publicdata/cms-gov
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
cms-gov/security.cms.gov/learn/password-requirements
Scott Williams b906a0e722 Initial commit
2025-02-28 14:41:14 -05:00

5 lines
No EOL
392 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>Password Requirements | CMS Information Security &amp; Privacy Group</title><meta name="description" content="How to configure passwords when setting up CMS systems
"/><link rel="canonical" href="https://security.cms.gov/learn/password-requirements"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="Password Requirements | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="How to configure passwords when setting up CMS systems
"/><meta property="og:url" content="https://security.cms.gov/learn/password-requirements"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/password-requirements/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Password Requirements | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="How to configure passwords when setting up CMS systems
"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/password-requirements/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accessibility Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">Password Requirements</h1><p class="hero__description">How to configure passwords when setting up CMS systems
</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 margin-top-0">#ispg-sec_privacy-policy</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><p>The <a href="https://security.cms.gov/learn/federal-information-systems-management-act-fisma">Federal Information Security Management Act (FISMA)</a> and <a href="https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf">Federal Information Processing Standard (FIPS) Publication 199 Standards for Security Categorization of Federal Information and Information Systems</a> define three levels of potential impact on organizations or individuals in the event of a security breach: low, moderate, and high.&nbsp;</p><p>At CMS, password requirements for CMS systems vary depending on the systems designated impact level. The requirements for standard account management are described below based on impact level.</p><h2>High impact systems</h2><p><strong>General requirements</strong></p><ul><li>Passwords must not contain dictionary names or words.&nbsp;</li></ul><p><strong>Length requirements</strong></p><p>Password length requirements depend on the type of user. Some systems may have more specific requirements on the number of characters allowed.</p><ul><li>Regular users: at least 8 characters</li><li>Administrators or privileged users: at least 15 characters</li></ul><p><strong>Complexity requirements</strong></p><p>The complexity of your password is measured by these four character categories:</p><ul><li>A - Z</li><li>a - z</li><li>0 - 9</li></ul><p>For High Risk systems, use at least 3 of the 3 categories listed above.</p><p><strong>Password history</strong></p><p>You can re-use a password only after you have a “password history” of a certain size — meaning you have used a certain number of new passwords before repeating an old one. The password history size requirements before repeating a password are:</p><ul><li>12 for High Risk systems</li></ul><p><strong>System requirements</strong></p><p>When handling passwords, the system must:</p><ul><li>Store and transmit only encrypted versions of passwords</li><li>Allow the use of a temporary password for first-time system logins, with the directive to immediately change to a permanent password</li></ul><p>For some systems, the operating environment forces a minimum number of changed characters when new passwords are created. In that case, set the value at:</p><ul><li>12 changed characters for High Risk systems</li></ul><h2>Moderate or Low impact systems</h2><p><strong>General requirements</strong></p><ul><li>Passwords must not contain dictionary names or words.&nbsp;</li></ul><p><strong>Length requirements</strong></p><p>Password length requirements depend on the type of user. Some systems may have more specific requirements on the number of characters allowed.</p><ul><li>Regular users: at least 8 characters</li><li>Administrators or privileged users: at least 15 characters</li></ul><p><strong>Complexity requirements</strong></p><p>The complexity of your password is measured by these four character categories:</p><ul><li>A - Z</li><li>a - z</li><li>0 - 9</li></ul><p>For Moderate or Low Risk systems, using more than one category is optional.</p><p><strong>Password history</strong></p><p>You can re-use a password only after you have a “password history” of a certain size — meaning you have used a certain number of new passwords before repeating an old one. The password history size requirements before repeating a password are:</p><ul><li>6 for Moderate or Low impact systems</li></ul><p><strong>System requirements</strong></p><p>When handling passwords, the system must:</p><ul><li>Store and transmit only encrypted versions of passwords</li><li>Allow the use of a temporary password for first-time system logins, with the directive to immediately change to a permanent password</li></ul><p>For some systems, the operating environment forces a minimum number of changed characters when new passwords are created. In that case, set the values at:</p><ul><li>6 changed characters for Moderate or Low Risk systems</li></ul><h2>Non-standard account authentication</h2><p>For non-standard account-authenticator management, refer to the <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/RMH_VIII_3-1_Authentication.pdf">CMS Risk Management Handbook, Vol. 3, Standard 4.3: <em>Non-Standard Authenticator Management</em>.</a></p><h2>Reference</h2><ul><li><a href="https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x">ARS control IA 05(01)</a></li></ul></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/federal-information-security-modernization-act-fisma">Federal Information Security Modernization Act (FISMA)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>FISMA is federal legislation that defines a framework of guidelines and security standards to protect government information and operations</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-fisma-continuous-tracking-system-cfacts">CMS FISMA Continuous Tracking System (CFACTS)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>CFACTS is a CMS database that tracks application security deficiencies and POA&amp;Ms, and supports the ATO process</p></div></div></li></ul></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"password-requirements\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"password-requirements\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"password-requirements\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"password-requirements\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:T11f1,"])</script><script>self.__next_f.push([1,"\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/federal-information-systems-management-act-fisma\"\u003eFederal Information Security Management Act (FISMA)\u003c/a\u003e and \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFederal Information Processing Standard (FIPS) Publication 199 Standards for Security Categorization of Federal Information and Information Systems\u003c/a\u003e define three levels of potential impact on organizations or individuals in the event of a security breach: low, moderate, and high.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAt CMS, password requirements for CMS systems vary depending on the systems designated impact level. The requirements for standard account management are described below based on impact level.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHigh impact systems\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eGeneral requirements\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePasswords must not contain dictionary names or words.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eLength requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ePassword length requirements depend on the type of user. Some systems may have more specific requirements on the number of characters allowed.\u003c/p\u003e\u003cul\u003e\u003cli\u003eRegular users: at least 8 characters\u003c/li\u003e\u003cli\u003eAdministrators or privileged users: at least 15 characters\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eComplexity requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe complexity of your password is measured by these four character categories:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA - Z\u003c/li\u003e\u003cli\u003ea - z\u003c/li\u003e\u003cli\u003e0 - 9\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor High Risk systems, use at least 3 of the 3 categories listed above.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePassword history\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou can re-use a password only after you have a “password history” of a certain size — meaning you have used a certain number of new passwords before repeating an old one. The password history size requirements before repeating a password are:\u003c/p\u003e\u003cul\u003e\u003cli\u003e12 for High Risk systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSystem requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen handling passwords, the system must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStore and transmit only encrypted versions of passwords\u003c/li\u003e\u003cli\u003eAllow the use of a temporary password for first-time system logins, with the directive to immediately change to a permanent password\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor some systems, the operating environment forces a minimum number of changed characters when new passwords are created. In that case, set the value at:\u003c/p\u003e\u003cul\u003e\u003cli\u003e12 changed characters for High Risk systems\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eModerate or Low impact systems\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eGeneral requirements\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePasswords must not contain dictionary names or words.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eLength requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ePassword length requirements depend on the type of user. Some systems may have more specific requirements on the number of characters allowed.\u003c/p\u003e\u003cul\u003e\u003cli\u003eRegular users: at least 8 characters\u003c/li\u003e\u003cli\u003eAdministrators or privileged users: at least 15 characters\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eComplexity requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe complexity of your password is measured by these four character categories:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA - Z\u003c/li\u003e\u003cli\u003ea - z\u003c/li\u003e\u003cli\u003e0 - 9\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor Moderate or Low Risk systems, using more than one category is optional.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePassword history\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou can re-use a password only after you have a “password history” of a certain size — meaning you have used a certain number of new passwords before repeating an old one. The password history size requirements before repeating a password are:\u003c/p\u003e\u003cul\u003e\u003cli\u003e6 for Moderate or Low impact systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSystem requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen handling passwords, the system must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStore and transmit only encrypted versions of passwords\u003c/li\u003e\u003cli\u003eAllow the use of a temporary password for first-time system logins, with the directive to immediately change to a permanent password\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor some systems, the operating environment forces a minimum number of changed characters when new passwords are created. In that case, set the values at:\u003c/p\u003e\u003cul\u003e\u003cli\u003e6 changed characters for Moderate or Low Risk systems\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eNon-standard account authentication\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eFor non-standard account-authenticator management, refer to the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/RMH_VIII_3-1_Authentication.pdf\"\u003eCMS Risk Management Handbook, Vol. 3, Standard 4.3: \u003cem\u003eNon-Standard Authenticator Management\u003c/em\u003e.\u003c/a\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eReference\u003c/strong\u003e\u003c/h2\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS control IA 05(01)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"19:T11f1,"])</script><script>self.__next_f.push([1,"\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/federal-information-systems-management-act-fisma\"\u003eFederal Information Security Management Act (FISMA)\u003c/a\u003e and \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFederal Information Processing Standard (FIPS) Publication 199 Standards for Security Categorization of Federal Information and Information Systems\u003c/a\u003e define three levels of potential impact on organizations or individuals in the event of a security breach: low, moderate, and high.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAt CMS, password requirements for CMS systems vary depending on the systems designated impact level. The requirements for standard account management are described below based on impact level.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHigh impact systems\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eGeneral requirements\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePasswords must not contain dictionary names or words.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eLength requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ePassword length requirements depend on the type of user. Some systems may have more specific requirements on the number of characters allowed.\u003c/p\u003e\u003cul\u003e\u003cli\u003eRegular users: at least 8 characters\u003c/li\u003e\u003cli\u003eAdministrators or privileged users: at least 15 characters\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eComplexity requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe complexity of your password is measured by these four character categories:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA - Z\u003c/li\u003e\u003cli\u003ea - z\u003c/li\u003e\u003cli\u003e0 - 9\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor High Risk systems, use at least 3 of the 3 categories listed above.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePassword history\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou can re-use a password only after you have a “password history” of a certain size — meaning you have used a certain number of new passwords before repeating an old one. The password history size requirements before repeating a password are:\u003c/p\u003e\u003cul\u003e\u003cli\u003e12 for High Risk systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSystem requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen handling passwords, the system must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStore and transmit only encrypted versions of passwords\u003c/li\u003e\u003cli\u003eAllow the use of a temporary password for first-time system logins, with the directive to immediately change to a permanent password\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor some systems, the operating environment forces a minimum number of changed characters when new passwords are created. In that case, set the value at:\u003c/p\u003e\u003cul\u003e\u003cli\u003e12 changed characters for High Risk systems\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eModerate or Low impact systems\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eGeneral requirements\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePasswords must not contain dictionary names or words.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eLength requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ePassword length requirements depend on the type of user. Some systems may have more specific requirements on the number of characters allowed.\u003c/p\u003e\u003cul\u003e\u003cli\u003eRegular users: at least 8 characters\u003c/li\u003e\u003cli\u003eAdministrators or privileged users: at least 15 characters\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eComplexity requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe complexity of your password is measured by these four character categories:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA - Z\u003c/li\u003e\u003cli\u003ea - z\u003c/li\u003e\u003cli\u003e0 - 9\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor Moderate or Low Risk systems, using more than one category is optional.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePassword history\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou can re-use a password only after you have a “password history” of a certain size — meaning you have used a certain number of new passwords before repeating an old one. The password history size requirements before repeating a password are:\u003c/p\u003e\u003cul\u003e\u003cli\u003e6 for Moderate or Low impact systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSystem requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen handling passwords, the system must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStore and transmit only encrypted versions of passwords\u003c/li\u003e\u003cli\u003eAllow the use of a temporary password for first-time system logins, with the directive to immediately change to a permanent password\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor some systems, the operating environment forces a minimum number of changed characters when new passwords are created. In that case, set the values at:\u003c/p\u003e\u003cul\u003e\u003cli\u003e6 changed characters for Moderate or Low Risk systems\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eNon-standard account authentication\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eFor non-standard account-authenticator management, refer to the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/RMH_VIII_3-1_Authentication.pdf\"\u003eCMS Risk Management Handbook, Vol. 3, Standard 4.3: \u003cem\u003eNon-Standard Authenticator Management\u003c/em\u003e.\u003c/a\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eReference\u003c/strong\u003e\u003c/h2\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS control IA 05(01)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1a:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. Business Owners must review all controls since all are relevant and should be considered even if they are not required to implement because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS- wide information security program. HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to \u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS information and information systems is the primary purpose of the CMS information security and privacy assurance program. In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. CMS systems are also subject to technical security protections defined under CMS other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owners due diligence and due care to incorporate additional controls to mitigate risk. The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. \u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which are based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g. AC-2(1), AC- 2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency in which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency in which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. This results in a clearer and more detailed understanding of requirement specifics to assist the organization meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the systems mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEmergency and Temporary accounts (to provide emergency/temporary access) Shared/group accounts are not permitted under the XYZ Program. . ..\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program;\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization is requiring a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow provides three examples of controls being identified as not applicable in the example environment. The first two are security controls: Control AC-18 (Wireless Access) and PE- 13 (Emergency Lighting). This same process applies to control enhancements. As was stated in the previous section, the examples are for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization monitors for unauthorized wireless access to information systems and prohibits the installation of wireless access points (WAP) to information systems unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative. If wireless access is authorized, the organization:\u003c/p\u003e\u003cp\u003ea. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;\u003c/p\u003e\u003cp\u003eb. Authorizes wireless access to the information system prior to allowing such connections;\u003c/p\u003e\u003cp\u003ec. The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention |Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"1b:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. Business Owners must review all controls since all are relevant and should be considered even if they are not required to implement because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS- wide information security program. HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to \u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS information and information systems is the primary purpose of the CMS information security and privacy assurance program. In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. CMS systems are also subject to technical security protections defined under CMS other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owners due diligence and due care to incorporate additional controls to mitigate risk. The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. \u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which are based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g. AC-2(1), AC- 2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency in which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency in which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. This results in a clearer and more detailed understanding of requirement specifics to assist the organization meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the systems mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEmergency and Temporary accounts (to provide emergency/temporary access) Shared/group accounts are not permitted under the XYZ Program. . ..\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program;\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization is requiring a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow provides three examples of controls being identified as not applicable in the example environment. The first two are security controls: Control AC-18 (Wireless Access) and PE- 13 (Emergency Lighting). This same process applies to control enhancements. As was stated in the previous section, the examples are for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization monitors for unauthorized wireless access to information systems and prohibits the installation of wireless access points (WAP) to information systems unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative. If wireless access is authorized, the organization:\u003c/p\u003e\u003cp\u003ea. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;\u003c/p\u003e\u003cp\u003eb. Authorizes wireless access to the information system prior to allowing such connections;\u003c/p\u003e\u003cp\u003ec. The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention |Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"1e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1d:{\"self\":\"$1e\"}\n21:[\"menu_ui\",\"scheduler\"]\n20:{\"module\":\"$21\"}\n24:[]\n23:{\"available_menus\":\"$24\",\"parent\":\"\"}\n25:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n22:{\"menu_ui\":\"$23\",\"scheduler\":\"$25\"}\n1f:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$20\",\"third_party_settings\":\"$22\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1c:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1d\",\"attributes\":\"$1f\"}\n28:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}\n27:{\"self\":\"$28\"}\n29:{\"display_name\":\"jcallan - retired\"}\n26:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":\"$27\",\"attributes\":\"$29\"}\n2c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n2b:{\"self\":\"$2c\"}\n2d:{\"display_name\":\"meg - retired\"}\n2a:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$2b\",\"attributes\":\"$2d\"}\n30:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}\n2f:{\"self\":\"$30\"}\n32:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n31:{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04"])</script><script>self.__next_f.push([1,":03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$32\"}\n36:{\"drupal_internal__target_id\":\"resource_type\"}\n35:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$36\"}\n38:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"}\n39:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}\n37:{\"related\":\"$38\",\"self\":\"$39\"}\n34:{\"data\":\"$35\",\"links\":\"$37\"}\n3c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"}\n3d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}\n3b:{\"related\":\"$3c\",\"self\":\"$3d\"}\n3a:{\"data\":null,\"links\":\"$3b\"}\n44:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n43:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$44\"}\n42:{\"help\":\"$43\"}\n41:{\"links\":\"$42\"}\n40:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$41\"}\n3f:[\"$40\"]\n46:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"}\n47:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}\n45:{\"related\":\"$46\",\"self\":\"$47\"}\n3e:{\"data\":\"$3f\",\"links\":\"$45\"}\n33:{\"vid\":\"$34\",\"revision_user\":\"$3a\",\"parent\":\"$3e\"}\n2e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":\"$2f\",\"attributes\":\"$31\",\"relationships\":\"$33\"}\n4a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}\n49:{\"self\":\"$4a\"}\n4c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4b:{\"dru"])</script><script>self.__next_f.push([1,"pal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4c\"}\n50:{\"drupal_internal__target_id\":\"topics\"}\n4f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$50\"}\n52:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"}\n53:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}\n51:{\"related\":\"$52\",\"self\":\"$53\"}\n4e:{\"data\":\"$4f\",\"links\":\"$51\"}\n56:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"}\n57:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}\n55:{\"related\":\"$56\",\"self\":\"$57\"}\n54:{\"data\":null,\"links\":\"$55\"}\n5e:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n5d:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5e\"}\n5c:{\"help\":\"$5d\"}\n5b:{\"links\":\"$5c\"}\n5a:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$5b\"}\n59:[\"$5a\"]\n60:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"}\n61:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}\n5f:{\"related\":\"$60\",\"self\":\"$61\"}\n58:{\"data\":\"$59\",\"links\":\"$5f\"}\n4d:{\"vid\":\"$4e\",\"revision_user\":\"$54\",\"parent\":\"$58\"}\n48:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":\"$49\",\"attributes\":\"$4b\",\"relationships\":\"$4d\"}\n64:{\"href\":\"https://cybergeek.cms.gov/jsonapi/par"])</script><script>self.__next_f.push([1,"agraph/page_section/42d54085-a88e-4463-92e1-46b5ce7f4e63?resourceVersion=id%3A19127\"}\n63:{\"self\":\"$64\"}\n66:[]\n68:T11f1,"])</script><script>self.__next_f.push([1,"\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/federal-information-systems-management-act-fisma\"\u003eFederal Information Security Management Act (FISMA)\u003c/a\u003e and \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFederal Information Processing Standard (FIPS) Publication 199 Standards for Security Categorization of Federal Information and Information Systems\u003c/a\u003e define three levels of potential impact on organizations or individuals in the event of a security breach: low, moderate, and high.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAt CMS, password requirements for CMS systems vary depending on the systems designated impact level. The requirements for standard account management are described below based on impact level.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHigh impact systems\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eGeneral requirements\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePasswords must not contain dictionary names or words.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eLength requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ePassword length requirements depend on the type of user. Some systems may have more specific requirements on the number of characters allowed.\u003c/p\u003e\u003cul\u003e\u003cli\u003eRegular users: at least 8 characters\u003c/li\u003e\u003cli\u003eAdministrators or privileged users: at least 15 characters\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eComplexity requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe complexity of your password is measured by these four character categories:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA - Z\u003c/li\u003e\u003cli\u003ea - z\u003c/li\u003e\u003cli\u003e0 - 9\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor High Risk systems, use at least 3 of the 3 categories listed above.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePassword history\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou can re-use a password only after you have a “password history” of a certain size — meaning you have used a certain number of new passwords before repeating an old one. The password history size requirements before repeating a password are:\u003c/p\u003e\u003cul\u003e\u003cli\u003e12 for High Risk systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSystem requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen handling passwords, the system must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStore and transmit only encrypted versions of passwords\u003c/li\u003e\u003cli\u003eAllow the use of a temporary password for first-time system logins, with the directive to immediately change to a permanent password\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor some systems, the operating environment forces a minimum number of changed characters when new passwords are created. In that case, set the value at:\u003c/p\u003e\u003cul\u003e\u003cli\u003e12 changed characters for High Risk systems\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eModerate or Low impact systems\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eGeneral requirements\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePasswords must not contain dictionary names or words.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eLength requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ePassword length requirements depend on the type of user. Some systems may have more specific requirements on the number of characters allowed.\u003c/p\u003e\u003cul\u003e\u003cli\u003eRegular users: at least 8 characters\u003c/li\u003e\u003cli\u003eAdministrators or privileged users: at least 15 characters\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eComplexity requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe complexity of your password is measured by these four character categories:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA - Z\u003c/li\u003e\u003cli\u003ea - z\u003c/li\u003e\u003cli\u003e0 - 9\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor Moderate or Low Risk systems, using more than one category is optional.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePassword history\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou can re-use a password only after you have a “password history” of a certain size — meaning you have used a certain number of new passwords before repeating an old one. The password history size requirements before repeating a password are:\u003c/p\u003e\u003cul\u003e\u003cli\u003e6 for Moderate or Low impact systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSystem requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen handling passwords, the system must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStore and transmit only encrypted versions of passwords\u003c/li\u003e\u003cli\u003eAllow the use of a temporary password for first-time system logins, with the directive to immediately change to a permanent password\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor some systems, the operating environment forces a minimum number of changed characters when new passwords are created. In that case, set the values at:\u003c/p\u003e\u003cul\u003e\u003cli\u003e6 changed characters for Moderate or Low Risk systems\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eNon-standard account authentication\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eFor non-standard account-authenticator management, refer to the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/RMH_VIII_3-1_Authentication.pdf\"\u003eCMS Risk Management Handbook, Vol. 3, Standard 4.3: \u003cem\u003eNon-Standard Authenticator Management\u003c/em\u003e.\u003c/a\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eReference\u003c/strong\u003e\u003c/h2\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS control IA 05(01)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"69:T11f1,"])</script><script>self.__next_f.push([1,"\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/federal-information-systems-management-act-fisma\"\u003eFederal Information Security Management Act (FISMA)\u003c/a\u003e and \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFederal Information Processing Standard (FIPS) Publication 199 Standards for Security Categorization of Federal Information and Information Systems\u003c/a\u003e define three levels of potential impact on organizations or individuals in the event of a security breach: low, moderate, and high.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAt CMS, password requirements for CMS systems vary depending on the systems designated impact level. The requirements for standard account management are described below based on impact level.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHigh impact systems\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eGeneral requirements\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePasswords must not contain dictionary names or words.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eLength requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ePassword length requirements depend on the type of user. Some systems may have more specific requirements on the number of characters allowed.\u003c/p\u003e\u003cul\u003e\u003cli\u003eRegular users: at least 8 characters\u003c/li\u003e\u003cli\u003eAdministrators or privileged users: at least 15 characters\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eComplexity requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe complexity of your password is measured by these four character categories:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA - Z\u003c/li\u003e\u003cli\u003ea - z\u003c/li\u003e\u003cli\u003e0 - 9\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor High Risk systems, use at least 3 of the 3 categories listed above.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePassword history\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou can re-use a password only after you have a “password history” of a certain size — meaning you have used a certain number of new passwords before repeating an old one. The password history size requirements before repeating a password are:\u003c/p\u003e\u003cul\u003e\u003cli\u003e12 for High Risk systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSystem requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen handling passwords, the system must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStore and transmit only encrypted versions of passwords\u003c/li\u003e\u003cli\u003eAllow the use of a temporary password for first-time system logins, with the directive to immediately change to a permanent password\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor some systems, the operating environment forces a minimum number of changed characters when new passwords are created. In that case, set the value at:\u003c/p\u003e\u003cul\u003e\u003cli\u003e12 changed characters for High Risk systems\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eModerate or Low impact systems\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eGeneral requirements\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePasswords must not contain dictionary names or words.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eLength requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ePassword length requirements depend on the type of user. Some systems may have more specific requirements on the number of characters allowed.\u003c/p\u003e\u003cul\u003e\u003cli\u003eRegular users: at least 8 characters\u003c/li\u003e\u003cli\u003eAdministrators or privileged users: at least 15 characters\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eComplexity requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe complexity of your password is measured by these four character categories:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA - Z\u003c/li\u003e\u003cli\u003ea - z\u003c/li\u003e\u003cli\u003e0 - 9\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor Moderate or Low Risk systems, using more than one category is optional.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePassword history\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou can re-use a password only after you have a “password history” of a certain size — meaning you have used a certain number of new passwords before repeating an old one. The password history size requirements before repeating a password are:\u003c/p\u003e\u003cul\u003e\u003cli\u003e6 for Moderate or Low impact systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSystem requirements\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen handling passwords, the system must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStore and transmit only encrypted versions of passwords\u003c/li\u003e\u003cli\u003eAllow the use of a temporary password for first-time system logins, with the directive to immediately change to a permanent password\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor some systems, the operating environment forces a minimum number of changed characters when new passwords are created. In that case, set the values at:\u003c/p\u003e\u003cul\u003e\u003cli\u003e6 changed characters for Moderate or Low Risk systems\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eNon-standard account authentication\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eFor non-standard account-authenticator management, refer to the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/RMH_VIII_3-1_Authentication.pdf\"\u003eCMS Risk Management Handbook, Vol. 3, Standard 4.3: \u003cem\u003eNon-Standard Authenticator Management\u003c/em\u003e.\u003c/a\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eReference\u003c/strong\u003e\u003c/h2\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS control IA 05(01)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"67:{\"value\":\"$68\",\"format\":\"body_text\",\"processed\":\"$69\"}\n65:{\"drupal_internal__id\":2901,\"drupal_internal__revision_id\":19127,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-05-01T16:32:51+00:00\",\"parent_id\":\"911\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$66\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$67\"}\n6d:{\"drupal_internal__target_id\":\"page_section\"}\n6c:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$6d\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/42d54085-a88e-4463-92e1-46b5ce7f4e63/paragraph_type?resourceVersion=id%3A19127\"}\n70:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/42d54085-a88e-4463-92e1-46b5ce7f4e63/relationships/paragraph_type?resourceVersion=id%3A19127\"}\n6e:{\"related\":\"$6f\",\"self\":\"$70\"}\n6b:{\"data\":\"$6c\",\"links\":\"$6e\"}\n73:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/42d54085-a88e-4463-92e1-46b5ce7f4e63/field_specialty_item?resourceVersion=id%3A19127\"}\n74:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/42d54085-a88e-4463-92e1-46b5ce7f4e63/relationships/field_specialty_item?resourceVersion=id%3A19127\"}\n72:{\"related\":\"$73\",\"self\":\"$74\"}\n71:{\"data\":null,\"links\":\"$72\"}\n6a:{\"paragraph_type\":\"$6b\",\"field_specialty_item\":\"$71\"}\n62:{\"type\":\"paragraph--page_section\",\"id\":\"42d54085-a88e-4463-92e1-46b5ce7f4e63\",\"links\":\"$63\",\"attributes\":\"$65\",\"relationships\":\"$6a\"}\n77:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bda9c180-ead9-4b1c-9bad-c3e2192c9608?resourceVersion=id%3A19128\"}\n76:{\"self\":\"$77\"}\n79:[]\n78:{\"drupal_internal__id\":2906,\"drupal_internal__revision_id\":19128,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-05-01T16:32:51+00:00\",\"parent_id\":\"911\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$79\",\"default_langcode\":true,\"revision_translation_affected\":true}\n7d:{\"drupal_internal__target_id\":\"internal_link\"}\n7c:{\"type\":\"paragraphs_"])</script><script>self.__next_f.push([1,"type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$7d\"}\n7f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bda9c180-ead9-4b1c-9bad-c3e2192c9608/paragraph_type?resourceVersion=id%3A19128\"}\n80:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bda9c180-ead9-4b1c-9bad-c3e2192c9608/relationships/paragraph_type?resourceVersion=id%3A19128\"}\n7e:{\"related\":\"$7f\",\"self\":\"$80\"}\n7b:{\"data\":\"$7c\",\"links\":\"$7e\"}\n83:{\"drupal_internal__target_id\":631}\n82:{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"meta\":\"$83\"}\n85:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bda9c180-ead9-4b1c-9bad-c3e2192c9608/field_link?resourceVersion=id%3A19128\"}\n86:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bda9c180-ead9-4b1c-9bad-c3e2192c9608/relationships/field_link?resourceVersion=id%3A19128\"}\n84:{\"related\":\"$85\",\"self\":\"$86\"}\n81:{\"data\":\"$82\",\"links\":\"$84\"}\n7a:{\"paragraph_type\":\"$7b\",\"field_link\":\"$81\"}\n75:{\"type\":\"paragraph--internal_link\",\"id\":\"bda9c180-ead9-4b1c-9bad-c3e2192c9608\",\"links\":\"$76\",\"attributes\":\"$78\",\"relationships\":\"$7a\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/edda93d2-3864-4522-a266-22b4affe097f?resourceVersion=id%3A19129\"}\n88:{\"self\":\"$89\"}\n8b:[]\n8a:{\"drupal_internal__id\":2911,\"drupal_internal__revision_id\":19129,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-05-01T16:33:01+00:00\",\"parent_id\":\"911\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$8b\",\"default_langcode\":true,\"revision_translation_affected\":true}\n8f:{\"drupal_internal__target_id\":\"internal_link\"}\n8e:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$8f\"}\n91:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/edda93d2-3864-4522-a266-22b4affe097f/paragraph_type?resourceVersion=id%3A19129\"}\n92:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/edda93d2-3864-4522-a266-22b4affe097f/relationships/paragra"])</script><script>self.__next_f.push([1,"ph_type?resourceVersion=id%3A19129\"}\n90:{\"related\":\"$91\",\"self\":\"$92\"}\n8d:{\"data\":\"$8e\",\"links\":\"$90\"}\n95:{\"drupal_internal__target_id\":316}\n94:{\"type\":\"node--explainer\",\"id\":\"a0111527-6756-4576-8c52-5a7f3a032b20\",\"meta\":\"$95\"}\n97:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/edda93d2-3864-4522-a266-22b4affe097f/field_link?resourceVersion=id%3A19129\"}\n98:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/edda93d2-3864-4522-a266-22b4affe097f/relationships/field_link?resourceVersion=id%3A19129\"}\n96:{\"related\":\"$97\",\"self\":\"$98\"}\n93:{\"data\":\"$94\",\"links\":\"$96\"}\n8c:{\"paragraph_type\":\"$8d\",\"field_link\":\"$93\"}\n87:{\"type\":\"paragraph--internal_link\",\"id\":\"edda93d2-3864-4522-a266-22b4affe097f\",\"links\":\"$88\",\"attributes\":\"$8a\",\"relationships\":\"$8c\"}\n9b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c564b568-108c-488a-ac37-42265ce7a222?resourceVersion=id%3A19130\"}\n9a:{\"self\":\"$9b\"}\n9d:[]\n9c:{\"drupal_internal__id\":2916,\"drupal_internal__revision_id\":19130,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-05-01T16:33:14+00:00\",\"parent_id\":\"911\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$9d\",\"default_langcode\":true,\"revision_translation_affected\":true}\na1:{\"drupal_internal__target_id\":\"internal_link\"}\na0:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$a1\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c564b568-108c-488a-ac37-42265ce7a222/paragraph_type?resourceVersion=id%3A19130\"}\na4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c564b568-108c-488a-ac37-42265ce7a222/relationships/paragraph_type?resourceVersion=id%3A19130\"}\na2:{\"related\":\"$a3\",\"self\":\"$a4\"}\n9f:{\"data\":\"$a0\",\"links\":\"$a2\"}\na7:{\"drupal_internal__target_id\":261}\na6:{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"meta\":\"$a7\"}\na9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c564b568-108c-488a-ac37-42265ce7a222/field_link?resourceVers"])</script><script>self.__next_f.push([1,"ion=id%3A19130\"}\naa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c564b568-108c-488a-ac37-42265ce7a222/relationships/field_link?resourceVersion=id%3A19130\"}\na8:{\"related\":\"$a9\",\"self\":\"$aa\"}\na5:{\"data\":\"$a6\",\"links\":\"$a8\"}\n9e:{\"paragraph_type\":\"$9f\",\"field_link\":\"$a5\"}\n99:{\"type\":\"paragraph--internal_link\",\"id\":\"c564b568-108c-488a-ac37-42265ce7a222\",\"links\":\"$9a\",\"attributes\":\"$9c\",\"relationships\":\"$9e\"}\nad:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb?resourceVersion=id%3A5771\"}\nac:{\"self\":\"$ad\"}\naf:{\"alias\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"pid\":621,\"langcode\":\"en\"}\nb1:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. Business Owners must review all controls since all are relevant and should be considered even if they are not required to implement because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS- wide information security program. HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to \u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS information and information systems is the primary purpose of the CMS information security and privacy assurance program. In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. CMS systems are also subject to technical security protections defined under CMS other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owners due diligence and due care to incorporate additional controls to mitigate risk. The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. \u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which are based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g. AC-2(1), AC- 2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency in which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency in which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. This results in a clearer and more detailed understanding of requirement specifics to assist the organization meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the systems mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEmergency and Temporary accounts (to provide emergency/temporary access) Shared/group accounts are not permitted under the XYZ Program. . ..\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program;\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization is requiring a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow provides three examples of controls being identified as not applicable in the example environment. The first two are security controls: Control AC-18 (Wireless Access) and PE- 13 (Emergency Lighting). This same process applies to control enhancements. As was stated in the previous section, the examples are for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization monitors for unauthorized wireless access to information systems and prohibits the installation of wireless access points (WAP) to information systems unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative. If wireless access is authorized, the organization:\u003c/p\u003e\u003cp\u003ea. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;\u003c/p\u003e\u003cp\u003eb. Authorizes wireless access to the information system prior to allowing such connections;\u003c/p\u003e\u003cp\u003ec. The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention |Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"b2:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. Business Owners must review all controls since all are relevant and should be considered even if they are not required to implement because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS- wide information security program. HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to \u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS information and information systems is the primary purpose of the CMS information security and privacy assurance program. In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. CMS systems are also subject to technical security protections defined under CMS other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owners due diligence and due care to incorporate additional controls to mitigate risk. The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. \u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which are based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g. AC-2(1), AC- 2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency in which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency in which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. This results in a clearer and more detailed understanding of requirement specifics to assist the organization meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the systems mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEmergency and Temporary accounts (to provide emergency/temporary access) Shared/group accounts are not permitted under the XYZ Program. . ..\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program;\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization is requiring a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow provides three examples of controls being identified as not applicable in the example environment. The first two are security controls: Control AC-18 (Wireless Access) and PE- 13 (Emergency Lighting). This same process applies to control enhancements. As was stated in the previous section, the examples are for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization monitors for unauthorized wireless access to information systems and prohibits the installation of wireless access points (WAP) to information systems unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative. If wireless access is authorized, the organization:\u003c/p\u003e\u003cp\u003ea. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;\u003c/p\u003e\u003cp\u003eb. Authorizes wireless access to the information system prior to allowing such connections;\u003c/p\u003e\u003cp\u003ec. The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention |Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"b0:{\"value\":\"$b1\",\"format\":\"body_text\",\"processed\":\"$b2\",\"summary\":\"\"}\nb5:[]\nb4:{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2) \",\"options\":\"$b5\",\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"}\nb7:[]\nb6:{\"uri\":\"entity:node/681\",\"title\":\"CMS Security and Privacy Handbooks\",\"options\":\"$b7\",\"url\":\"/learn/cms-security-and-privacy-handbooks\"}\nb3:[\"$b4\",\"$b6\"]\nb8:{\"value\":\"Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eStandards for the minimum security and privacy controls required to mitigate risk for CMS information systems\u003c/p\u003e\\n\"}\nae:{\"drupal_internal__nid\":631,\"drupal_internal__vid\":5771,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T16:01:58+00:00\",\"status\":true,\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"created\":\"2023-01-17T18:18:03+00:00\",\"changed\":\"2024-08-05T16:01:58+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$af\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$b0\",\"field_contact_email\":\"CISO@cms.hhs.org\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2022-04-22\",\"field_related_resources\":\"$b3\",\"field_short_description\":\"$b8\"}\nbc:{\"drupal_internal__target_id\":\"library\"}\nbb:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":\"$bc\"}\nbe:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/node_type?resourceVersion=id%3A5771\"}\nbf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/node_type?resourceVersion=id%3A5771\"}\nbd:{\"related\":\"$be\",\"self\":\"$bf\"}\nba:{\"data\":\"$bb\",\"links\":\"$bd\"}\nc2:{\"drupal_internal__target_id\":159}\nc1:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":\"$c2\"}\nc"])</script><script>self.__next_f.push([1,"4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/revision_uid?resourceVersion=id%3A5771\"}\nc5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/revision_uid?resourceVersion=id%3A5771\"}\nc3:{\"related\":\"$c4\",\"self\":\"$c5\"}\nc0:{\"data\":\"$c1\",\"links\":\"$c3\"}\nc8:{\"drupal_internal__target_id\":6}\nc7:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$c8\"}\nca:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/uid?resourceVersion=id%3A5771\"}\ncb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/uid?resourceVersion=id%3A5771\"}\nc9:{\"related\":\"$ca\",\"self\":\"$cb\"}\nc6:{\"data\":\"$c7\",\"links\":\"$c9\"}\nce:{\"drupal_internal__target_id\":96}\ncd:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"meta\":\"$ce\"}\nd0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_resource_type?resourceVersion=id%3A5771\"}\nd1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_resource_type?resourceVersion=id%3A5771\"}\ncf:{\"related\":\"$d0\",\"self\":\"$d1\"}\ncc:{\"data\":\"$cd\",\"links\":\"$cf\"}\nd5:{\"drupal_internal__target_id\":66}\nd4:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$d5\"}\nd7:{\"drupal_internal__target_id\":81}\nd6:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\"$d7\"}\nd9:{\"drupal_internal__target_id\":61}\nd8:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$d9\"}\ndb:{\"drupal_internal__target_id\":76}\nda:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$db\"}\ndd:{\"drupal_internal__target_id\":71}\ndc:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$dd\"}\nd3:[\"$d4\",\"$d6\",\"$d8\",\"$da\",\"$dc\"]\ndf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/libra"])</script><script>self.__next_f.push([1,"ry/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_roles?resourceVersion=id%3A5771\"}\ne0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_roles?resourceVersion=id%3A5771\"}\nde:{\"related\":\"$df\",\"self\":\"$e0\"}\nd2:{\"data\":\"$d3\",\"links\":\"$de\"}\ne4:{\"drupal_internal__target_id\":16}\ne3:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$e4\"}\ne6:{\"drupal_internal__target_id\":36}\ne5:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$e6\"}\ne2:[\"$e3\",\"$e5\"]\ne8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_topics?resourceVersion=id%3A5771\"}\ne9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_topics?resourceVersion=id%3A5771\"}\ne7:{\"related\":\"$e8\",\"self\":\"$e9\"}\ne1:{\"data\":\"$e2\",\"links\":\"$e7\"}\nb9:{\"node_type\":\"$ba\",\"revision_uid\":\"$c0\",\"uid\":\"$c6\",\"field_resource_type\":\"$cc\",\"field_roles\":\"$d2\",\"field_topics\":\"$e1\"}\nab:{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"links\":\"$ac\",\"attributes\":\"$ae\",\"relationships\":\"$b9\"}\nec:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20?resourceVersion=id%3A5748\"}\neb:{\"self\":\"$ec\"}\nee:{\"alias\":\"/learn/federal-information-security-modernization-act-fisma\",\"pid\":306,\"langcode\":\"en\"}\nef:{\"value\":\"FISMA is federal legislation that defines a framework of guidelines and security standards to protect government information and operations\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eFISMA is federal legislation that defines a framework of guidelines and security standards to protect government information and operations\u003c/p\u003e\\n\"}\nf0:[\"#ispg-sec_privacy-policy\"]\ned:{\"drupal_internal__nid\":316,\"drupal_internal__vid\":5748,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T15:50:25+00:00\",\"status\":true,\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"created\":\"2022-08-29T15:11:08+00:00\",\"changed\":\""])</script><script>self.__next_f.push([1,"2024-08-05T15:50:25+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$ee\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":\"$ef\",\"field_slack_channel\":\"$f0\"}\nf4:{\"drupal_internal__target_id\":\"explainer\"}\nf3:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$f4\"}\nf6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/node_type?resourceVersion=id%3A5748\"}\nf7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/node_type?resourceVersion=id%3A5748\"}\nf5:{\"related\":\"$f6\",\"self\":\"$f7\"}\nf2:{\"data\":\"$f3\",\"links\":\"$f5\"}\nfa:{\"drupal_internal__target_id\":159}\nf9:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":\"$fa\"}\nfc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/revision_uid?resourceVersion=id%3A5748\"}\nfd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/revision_uid?resourceVersion=id%3A5748\"}\nfb:{\"related\":\"$fc\",\"self\":\"$fd\"}\nf8:{\"data\":\"$f9\",\"links\":\"$fb\"}\n100:{\"drupal_internal__target_id\":26}\nff:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$100\"}\n102:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/uid?resourceVersion=id%3A5748\"}\n103:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/uid?resourceVersion=id%3A5748\"}\n101:{\"related\":\"$102\",\"self\":\"$103\"}\nfe:{\"data\":\"$ff\",\"links\":\"$101\"}\n107:{\"target_revision_id\":19016,\"drupal_internal__target_id\":1146}\n106:{\"type\":\"paragraph--page_section\",\"id\":\"4ffd074a-8ca7-41ad-8c6c-d270330af3fa\",\"meta\":\"$1"])</script><script>self.__next_f.push([1,"07\"}\n105:[\"$106\"]\n109:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_page_section?resourceVersion=id%3A5748\"}\n10a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_page_section?resourceVersion=id%3A5748\"}\n108:{\"related\":\"$109\",\"self\":\"$10a\"}\n104:{\"data\":\"$105\",\"links\":\"$108\"}\n10e:{\"target_revision_id\":19017,\"drupal_internal__target_id\":1941}\n10d:{\"type\":\"paragraph--internal_link\",\"id\":\"3d88d941-7844-4a24-8d87-b884cf205f36\",\"meta\":\"$10e\"}\n110:{\"target_revision_id\":19018,\"drupal_internal__target_id\":1946}\n10f:{\"type\":\"paragraph--internal_link\",\"id\":\"5087f368-5c99-41a5-b39b-e27bc9df3950\",\"meta\":\"$110\"}\n112:{\"target_revision_id\":19019,\"drupal_internal__target_id\":1951}\n111:{\"type\":\"paragraph--internal_link\",\"id\":\"4b2ee6b4-cbfd-46c8-a65f-9b2b18e1a793\",\"meta\":\"$112\"}\n114:{\"target_revision_id\":19020,\"drupal_internal__target_id\":3517}\n113:{\"type\":\"paragraph--internal_link\",\"id\":\"dd735dee-c392-4312-bc59-7a2163ad21a6\",\"meta\":\"$114\"}\n116:{\"target_revision_id\":19021,\"drupal_internal__target_id\":3518}\n115:{\"type\":\"paragraph--internal_link\",\"id\":\"b88a7b64-a818-4f85-b969-a2f77482f8ce\",\"meta\":\"$116\"}\n10c:[\"$10d\",\"$10f\",\"$111\",\"$113\",\"$115\"]\n118:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_related_collection?resourceVersion=id%3A5748\"}\n119:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_related_collection?resourceVersion=id%3A5748\"}\n117:{\"related\":\"$118\",\"self\":\"$119\"}\n10b:{\"data\":\"$10c\",\"links\":\"$117\"}\n11c:{\"drupal_internal__target_id\":131}\n11b:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$11c\"}\n11e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_resource_type?resourceVersion=id%3A5748\"}\n11f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relations"])</script><script>self.__next_f.push([1,"hips/field_resource_type?resourceVersion=id%3A5748\"}\n11d:{\"related\":\"$11e\",\"self\":\"$11f\"}\n11a:{\"data\":\"$11b\",\"links\":\"$11d\"}\n123:{\"drupal_internal__target_id\":66}\n122:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$123\"}\n125:{\"drupal_internal__target_id\":81}\n124:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\"$125\"}\n127:{\"drupal_internal__target_id\":61}\n126:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$127\"}\n129:{\"drupal_internal__target_id\":76}\n128:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$129\"}\n12b:{\"drupal_internal__target_id\":71}\n12a:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$12b\"}\n121:[\"$122\",\"$124\",\"$126\",\"$128\",\"$12a\"]\n12d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_roles?resourceVersion=id%3A5748\"}\n12e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_roles?resourceVersion=id%3A5748\"}\n12c:{\"related\":\"$12d\",\"self\":\"$12e\"}\n120:{\"data\":\"$121\",\"links\":\"$12c\"}\n132:{\"drupal_internal__target_id\":21}\n131:{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":\"$132\"}\n130:[\"$131\"]\n134:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_topics?resourceVersion=id%3A5748\"}\n135:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_topics?resourceVersion=id%3A5748\"}\n133:{\"related\":\"$134\",\"self\":\"$135\"}\n12f:{\"data\":\"$130\",\"links\":\"$133\"}\nf1:{\"node_type\":\"$f2\",\"revision_uid\":\"$f8\",\"uid\":\"$fe\",\"field_page_section\":\"$104\",\"field_related_collection\":\"$10b\",\"field_resource_type\":\"$11a\",\"field_roles\":\"$120\",\"field_topics\":\"$12f\"}\nea:{\"type\":\"node--explainer\",\"id\":\"a0111527-6756-4576-8c52-5a7f3a032b20\",\"links\":\"$eb\",\"attributes\":\"$ed\",\"relationships\":\"$f1\"}\n138:{\"href\":\"https://cyberg"])</script><script>self.__next_f.push([1,"eek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b?resourceVersion=id%3A5999\"}\n137:{\"self\":\"$138\"}\n13a:{\"alias\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"pid\":251,\"langcode\":\"en\"}\n13b:{\"value\":\"CFACTS is a CMS database that tracks application security deficiencies and POA\u0026Ms, and supports the ATO process\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCFACTS is a CMS database that tracks application security deficiencies and POA\u0026amp;Ms, and supports the ATO process\u003c/p\u003e\\n\"}\n13c:[\"#cfacts_community\"]\n139:{\"drupal_internal__nid\":261,\"drupal_internal__vid\":5999,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-05T18:41:37+00:00\",\"status\":true,\"title\":\"CMS FISMA Continuous Tracking System (CFACTS)\",\"created\":\"2022-08-26T14:57:02+00:00\",\"changed\":\"2024-12-05T18:41:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$13a\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ciso@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team \",\"field_short_description\":\"$13b\",\"field_slack_channel\":\"$13c\"}\n140:{\"drupal_internal__target_id\":\"explainer\"}\n13f:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$140\"}\n142:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/node_type?resourceVersion=id%3A5999\"}\n143:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/node_type?resourceVersion=id%3A5999\"}\n141:{\"related\":\"$142\",\"self\":\"$143\"}\n13e:{\"data\":\"$13f\",\"links\":\"$141\"}\n146:{\"drupal_internal__target_id\":159}\n145:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":\"$146\"}\n148:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/revision_uid?resourceVersion=id%3A5999\"}\n149:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explain"])</script><script>self.__next_f.push([1,"er/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/revision_uid?resourceVersion=id%3A5999\"}\n147:{\"related\":\"$148\",\"self\":\"$149\"}\n144:{\"data\":\"$145\",\"links\":\"$147\"}\n14c:{\"drupal_internal__target_id\":26}\n14b:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$14c\"}\n14e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/uid?resourceVersion=id%3A5999\"}\n14f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/uid?resourceVersion=id%3A5999\"}\n14d:{\"related\":\"$14e\",\"self\":\"$14f\"}\n14a:{\"data\":\"$14b\",\"links\":\"$14d\"}\n153:{\"target_revision_id\":19655,\"drupal_internal__target_id\":2101}\n152:{\"type\":\"paragraph--page_section\",\"id\":\"963db416-cca0-421d-8c3e-40c8e2ce190f\",\"meta\":\"$153\"}\n155:{\"target_revision_id\":19660,\"drupal_internal__target_id\":446}\n154:{\"type\":\"paragraph--page_section\",\"id\":\"9b87eb1d-cb43-472b-9b5b-8618d2688563\",\"meta\":\"$155\"}\n157:{\"target_revision_id\":19666,\"drupal_internal__target_id\":1781}\n156:{\"type\":\"paragraph--page_section\",\"id\":\"122a8de9-c38d-492b-bc93-b43b270f2933\",\"meta\":\"$157\"}\n159:{\"target_revision_id\":19667,\"drupal_internal__target_id\":3468}\n158:{\"type\":\"paragraph--page_section\",\"id\":\"594617c8-824a-4962-aa08-fdf8dd4677fb\",\"meta\":\"$159\"}\n151:[\"$152\",\"$154\",\"$156\",\"$158\"]\n15b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_page_section?resourceVersion=id%3A5999\"}\n15c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_page_section?resourceVersion=id%3A5999\"}\n15a:{\"related\":\"$15b\",\"self\":\"$15c\"}\n150:{\"data\":\"$151\",\"links\":\"$15a\"}\n160:{\"target_revision_id\":19668,\"drupal_internal__target_id\":1816}\n15f:{\"type\":\"paragraph--internal_link\",\"id\":\"76dcb171-ae0a-42ba-b330-b93b63633cdd\",\"meta\":\"$160\"}\n162:{\"target_revision_id\":19669,\"drupal_internal__target_id\":1821}\n161:{\"type\":\"paragraph--internal_link\",\"id\":\"7f340091-9774-491a-817d-0cdfaf0c72d1\",\"meta\":\"$162\"}\n164:{\"target_r"])</script><script>self.__next_f.push([1,"evision_id\":19670,\"drupal_internal__target_id\":1826}\n163:{\"type\":\"paragraph--internal_link\",\"id\":\"4b7486bb-57c5-440b-b07c-54deb80f1ca1\",\"meta\":\"$164\"}\n166:{\"target_revision_id\":19671,\"drupal_internal__target_id\":1831}\n165:{\"type\":\"paragraph--internal_link\",\"id\":\"d72a41d1-1d17-452f-9375-aea58d84e8e7\",\"meta\":\"$166\"}\n168:{\"target_revision_id\":19672,\"drupal_internal__target_id\":3462}\n167:{\"type\":\"paragraph--internal_link\",\"id\":\"726e3057-d549-4d7d-80c7-0f4c5d5f8007\",\"meta\":\"$168\"}\n16a:{\"target_revision_id\":19673,\"drupal_internal__target_id\":3463}\n169:{\"type\":\"paragraph--internal_link\",\"id\":\"dbde5fa8-5137-4df4-af83-a4330e0778c7\",\"meta\":\"$16a\"}\n15e:[\"$15f\",\"$161\",\"$163\",\"$165\",\"$167\",\"$169\"]\n16c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_related_collection?resourceVersion=id%3A5999\"}\n16d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_related_collection?resourceVersion=id%3A5999\"}\n16b:{\"related\":\"$16c\",\"self\":\"$16d\"}\n15d:{\"data\":\"$15e\",\"links\":\"$16b\"}\n170:{\"drupal_internal__target_id\":121}\n16f:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$170\"}\n172:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_resource_type?resourceVersion=id%3A5999\"}\n173:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_resource_type?resourceVersion=id%3A5999\"}\n171:{\"related\":\"$172\",\"self\":\"$173\"}\n16e:{\"data\":\"$16f\",\"links\":\"$171\"}\n177:{\"drupal_internal__target_id\":66}\n176:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$177\"}\n179:{\"drupal_internal__target_id\":61}\n178:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$179\"}\n17b:{\"drupal_internal__target_id\":76}\n17a:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$17b\"}\n17d:{\"drupal_internal__target_id\":71}\n17c:{\"typ"])</script><script>self.__next_f.push([1,"e\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$17d\"}\n175:[\"$176\",\"$178\",\"$17a\",\"$17c\"]\n17f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_roles?resourceVersion=id%3A5999\"}\n180:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_roles?resourceVersion=id%3A5999\"}\n17e:{\"related\":\"$17f\",\"self\":\"$180\"}\n174:{\"data\":\"$175\",\"links\":\"$17e\"}\n184:{\"drupal_internal__target_id\":36}\n183:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$184\"}\n186:{\"drupal_internal__target_id\":11}\n185:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$186\"}\n182:[\"$183\",\"$185\"]\n188:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_topics?resourceVersion=id%3A5999\"}\n189:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_topics?resourceVersion=id%3A5999\"}\n187:{\"related\":\"$188\",\"self\":\"$189\"}\n181:{\"data\":\"$182\",\"links\":\"$187\"}\n13d:{\"node_type\":\"$13e\",\"revision_uid\":\"$144\",\"uid\":\"$14a\",\"field_page_section\":\"$150\",\"field_related_collection\":\"$15d\",\"field_resource_type\":\"$16e\",\"field_roles\":\"$174\",\"field_topics\":\"$181\"}\n136:{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"links\":\"$137\",\"attributes\":\"$139\",\"relationships\":\"$13d\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"35d18a01-1231-42bf-9ba3-87b77b1318e5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5?resourceVersion=id%3A5769\"}},\"attributes\":{\"drupal_internal__nid\":911,\"drupal_internal__vid\":5769,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T16:01:04+00:00\",\"status\":true,\"title\":\"Password Requirements\",\"created\":\"2023-05-01T16:29:50+00:00\",\"changed\":\"2024-08-05T16:01:04+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/password-requirements\",\"pid\":826,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"How to configure passwords when setting up CMS systems\\r\\n\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eHow to configure passwords when setting up CMS systems\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-sec_privacy-policy\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/node_type?resourceVersion=id%3A5769\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/relationships/node_type?resourceVersion=id%3A5769\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/revision_uid?resourceVersion=id%3A5769\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/relationships/revision_uid?resourceVersion=id%3A5769\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/uid?resourceVersion=id%3A5769\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/relationships/uid?resourceVersion=id%3A5769\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"42d54085-a88e-4463-92e1-46b5ce7f4e63\",\"meta\":{\"target_revision_id\":19127,\"drupal_internal__target_id\":2901}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/field_page_section?resourceVersion=id%3A5769\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/relationships/field_page_section?resourceVersion=id%3A5769\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"bda9c180-ead9-4b1c-9bad-c3e2192c9608\",\"meta\":{\"target_revision_id\":19128,\"drupal_internal__target_id\":2906}},{\"type\":\"paragraph--internal_link\",\"id\":\"edda93d2-3864-4522-a266-22b4affe097f\",\"meta\":{\"target_revision_id\":19129,\"drupal_internal__target_id\":2911}},{\"type\":\"paragraph--internal_link\",\"id\":\"c564b568-108c-488a-ac37-42265ce7a222\",\"meta\":{\"target_revision_id\":19130,\"drupal_internal__target_id\":2916}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/field_related_collection?resourceVersion=id%3A5769\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/relationships/field_related_collection?resourceVersion=id%3A5769\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/field_resource_type?resourceVersion=id%3A5769\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/relationships/field_resource_type?resourceVersion=id%3A5769\"}}},\"field_roles\":{\"data\":[],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/field_roles?resourceVersion=id%3A5769\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/relationships/field_roles?resourceVersion=id%3A5769\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/field_topics?resourceVersion=id%3A5769\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35d18a01-1231-42bf-9ba3-87b77b1318e5/relationships/field_topics?resourceVersion=id%3A5769\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}},\"attributes\":{\"display_name\":\"jcallan - retired\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}},\"attributes\":{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}},\"attributes\":{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"42d54085-a88e-4463-92e1-46b5ce7f4e63\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/42d54085-a88e-4463-92e1-46b5ce7f4e63?resourceVersion=id%3A19127\"}},\"attributes\":{\"drupal_internal__id\":2901,\"drupal_internal__revision_id\":19127,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-05-01T16:32:51+00:00\",\"parent_id\":\"911\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/42d54085-a88e-4463-92e1-46b5ce7f4e63/paragraph_type?resourceVersion=id%3A19127\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/42d54085-a88e-4463-92e1-46b5ce7f4e63/relationships/paragraph_type?resourceVersion=id%3A19127\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/42d54085-a88e-4463-92e1-46b5ce7f4e63/field_specialty_item?resourceVersion=id%3A19127\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/42d54085-a88e-4463-92e1-46b5ce7f4e63/relationships/field_specialty_item?resourceVersion=id%3A19127\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"bda9c180-ead9-4b1c-9bad-c3e2192c9608\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bda9c180-ead9-4b1c-9bad-c3e2192c9608?resourceVersion=id%3A19128\"}},\"attributes\":{\"drupal_internal__id\":2906,\"drupal_internal__revision_id\":19128,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-05-01T16:32:51+00:00\",\"parent_id\":\"911\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bda9c180-ead9-4b1c-9bad-c3e2192c9608/paragraph_type?resourceVersion=id%3A19128\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bda9c180-ead9-4b1c-9bad-c3e2192c9608/relationships/paragraph_type?resourceVersion=id%3A19128\"}}},\"field_link\":{\"data\":{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"meta\":{\"drupal_internal__target_id\":631}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bda9c180-ead9-4b1c-9bad-c3e2192c9608/field_link?resourceVersion=id%3A19128\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bda9c180-ead9-4b1c-9bad-c3e2192c9608/relationships/field_link?resourceVersion=id%3A19128\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"edda93d2-3864-4522-a266-22b4affe097f\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/edda93d2-3864-4522-a266-22b4affe097f?resourceVersion=id%3A19129\"}},\"attributes\":{\"drupal_internal__id\":2911,\"drupal_internal__revision_id\":19129,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-05-01T16:33:01+00:00\",\"parent_id\":\"911\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/edda93d2-3864-4522-a266-22b4affe097f/paragraph_type?resourceVersion=id%3A19129\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/edda93d2-3864-4522-a266-22b4affe097f/relationships/paragraph_type?resourceVersion=id%3A19129\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"a0111527-6756-4576-8c52-5a7f3a032b20\",\"meta\":{\"drupal_internal__target_id\":316}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/edda93d2-3864-4522-a266-22b4affe097f/field_link?resourceVersion=id%3A19129\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/edda93d2-3864-4522-a266-22b4affe097f/relationships/field_link?resourceVersion=id%3A19129\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"c564b568-108c-488a-ac37-42265ce7a222\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c564b568-108c-488a-ac37-42265ce7a222?resourceVersion=id%3A19130\"}},\"attributes\":{\"drupal_internal__id\":2916,\"drupal_internal__revision_id\":19130,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-05-01T16:33:14+00:00\",\"parent_id\":\"911\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c564b568-108c-488a-ac37-42265ce7a222/paragraph_type?resourceVersion=id%3A19130\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c564b568-108c-488a-ac37-42265ce7a222/relationships/paragraph_type?resourceVersion=id%3A19130\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"meta\":{\"drupal_internal__target_id\":261}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c564b568-108c-488a-ac37-42265ce7a222/field_link?resourceVersion=id%3A19130\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c564b568-108c-488a-ac37-42265ce7a222/relationships/field_link?resourceVersion=id%3A19130\"}}}}},{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb?resourceVersion=id%3A5771\"}},\"attributes\":{\"drupal_internal__nid\":631,\"drupal_internal__vid\":5771,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T16:01:58+00:00\",\"status\":true,\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"created\":\"2023-01-17T18:18:03+00:00\",\"changed\":\"2024-08-05T16:01:58+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"pid\":621,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.org\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2022-04-22\",\"field_related_resources\":[{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2) \",\"options\":[],\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"},{\"uri\":\"entity:node/681\",\"title\":\"CMS Security and Privacy Handbooks\",\"options\":[],\"url\":\"/learn/cms-security-and-privacy-handbooks\"}],\"field_short_description\":{\"value\":\"Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eStandards for the minimum security and privacy controls required to mitigate risk for CMS information systems\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/node_type?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/node_type?resourceVersion=id%3A5771\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/revision_uid?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/revision_uid?resourceVersion=id%3A5771\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/uid?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/uid?resourceVersion=id%3A5771\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"meta\":{\"drupal_internal__target_id\":96}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_resource_type?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_resource_type?resourceVersion=id%3A5771\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_roles?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_roles?resourceVersion=id%3A5771\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_topics?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_topics?resourceVersion=id%3A5771\"}}}}},{\"type\":\"node--explainer\",\"id\":\"a0111527-6756-4576-8c52-5a7f3a032b20\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20?resourceVersion=id%3A5748\"}},\"attributes\":{\"drupal_internal__nid\":316,\"drupal_internal__vid\":5748,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T15:50:25+00:00\",\"status\":true,\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"created\":\"2022-08-29T15:11:08+00:00\",\"changed\":\"2024-08-05T15:50:25+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/federal-information-security-modernization-act-fisma\",\"pid\":306,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"FISMA is federal legislation that defines a framework of guidelines and security standards to protect government information and operations\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eFISMA is federal legislation that defines a framework of guidelines and security standards to protect government information and operations\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-sec_privacy-policy\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/node_type?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/node_type?resourceVersion=id%3A5748\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/revision_uid?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/revision_uid?resourceVersion=id%3A5748\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/uid?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/uid?resourceVersion=id%3A5748\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"4ffd074a-8ca7-41ad-8c6c-d270330af3fa\",\"meta\":{\"target_revision_id\":19016,\"drupal_internal__target_id\":1146}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_page_section?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_page_section?resourceVersion=id%3A5748\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"3d88d941-7844-4a24-8d87-b884cf205f36\",\"meta\":{\"target_revision_id\":19017,\"drupal_internal__target_id\":1941}},{\"type\":\"paragraph--internal_link\",\"id\":\"5087f368-5c99-41a5-b39b-e27bc9df3950\",\"meta\":{\"target_revision_id\":19018,\"drupal_internal__target_id\":1946}},{\"type\":\"paragraph--internal_link\",\"id\":\"4b2ee6b4-cbfd-46c8-a65f-9b2b18e1a793\",\"meta\":{\"target_revision_id\":19019,\"drupal_internal__target_id\":1951}},{\"type\":\"paragraph--internal_link\",\"id\":\"dd735dee-c392-4312-bc59-7a2163ad21a6\",\"meta\":{\"target_revision_id\":19020,\"drupal_internal__target_id\":3517}},{\"type\":\"paragraph--internal_link\",\"id\":\"b88a7b64-a818-4f85-b969-a2f77482f8ce\",\"meta\":{\"target_revision_id\":19021,\"drupal_internal__target_id\":3518}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_related_collection?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_related_collection?resourceVersion=id%3A5748\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_resource_type?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_resource_type?resourceVersion=id%3A5748\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_roles?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_roles?resourceVersion=id%3A5748\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":{\"drupal_internal__target_id\":21}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_topics?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_topics?resourceVersion=id%3A5748\"}}}}},{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b?resourceVersion=id%3A5999\"}},\"attributes\":{\"drupal_internal__nid\":261,\"drupal_internal__vid\":5999,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-05T18:41:37+00:00\",\"status\":true,\"title\":\"CMS FISMA Continuous Tracking System (CFACTS)\",\"created\":\"2022-08-26T14:57:02+00:00\",\"changed\":\"2024-12-05T18:41:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"pid\":251,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ciso@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team \",\"field_short_description\":{\"value\":\"CFACTS is a CMS database that tracks application security deficiencies and POA\u0026Ms, and supports the ATO process\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCFACTS is a CMS database that tracks application security deficiencies and POA\u0026amp;Ms, and supports the ATO process\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cfacts_community\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/node_type?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/node_type?resourceVersion=id%3A5999\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/revision_uid?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/revision_uid?resourceVersion=id%3A5999\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/uid?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/uid?resourceVersion=id%3A5999\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"963db416-cca0-421d-8c3e-40c8e2ce190f\",\"meta\":{\"target_revision_id\":19655,\"drupal_internal__target_id\":2101}},{\"type\":\"paragraph--page_section\",\"id\":\"9b87eb1d-cb43-472b-9b5b-8618d2688563\",\"meta\":{\"target_revision_id\":19660,\"drupal_internal__target_id\":446}},{\"type\":\"paragraph--page_section\",\"id\":\"122a8de9-c38d-492b-bc93-b43b270f2933\",\"meta\":{\"target_revision_id\":19666,\"drupal_internal__target_id\":1781}},{\"type\":\"paragraph--page_section\",\"id\":\"594617c8-824a-4962-aa08-fdf8dd4677fb\",\"meta\":{\"target_revision_id\":19667,\"drupal_internal__target_id\":3468}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_page_section?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_page_section?resourceVersion=id%3A5999\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"76dcb171-ae0a-42ba-b330-b93b63633cdd\",\"meta\":{\"target_revision_id\":19668,\"drupal_internal__target_id\":1816}},{\"type\":\"paragraph--internal_link\",\"id\":\"7f340091-9774-491a-817d-0cdfaf0c72d1\",\"meta\":{\"target_revision_id\":19669,\"drupal_internal__target_id\":1821}},{\"type\":\"paragraph--internal_link\",\"id\":\"4b7486bb-57c5-440b-b07c-54deb80f1ca1\",\"meta\":{\"target_revision_id\":19670,\"drupal_internal__target_id\":1826}},{\"type\":\"paragraph--internal_link\",\"id\":\"d72a41d1-1d17-452f-9375-aea58d84e8e7\",\"meta\":{\"target_revision_id\":19671,\"drupal_internal__target_id\":1831}},{\"type\":\"paragraph--internal_link\",\"id\":\"726e3057-d549-4d7d-80c7-0f4c5d5f8007\",\"meta\":{\"target_revision_id\":19672,\"drupal_internal__target_id\":3462}},{\"type\":\"paragraph--internal_link\",\"id\":\"dbde5fa8-5137-4df4-af83-a4330e0778c7\",\"meta\":{\"target_revision_id\":19673,\"drupal_internal__target_id\":3463}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_related_collection?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_related_collection?resourceVersion=id%3A5999\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_resource_type?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_resource_type?resourceVersion=id%3A5999\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_roles?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_roles?resourceVersion=id%3A5999\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_topics?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_topics?resourceVersion=id%3A5999\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1c\",\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\":\"$26\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$2a\",\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\":\"$2e\",\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\":\"$48\",\"42d54085-a88e-4463-92e1-46b5ce7f4e63\":\"$62\",\"bda9c180-ead9-4b1c-9bad-c3e2192c9608\":\"$75\",\"edda93d2-3864-4522-a266-22b4affe097f\":\"$87\",\"c564b568-108c-488a-ac37-42265ce7a222\":\"$99\",\"5077403d-f7aa-4bc8-b274-7af05e7134bb\":\"$ab\",\"a0111527-6756-4576-8c52-5a7f3a032b20\":\"$ea\",\"de0901ae-4ea5-491c-badd-90a32da3989b\":\"$136\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Password Requirements | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"How to configure passwords when setting up CMS systems\\r\\n\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/password-requirements\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"Password Requirements | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"How to configure passwords when setting up CMS systems\\r\\n\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/password-requirements\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/password-requirements/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"Password Requirements | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"How to configure passwords when setting up CMS systems\\r\\n\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/password-requirements/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n4:null"])</script><script>self.__next_f.push([1,"\n"])</script></body></html>
Reference in a new issue View git blame Copy permalink