__target_id\":3376}},{\"type\":\"paragraph--internal_link\",\"id\":\"e20959d7-2a7b-4a01-b985-cfa5363233f5\",\"meta\":{\"target_revision_id\":18931,\"drupal_internal__target_id\":1306}},{\"type\":\"paragraph--internal_link\",\"id\":\"dba9b926-f657-43ce-bc94-0a2d803430c6\",\"meta\":{\"target_revision_id\":18932,\"drupal_internal__target_id\":1316}},{\"type\":\"paragraph--internal_link\",\"id\":\"44f7083e-9341-42a5-85dc-a9043cdccdce\",\"meta\":{\"target_revision_id\":18933,\"drupal_internal__target_id\":2521}},{\"type\":\"paragraph--internal_link\",\"id\":\"bd0366d9-64ce-401f-9453-bf38aa8054a1\",\"meta\":{\"target_revision_id\":18934,\"drupal_internal__target_id\":3444}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_related_collection?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_related_collection?resourceVersion=id%3A5737\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_resource_type?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_resource_type?resourceVersion=id%3A5737\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_roles?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_roles?resourceVersion=id%3A5737\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_topics?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_topics?resourceVersion=id%3A5737\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1e\",\"e352e203-fe9c-47ba-af75-2c7f8302fca8\":\"$28\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$2c\",\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\":\"$30\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$4a\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$64\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$7e\",\"65ef6410-4066-4db4-be03-c8eb26b63305\":\"$98\",\"0bc7c1d0-b569-4514-b66c-367457dead7e\":\"$b2\",\"8e64b2f7-d23c-4782-b0e3-e3b850374054\":\"$cc\",\"53ba39d8-a757-47cf-9d7e-e7a23389889e\":\"$e1\",\"123ffcec-1914-4725-a582-5c61bd8c9241\":\"$f4\",\"e5ef118a-a42b-4cfb-b5a6-cebc127739d3\":\"$109\",\"ae0c6c13-8abb-443d-a45e-6cbaf3437a4c\":\"$11c\",\"5a00832f-f53f-42e9-bcfe-20b3a03db922\":\"$12b\",\"aecadbee-307a-44a7-bfcc-aeca5ef14e74\":\"$148\",\"8fd40376-7435-486e-8349-b5d170510f05\":\"$155\",\"62b8fb6b-a4f8-4043-8ffe-51da6dfb4720\":\"$162\",\"de1e111d-bb99-44d6-a1a6-b3c92b895371\":\"$16f\",\"9da16e13-7938-4288-afa1-3ada5fc77270\":\"$17c\",\"8bea1337-54bc-44cd-ae45-705accdd579f\":\"$189\",\"8c05f7ef-2515-47e1-876f-73f19caf2858\":\"$196\",\"de5326cf-552a-427c-9781-a4912ad4e45a\":\"$1a3\",\"b5f6c429-201a-4f5f-ae6e-05b6e235ddbc\":\"$1b5\",\"5a2be300-e6a0-41ff-9db9-5b88b77f18f2\":\"$1c7\",\"a7539e73-da37-44b0-ad17-9c481c5e89e9\":\"$1d9\",\"4f862230-6bb8-4954-b295-52e00e609ba5\":\"$1eb\",\"8f0f75de-c261-41da-9ef7-06ccd80efb66\":\"$1fd\",\"a74e943d-f87d-4688-81e7-65a4013fa320\":\"$20f\",\"42018625-2456-415e-bd2c-f1c061290d58\":\"$265\",\"1f32f891-d557-40ae-84b5-2cecc9300e08\":\"$2ab\",\"2bfd3478-c381-432c-a7ec-53fa803668ee\":\"$2f1\",\"de0901ae-4ea5-491c-badd-90a32da3989b\":\"$343\",\"defa7277-790b-4bbd-b6ee-cc539e121df2\":\"$397\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Ongoing Authorization (OA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/ongoing-authorization-oa\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"Ongoing Authorization (OA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/ongoing-authorization-oa\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/ongoing-authorization-oa/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"Ongoing Authorization (OA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/ongoing-authorization-oa/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>
Reference in a new issue View git blame Copy permalink