publicdata/cms-gov
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
cms-gov/security.cms.gov/learn/penetration-testing
Scott Williams b906a0e722 Initial commit
2025-02-28 14:41:14 -05:00

1 line
No EOL
364 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>Penetration Testing (PenTesting) | CMS Information Security &amp; Privacy Group</title><meta name="description" content="Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection"/><link rel="canonical" href="https://security.cms.gov/learn/penetration-testing-pentesting"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="Penetration Testing (PenTesting) | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection"/><meta property="og:url" content="https://security.cms.gov/learn/penetration-testing-pentesting"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/penetration-testing-pentesting/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Penetration Testing (PenTesting) | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/penetration-testing-pentesting/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accessibility Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">Penetration Testing (PenTesting)</h1><p class="hero__description">Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">Penetration Testing Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:cmspentestmanagement@cms.hhs.gov">cmspentestmanagement@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 margin-top-0">#ccic_sec_eng_and_soc</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>What is Penetration Testing?&nbsp;</h2><p>Penetration Testing, also known as PenTesting, is the process of identifying and exploiting vulnerabilities in a system. It helps to identify areas where security has been compromised or could be compromised in the future. These tests can help CMS to improve its overall information security posture by exposing weaknesses and providing guidance on steps that can be taken to reduce the risk of attack. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. It often involves launching real attacks on real systems and data, using tools and techniques commonly employed by attackers. Penetration testing can help you determine:</p><ul><li>How well the system tolerates real-world attack patterns</li><li>The likely level of sophistication an attacker needs to successfully compromise the system</li><li>Additional countermeasures that could mitigate threats against the system</li><li>How combinations of vulnerabilities can be used to exploit systems, networks, or applications</li><li>The defenders ability to detect attacks and respond appropriately</li><li>The overall security posture of the target system</li><li>Gaps in the implementation of security measures</li></ul><h2>What types of PenTesting exist?&nbsp;</h2><p>All teams at CMS have the ability to choose either internal or external PenTesting.&nbsp;</p><p>Internal and External PenTesting also known as <strong>Penetration Testing as a Service (PTaaS) </strong> is managed by the <strong>Penetration Testing Team </strong>through the CMS Cybersecurity Integration Center (CCIC). This service offers an in-depth examination of security infrastructure carried out by competent security researchers. It also utilizes automated tools to simulate attacks, gain unauthorized access to systems, and elevate privileges.&nbsp;</p><p>Third Party Non-CCIC PenTesting Service also known as <strong>Penetration Testing Self Service (PTSS) </strong> is managed by private contractors or providers outside of CMS. With this model, internal CMS Teams connect with automated testing tools to assess their systems.&nbsp;</p><p>While both options meet the technical requirements for FISMA systems, its preferred that CMS Teams use the resources provided by the CCIC to conduct their PenTesting. The internal PTaaS is offered to CMS teams at no cost, and your team will benefit from direct support from engineers from the Penetration Testing Team.&nbsp;</p></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>Schedule your PenTest</h1><p>* Contact the CMS Penetration Testing Team to schedule your system&#x27;s PenTest today. Please email the PenTest team to obtain the most-up-to-date pentest request form.</p><p><a href="mailto:cmspentestmanagement@cms.hhs.gov">Email the team</a></p></section><div class="text-block text-block--theme-explainer"><h2>Who manages the PenTesting process?</h2><p>Within your team, the Information System Security Officer (ISSO), Cyber Risk Advisor (CRA), and the System/Business Owner are the primary individuals responsible for the management of the PenTesting process. The Penetration Testing Team assists in the process of uploading the required files to CFACTS once the test is complete.&nbsp;</p><h3>Information System Security Officer (ISSO)</h3><p>The following actions are completed by ISSOs during the PenTesting process:&nbsp;</p><ul><li>Emails the PenTest mailbox to make the initial request for a PenTest</li><li>Fills out the Penetration Testing Intake Form provided by the PenTest Coordinator&nbsp;</li><li>Participates in all meetings with the Penetration Testing Team</li><li>In the event that the PenTest produces findings that warrant a <a href="/learn/plan-action-and-milestones-poam">Plan of Action and Milestones (POA&amp;M)</a>, the ISSO assists in the remediation process</li></ul><h3>Cyber Risk Advisor (CRA)</h3><p>The CRA is responsible for the following portions of the PenTesting process:</p><ul><li>Serves an information resource for the ISSO</li><li>When necessary, assists ISSO in the collection of system-specific information and materials&nbsp;</li><li>Confirms that the final PenTest results have been accurately uploaded to <a href="/learn/cms-fisma-continuous-tracking-system-cfacts">CFACTS</a>&nbsp;</li></ul><h3>System/Business Owner</h3><p>The System/Business Owner completes the following activities in support of PenTesting:&nbsp;</p><ul><li>Participates in all meetings with the Penetration Testing Team&nbsp;</li><li>Works with the Penetration Testing team to discuss test results and the discovery of all findings</li><li>Mitigates findings within one (1) week, focusing first on the highest risk findings</li><li>Manages the POA&amp;M process in the event of findings that warrant a POA&amp;M</li></ul><h3>Penetration Testing Team&nbsp;</h3><p>The Penetration Testing Team is responsible for the following actions:&nbsp;</p><ul><li>Responds to the initial request from the ISSO or CRA&nbsp;</li><li>Schedules kick-off meeting with the ISSO, CRA, System/Business Owner, and any Contractors to determine the scope of the Penetration Test</li><li>Works with the System Team to determine how the system will be tested, an agreement that facilitates testing in a controlled manner that addresses potential and realized impacts on CMS operations while allowing for the most useful test results possible</li><li>Coordinates test timeline, scope, and strategy and documents a test plan</li><li>Executes test activities based on the test plan</li><li>Delivers status updates during test execution</li><li>Categorizes, prioritizes, and reports on findings and recommendations for remediation</li><li>Debriefs and collaborates with the System Team on findings and recommendations</li><li>Assists the System Teams ISSO and CRA in creating the CAAT file that is uploaded to CFACTS&nbsp;</li></ul><h2>How do I schedule a PenTest?&nbsp;</h2><p>Scheduling your PenTest with the Penetration Testing Team is easy. Just follow these steps:&nbsp;</p><ul><li>The ISSO or CRA contacts the Penetration testing team via email to request a pentest. Please email the pentest team to obtain the most-up-to-date pentest request form.</li><li>The ISSO or CRA fills out and submits the Word document intake form provided by the pentest team.</li><li>The PenTest Coordinator works with the ISSO and project team to review the submitted intake form via email.&nbsp;</li><li>The PenTest team arranges a meeting to discuss the process and inform the ISSO and System/Business Owner of what to expect.</li></ul><p>To avoid delays, the project should contact a PenTest Coordinator to request the assessment at least 3 months before the <a href="/learn/authorization-operate-ato">ATO</a> deadline.</p><h2>What are the results of PenTesting?</h2><p>Immediately following a PenTest, the following actions occur:&nbsp;</p><ul><li>The PenTest team will notify the System Team of any issues. If an issue is not sufficiently resolved/mitigated within 5 days for critical and 25 days for all other, the team is issued a Plan of Action and Milestones (POA&amp;M) to manage it</li><li>When the test results are finalized, the PenTest team uploads a completed CAAT spreadsheet to CFACTS and notifies all parties</li><li>The CISO mailbox is also notified that the CAAT spreadsheet is complete and available on CFACTS</li><li>After positive identification of security assessment, all findings/ weaknesses must be documented in a POA&amp;M and remediated/ mitigated within the following remediation timelines:<ul><li>Critical within 15 calendar days</li><li>High 30 days</li><li>Moderate within 90 days</li><li>Low within 365 days</li></ul></li></ul><p>Please note that, per the <a href="/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risks and Safeguards (ARS)</a>, System Owners must, “Correct identified security-related information system flaws on production equipment within 5 days (5) business days for critical and all others within (25) calendar days.”</p></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Testing and documenting system security and compliance to gain approval to operate the system at CMS</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cybersecurity-risk-assessment-program-csrap">Cybersecurity and Risk Assessment Program (CSRAP)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>A streamlined risk-based control(s) testing methodology designed to relieve operational burden.</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-fisma-continuous-tracking-system-cfacts">CMS FISMA Continuous Tracking System (CFACTS)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>CFACTS is a CMS database that tracks application security deficiencies and POA&amp;Ms, and supports the ATO process</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/plan-action-and-milestones-poam">Plan of Action and Milestones (POA&amp;M)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>A corrective action plan roadmap to address system weaknesses and the resources required to fix them</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-cybersecurity-integration-center-ccic">CMS Cybersecurity Integration Center (CCIC)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>The CCIC uses data to address incidents through risk management and monitoring activities across CMS </p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/posts/cms-cybersecurity-integration-center-ccic-red-team-engagements">CMS Cybersecurity Integration Center (CCIC) Red Team Engagements</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>CCIC Red Team Engagements help strengthen your system&#x27;s defenses against real-world threat actors</p></div></div></li></ul></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"penetration-testing-pentesting\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"penetration-testing-pentesting\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"penetration-testing-pentesting\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"penetration-testing-pentesting\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:Ta02,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is Penetration Testing?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePenetration Testing, also known as PenTesting, is the process of identifying and exploiting vulnerabilities in a system. It helps to identify areas where security has been compromised or could be compromised in the future. These tests can help CMS to improve its overall information security posture by exposing weaknesses and providing guidance on steps that can be taken to reduce the risk of attack. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. It often involves launching real attacks on real systems and data, using tools and techniques commonly employed by attackers. Penetration testing can help you determine:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHow well the system tolerates real-world attack patterns\u003c/li\u003e\u003cli\u003eThe likely level of sophistication an attacker needs to successfully compromise the system\u003c/li\u003e\u003cli\u003eAdditional countermeasures that could mitigate threats against the system\u003c/li\u003e\u003cli\u003eHow combinations of vulnerabilities can be used to exploit systems, networks, or applications\u003c/li\u003e\u003cli\u003eThe defenders ability to detect attacks and respond appropriately\u003c/li\u003e\u003cli\u003eThe overall security posture of the target system\u003c/li\u003e\u003cli\u003eGaps in the implementation of security measures\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWhat types of PenTesting exist?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAll teams at CMS have the ability to choose either internal or external PenTesting.\u0026nbsp;\u003c/p\u003e\u003cp\u003eInternal and External PenTesting also known as \u003cstrong\u003ePenetration Testing as a Service (PTaaS) \u003c/strong\u003e is managed by the \u003cstrong\u003ePenetration Testing Team \u003c/strong\u003ethrough the CMS Cybersecurity Integration Center (CCIC). This service offers an in-depth examination of security infrastructure carried out by competent security researchers. It also utilizes automated tools to simulate attacks, gain unauthorized access to systems, and elevate privileges.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThird Party Non-CCIC PenTesting Service also known as \u003cstrong\u003ePenetration Testing Self Service (PTSS) \u003c/strong\u003e is managed by private contractors or providers outside of CMS. With this model, internal CMS Teams connect with automated testing tools to assess their systems.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhile both options meet the technical requirements for FISMA systems, its preferred that CMS Teams use the resources provided by the CCIC to conduct their PenTesting. The internal PTaaS is offered to CMS teams at no cost, and your team will benefit from direct support from engineers from the Penetration Testing Team.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:Ta02,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is Penetration Testing?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePenetration Testing, also known as PenTesting, is the process of identifying and exploiting vulnerabilities in a system. It helps to identify areas where security has been compromised or could be compromised in the future. These tests can help CMS to improve its overall information security posture by exposing weaknesses and providing guidance on steps that can be taken to reduce the risk of attack. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. It often involves launching real attacks on real systems and data, using tools and techniques commonly employed by attackers. Penetration testing can help you determine:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHow well the system tolerates real-world attack patterns\u003c/li\u003e\u003cli\u003eThe likely level of sophistication an attacker needs to successfully compromise the system\u003c/li\u003e\u003cli\u003eAdditional countermeasures that could mitigate threats against the system\u003c/li\u003e\u003cli\u003eHow combinations of vulnerabilities can be used to exploit systems, networks, or applications\u003c/li\u003e\u003cli\u003eThe defenders ability to detect attacks and respond appropriately\u003c/li\u003e\u003cli\u003eThe overall security posture of the target system\u003c/li\u003e\u003cli\u003eGaps in the implementation of security measures\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWhat types of PenTesting exist?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAll teams at CMS have the ability to choose either internal or external PenTesting.\u0026nbsp;\u003c/p\u003e\u003cp\u003eInternal and External PenTesting also known as \u003cstrong\u003ePenetration Testing as a Service (PTaaS) \u003c/strong\u003e is managed by the \u003cstrong\u003ePenetration Testing Team \u003c/strong\u003ethrough the CMS Cybersecurity Integration Center (CCIC). This service offers an in-depth examination of security infrastructure carried out by competent security researchers. It also utilizes automated tools to simulate attacks, gain unauthorized access to systems, and elevate privileges.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThird Party Non-CCIC PenTesting Service also known as \u003cstrong\u003ePenetration Testing Self Service (PTSS) \u003c/strong\u003e is managed by private contractors or providers outside of CMS. With this model, internal CMS Teams connect with automated testing tools to assess their systems.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhile both options meet the technical requirements for FISMA systems, its preferred that CMS Teams use the resources provided by the CCIC to conduct their PenTesting. The internal PTaaS is offered to CMS teams at no cost, and your team will benefit from direct support from engineers from the Penetration Testing Team.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1a:T14a9,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWho manages the PenTesting process?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWithin your team, the Information System Security Officer (ISSO), Cyber Risk Advisor (CRA), and the System/Business Owner are the primary individuals responsible for the management of the PenTesting process. The Penetration Testing Team assists in the process of uploading the required files to CFACTS once the test is complete.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe following actions are completed by ISSOs during the PenTesting process:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmails the PenTest mailbox to make the initial request for a PenTest\u003c/li\u003e\u003cli\u003eFills out the Penetration Testing Intake Form provided by the PenTest Coordinator\u0026nbsp;\u003c/li\u003e\u003cli\u003eParticipates in all meetings with the Penetration Testing Team\u003c/li\u003e\u003cli\u003eIn the event that the PenTest produces findings that warrant a \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e, the ISSO assists in the remediation process\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCyber Risk Advisor (CRA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CRA is responsible for the following portions of the PenTesting process:\u003c/p\u003e\u003cul\u003e\u003cli\u003eServes an information resource for the ISSO\u003c/li\u003e\u003cli\u003eWhen necessary, assists ISSO in the collection of system-specific information and materials\u0026nbsp;\u003c/li\u003e\u003cli\u003eConfirms that the final PenTest results have been accurately uploaded to \u003ca href=\"/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eSystem/Business Owner\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe System/Business Owner completes the following activities in support of PenTesting:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eParticipates in all meetings with the Penetration Testing Team\u0026nbsp;\u003c/li\u003e\u003cli\u003eWorks with the Penetration Testing team to discuss test results and the discovery of all findings\u003c/li\u003e\u003cli\u003eMitigates findings within one (1) week, focusing first on the highest risk findings\u003c/li\u003e\u003cli\u003eManages the POA\u0026amp;M process in the event of findings that warrant a POA\u0026amp;M\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003ePenetration Testing Team\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Penetration Testing Team is responsible for the following actions:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eResponds to the initial request from the ISSO or CRA\u0026nbsp;\u003c/li\u003e\u003cli\u003eSchedules kick-off meeting with the ISSO, CRA, System/Business Owner, and any Contractors to determine the scope of the Penetration Test\u003c/li\u003e\u003cli\u003eWorks with the System Team to determine how the system will be tested, an agreement that facilitates testing in a controlled manner that addresses potential and realized impacts on CMS operations while allowing for the most useful test results possible\u003c/li\u003e\u003cli\u003eCoordinates test timeline, scope, and strategy and documents a test plan\u003c/li\u003e\u003cli\u003eExecutes test activities based on the test plan\u003c/li\u003e\u003cli\u003eDelivers status updates during test execution\u003c/li\u003e\u003cli\u003eCategorizes, prioritizes, and reports on findings and recommendations for remediation\u003c/li\u003e\u003cli\u003eDebriefs and collaborates with the System Team on findings and recommendations\u003c/li\u003e\u003cli\u003eAssists the System Teams ISSO and CRA in creating the CAAT file that is uploaded to CFACTS\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eHow do I schedule a PenTest?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eScheduling your PenTest with the Penetration Testing Team is easy. Just follow these steps:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ISSO or CRA contacts the Penetration testing team via email to request a pentest. Please email the pentest team to obtain the most-up-to-date pentest request form.\u003c/li\u003e\u003cli\u003eThe ISSO or CRA fills out and submits the Word document intake form provided by the pentest team.\u003c/li\u003e\u003cli\u003eThe PenTest Coordinator works with the ISSO and project team to review the submitted intake form via email.\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe PenTest team arranges a meeting to discuss the process and inform the ISSO and System/Business Owner of what to expect.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eTo avoid delays, the project should contact a PenTest Coordinator to request the assessment at least 3 months before the \u003ca href=\"/learn/authorization-operate-ato\"\u003eATO\u003c/a\u003e deadline.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat are the results of PenTesting?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eImmediately following a PenTest, the following actions occur:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe PenTest team will notify the System Team of any issues. If an issue is not sufficiently resolved/mitigated within 5 days for critical and 25 days for all other, the team is issued a Plan of Action and Milestones (POA\u0026amp;M) to manage it\u003c/li\u003e\u003cli\u003eWhen the test results are finalized, the PenTest team uploads a completed CAAT spreadsheet to CFACTS and notifies all parties\u003c/li\u003e\u003cli\u003eThe CISO mailbox is also notified that the CAAT spreadsheet is complete and available on CFACTS\u003c/li\u003e\u003cli\u003eAfter positive identification of security assessment, all findings/ weaknesses must be documented in a POA\u0026amp;M and remediated/ mitigated within the following remediation timelines:\u003cul\u003e\u003cli\u003eCritical within 15 calendar days\u003c/li\u003e\u003cli\u003eHigh 30 days\u003c/li\u003e\u003cli\u003eModerate within 90 days\u003c/li\u003e\u003cli\u003eLow within 365 days\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ePlease note that, per the \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risks and Safeguards (ARS)\u003c/a\u003e, System Owners must, “Correct identified security-related information system flaws on production equipment within 5 days (5) business days for critical and all others within (25) calendar days.”\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1b:T14a9,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWho manages the PenTesting process?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWithin your team, the Information System Security Officer (ISSO), Cyber Risk Advisor (CRA), and the System/Business Owner are the primary individuals responsible for the management of the PenTesting process. The Penetration Testing Team assists in the process of uploading the required files to CFACTS once the test is complete.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe following actions are completed by ISSOs during the PenTesting process:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmails the PenTest mailbox to make the initial request for a PenTest\u003c/li\u003e\u003cli\u003eFills out the Penetration Testing Intake Form provided by the PenTest Coordinator\u0026nbsp;\u003c/li\u003e\u003cli\u003eParticipates in all meetings with the Penetration Testing Team\u003c/li\u003e\u003cli\u003eIn the event that the PenTest produces findings that warrant a \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e, the ISSO assists in the remediation process\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCyber Risk Advisor (CRA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CRA is responsible for the following portions of the PenTesting process:\u003c/p\u003e\u003cul\u003e\u003cli\u003eServes an information resource for the ISSO\u003c/li\u003e\u003cli\u003eWhen necessary, assists ISSO in the collection of system-specific information and materials\u0026nbsp;\u003c/li\u003e\u003cli\u003eConfirms that the final PenTest results have been accurately uploaded to \u003ca href=\"/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eSystem/Business Owner\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe System/Business Owner completes the following activities in support of PenTesting:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eParticipates in all meetings with the Penetration Testing Team\u0026nbsp;\u003c/li\u003e\u003cli\u003eWorks with the Penetration Testing team to discuss test results and the discovery of all findings\u003c/li\u003e\u003cli\u003eMitigates findings within one (1) week, focusing first on the highest risk findings\u003c/li\u003e\u003cli\u003eManages the POA\u0026amp;M process in the event of findings that warrant a POA\u0026amp;M\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003ePenetration Testing Team\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Penetration Testing Team is responsible for the following actions:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eResponds to the initial request from the ISSO or CRA\u0026nbsp;\u003c/li\u003e\u003cli\u003eSchedules kick-off meeting with the ISSO, CRA, System/Business Owner, and any Contractors to determine the scope of the Penetration Test\u003c/li\u003e\u003cli\u003eWorks with the System Team to determine how the system will be tested, an agreement that facilitates testing in a controlled manner that addresses potential and realized impacts on CMS operations while allowing for the most useful test results possible\u003c/li\u003e\u003cli\u003eCoordinates test timeline, scope, and strategy and documents a test plan\u003c/li\u003e\u003cli\u003eExecutes test activities based on the test plan\u003c/li\u003e\u003cli\u003eDelivers status updates during test execution\u003c/li\u003e\u003cli\u003eCategorizes, prioritizes, and reports on findings and recommendations for remediation\u003c/li\u003e\u003cli\u003eDebriefs and collaborates with the System Team on findings and recommendations\u003c/li\u003e\u003cli\u003eAssists the System Teams ISSO and CRA in creating the CAAT file that is uploaded to CFACTS\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eHow do I schedule a PenTest?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eScheduling your PenTest with the Penetration Testing Team is easy. Just follow these steps:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ISSO or CRA contacts the Penetration testing team via email to request a pentest. Please email the pentest team to obtain the most-up-to-date pentest request form.\u003c/li\u003e\u003cli\u003eThe ISSO or CRA fills out and submits the Word document intake form provided by the pentest team.\u003c/li\u003e\u003cli\u003eThe PenTest Coordinator works with the ISSO and project team to review the submitted intake form via email.\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe PenTest team arranges a meeting to discuss the process and inform the ISSO and System/Business Owner of what to expect.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eTo avoid delays, the project should contact a PenTest Coordinator to request the assessment at least 3 months before the \u003ca href=\"/learn/authorization-operate-ato\"\u003eATO\u003c/a\u003e deadline.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat are the results of PenTesting?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eImmediately following a PenTest, the following actions occur:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe PenTest team will notify the System Team of any issues. If an issue is not sufficiently resolved/mitigated within 5 days for critical and 25 days for all other, the team is issued a Plan of Action and Milestones (POA\u0026amp;M) to manage it\u003c/li\u003e\u003cli\u003eWhen the test results are finalized, the PenTest team uploads a completed CAAT spreadsheet to CFACTS and notifies all parties\u003c/li\u003e\u003cli\u003eThe CISO mailbox is also notified that the CAAT spreadsheet is complete and available on CFACTS\u003c/li\u003e\u003cli\u003eAfter positive identification of security assessment, all findings/ weaknesses must be documented in a POA\u0026amp;M and remediated/ mitigated within the following remediation timelines:\u003cul\u003e\u003cli\u003eCritical within 15 calendar days\u003c/li\u003e\u003cli\u003eHigh 30 days\u003c/li\u003e\u003cli\u003eModerate within 90 days\u003c/li\u003e\u003cli\u003eLow within 365 days\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ePlease note that, per the \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risks and Safeguards (ARS)\u003c/a\u003e, System Owners must, “Correct identified security-related information system flaws on production equipment within 5 days (5) business days for critical and all others within (25) calendar days.”\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1c:T2708,"])</script><script>self.__next_f.push([1,"\u003cp\u003eIn today's digital landscape, organizations face an ever-evolving array of cyber threats that can compromise their critical data assets. As technology advances, so do the tactics employed by malicious actors seeking to infiltrate networks, steal sensitive information, and cause damage. To counter these threats, it is crucial for organizations to assess their security posture comprehensively and proactively. This is where the Red Team Engagements come into play.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat are Red Team Engagements?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eRed Team Engagements are highly targeted assessments designed to simulate real-world threat scenarios. Unlike traditional penetration tests that focus on identifying vulnerabilities, Red Team Engagements take a more holistic approach. They go beyond simply finding weaknesses in defenses and delve into the realms of defense, detection, and response. By emulating the Tactics, Techniques, and Procedures (TTPs) of actual adversaries, Red Teams challenge an organization's security measures, testing its ability to detect and respond to potential threats.\u003c/p\u003e\u003cp\u003eIn essence, while penetration testing focuses on the technological aspects of defense, Red Team Engagements aim to improve the detection capabilities of the defenders themselves, the people responsible for safeguarding the system.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow do Red Team Engagements work?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eRed Team Engagements require collaboration between the System team and the CMS Cybersecurity Integration Center (CCIC) team. Business owners and cyber risk advisors work together to define the scope of the engagement, including identifying the system's boundaries, gathering necessary credentials, and scheduling the engagement.\u003c/p\u003e\u003cp\u003eDuring the engagement, the Red Team assumes the role of a threat actor who has already gained initial access to the system. Over the course of approximately one month, the team executes a series of MITRE ATT\u0026amp;CK TTPs commonly employed by real-world adversaries. They start slowly and subtly, gradually increasing their activity and noise to assess the system's resilience.\u003c/p\u003e\u003cp\u003eNote: Red Team Engagements do not involve social engineering attacks such as phishing or impersonation. Instead, the focus is on testing the system's ability to detect and respond to an advanced and persistent threat.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eBenefits of Red Team Engagements\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eRegularly conducting Red Team Engagements offers several benefits to organizations looking to enhance their security posture:\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003eStrengthened Defenses\u003c/strong\u003e: By identifying weaknesses and vulnerabilities, Red Team Engagements enable organizations to bolster their defenses proactively. They provide valuable insights into potential entry points and the effectiveness of existing security measures.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEarly Detection\u003c/strong\u003e: Red Team Engagements test the system's ability to detect attacks at an early stage. By simulating real-world threat scenarios, organizations can fine-tune their monitoring and detection capabilities, allowing them to respond swiftly to potential breaches.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eDamage Limitation\u003c/strong\u003e: By uncovering vulnerabilities and weaknesses, organizations can address them promptly, minimizing the potential damage that a real-world attack might cause. Red Team Engagements help organizations stay one step ahead of malicious actors.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImproved Security Stance\u003c/strong\u003e: Red Team Engagements contribute to an overall improvement in an organization's security stance. By continuously challenging and refining their defenses, organizations can maintain a strong security posture that evolves with emerging threats.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eFAQs about Red Team Engagements\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eTo provide further clarity, let's address some frequently asked questions about Red Team Engagements:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ1: Who should be involved in the Red Team Engagements - and what support is needed from our end?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eUnlike traditional penetration tests, Red Team Engagements involve the active participation of upper leadership and system personnel. It is highly encouraged for upper leadership to be involved on the system's end. This approach ensures that the engagement remains as \"low profile\" as possible, allowing the Red Team to effectively test the system's ability to detect and respond to their activity.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ2: Is there a risk of potential downtime for the system?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of a Red Team Engagement is not to cause any damage to the systems or disrupt their operations. The majority of techniques and tactics employed during the engagement should not cause any downtime for the given system. The focus is on identifying vulnerabilities and weaknesses without affecting the system's availability.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ3: What documentation is provided at the end of the engagement?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAt the conclusion of the Red Team Engagement, the CCIC Penetration Team will produce and deliver the following documents:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRed Team Engagement Final Report: This high-level report outlines the overall results of the engagement, providing a summary of key findings and recommendations.\u003c/li\u003e\u003cli\u003eRed Team Engagement Full Report: This in-depth documentation outlines the entire engagement, from the scope of the assessment to detailed recommendations for better securing the system/environment. It provides a comprehensive analysis of the findings and includes actionable steps for improvement.\u003c/li\u003e\u003cli\u003eRed Team Log: This document outlines the specific actions performed by each tester during the engagement, detailing their activities on a given system at a specific time. The Red Team Log provides system maintainers, developers, and security professionals with all the necessary details to replicate and understand the methodologies used during the engagement.\u003c/li\u003e\u003cli\u003eVulnerability Findings: This documentation highlights specific vulnerabilities discovered during the engagement. It includes steps to reproduce the vulnerabilities and recommendations for their remediation.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eQ4: What level of support is needed from our team during the engagement?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBefore the engagement starts, the CCIC Penetration Team will work with your team to gather the IP addresses/Hosts that are within the scope. Additionally, they may request a \"Low\" level user account for the target system(s). Once the engagement is underway, the only additional support that may be needed is if the Red Team is detected and the system initiates the incident response process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ5: What happens if vulnerabilities are discovered?\u003c/strong\u003e\u0026nbsp;\u003c/h3\u003e\u003cp\u003eWhile the primary focus of Red Team Engagements is not on discovering vulnerabilities, if any are discovered, the CCIC Penetration Team will follow the normal process for addressing them. They will work with the system's stakeholders to properly remediate the vulnerabilities. Critical findings must be remediated within 15 calendar days, High findings within 30 calendar days, Moderate findings within 90 calendar days, and Low findings within 365 calendar days before being submitted to the CMS\u0026nbsp;FISMA Controls Tracking System (CFACTS).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ6: In which environment will the testing occur?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf the monitoring and detection capabilities of a lower environment are the same as the production environment, the Red Team prefers to conduct the test in the lower environment. However, if there are differences, it is recommended to perform the test in the production environment. This allows the Red Team to provide the most accurate and realistic results possible, considering the actual production system.\u003c/p\u003e\u003cp\u003eBy conducting Red Team Engagements, you can proactively assess your security defenses, enhance your detection capabilities, and improve your overall security stance. With the collaboration between the System team and the CMS Cybersecurity Integration Center (CCIC) team, a stronger and more resilient cybersecurity posture can be achieved to protect critical data assets from real-world threat actors.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eInterested in learning more?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eTo learn more about Red Team Engagements, penetration testing, and other cybersecurity measures, you're invited to attend the CCIC Final Friday Frequently asked questions (CF3) session that takes place once a quarter. If youre interested in attending, we encourage you to send us an e-mail at \u003ca href=\"mailto:cmspentestteam@cms.hhs.gov\"\u003ecmspentestmanagement@cms.hhs.gov\u003c/a\u003e and we will be happy to add you to the e-mail invite for the upcoming session. This comprehensive discussion is designed to answer key questions about the cybersecurity landscape, and specifically the role of CCIC penetration testing, different types of testing, the process of reporting findings, the role of Red Teaming, and much more.\u003c/p\u003e\u003cp\u003eWe highly recommend tuning in to this valuable session to boost your understanding of how to secure your systems effectively. The information provided will empower you to make more informed decisions about your cybersecurity strategy, enhancing your ability to protect your organization from evolving cyber threats.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAvailability of this service at CMS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis service is available at the CMS Cybersecurity Integration Center (CCIC). To request a Red Team Engagement, you can contact the CMS CCIC Penetration Team via email at \u003ca href=\"mailto:cmspentestteam@cms.hhs.gov\"\u003ecmspentestmanagement@cms.hhs.gov\u003c/a\u003e. The team will guide you through the process, providing you with a PenTest Request form and scheduling a call to gather additional details.\u003c/p\u003e\u003cp\u003eRemember, the strength of your cybersecurity posture relies heavily on being proactive. Regular security assessments like Red Team Engagements are an excellent way to identify potential weaknesses before they can be exploited, enabling you to maintain a robust and effective defense against real-world cyber threats.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1d:T2708,"])</script><script>self.__next_f.push([1,"\u003cp\u003eIn today's digital landscape, organizations face an ever-evolving array of cyber threats that can compromise their critical data assets. As technology advances, so do the tactics employed by malicious actors seeking to infiltrate networks, steal sensitive information, and cause damage. To counter these threats, it is crucial for organizations to assess their security posture comprehensively and proactively. This is where the Red Team Engagements come into play.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat are Red Team Engagements?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eRed Team Engagements are highly targeted assessments designed to simulate real-world threat scenarios. Unlike traditional penetration tests that focus on identifying vulnerabilities, Red Team Engagements take a more holistic approach. They go beyond simply finding weaknesses in defenses and delve into the realms of defense, detection, and response. By emulating the Tactics, Techniques, and Procedures (TTPs) of actual adversaries, Red Teams challenge an organization's security measures, testing its ability to detect and respond to potential threats.\u003c/p\u003e\u003cp\u003eIn essence, while penetration testing focuses on the technological aspects of defense, Red Team Engagements aim to improve the detection capabilities of the defenders themselves, the people responsible for safeguarding the system.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow do Red Team Engagements work?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eRed Team Engagements require collaboration between the System team and the CMS Cybersecurity Integration Center (CCIC) team. Business owners and cyber risk advisors work together to define the scope of the engagement, including identifying the system's boundaries, gathering necessary credentials, and scheduling the engagement.\u003c/p\u003e\u003cp\u003eDuring the engagement, the Red Team assumes the role of a threat actor who has already gained initial access to the system. Over the course of approximately one month, the team executes a series of MITRE ATT\u0026amp;CK TTPs commonly employed by real-world adversaries. They start slowly and subtly, gradually increasing their activity and noise to assess the system's resilience.\u003c/p\u003e\u003cp\u003eNote: Red Team Engagements do not involve social engineering attacks such as phishing or impersonation. Instead, the focus is on testing the system's ability to detect and respond to an advanced and persistent threat.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eBenefits of Red Team Engagements\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eRegularly conducting Red Team Engagements offers several benefits to organizations looking to enhance their security posture:\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003eStrengthened Defenses\u003c/strong\u003e: By identifying weaknesses and vulnerabilities, Red Team Engagements enable organizations to bolster their defenses proactively. They provide valuable insights into potential entry points and the effectiveness of existing security measures.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEarly Detection\u003c/strong\u003e: Red Team Engagements test the system's ability to detect attacks at an early stage. By simulating real-world threat scenarios, organizations can fine-tune their monitoring and detection capabilities, allowing them to respond swiftly to potential breaches.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eDamage Limitation\u003c/strong\u003e: By uncovering vulnerabilities and weaknesses, organizations can address them promptly, minimizing the potential damage that a real-world attack might cause. Red Team Engagements help organizations stay one step ahead of malicious actors.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImproved Security Stance\u003c/strong\u003e: Red Team Engagements contribute to an overall improvement in an organization's security stance. By continuously challenging and refining their defenses, organizations can maintain a strong security posture that evolves with emerging threats.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eFAQs about Red Team Engagements\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eTo provide further clarity, let's address some frequently asked questions about Red Team Engagements:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ1: Who should be involved in the Red Team Engagements - and what support is needed from our end?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eUnlike traditional penetration tests, Red Team Engagements involve the active participation of upper leadership and system personnel. It is highly encouraged for upper leadership to be involved on the system's end. This approach ensures that the engagement remains as \"low profile\" as possible, allowing the Red Team to effectively test the system's ability to detect and respond to their activity.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ2: Is there a risk of potential downtime for the system?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of a Red Team Engagement is not to cause any damage to the systems or disrupt their operations. The majority of techniques and tactics employed during the engagement should not cause any downtime for the given system. The focus is on identifying vulnerabilities and weaknesses without affecting the system's availability.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ3: What documentation is provided at the end of the engagement?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAt the conclusion of the Red Team Engagement, the CCIC Penetration Team will produce and deliver the following documents:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRed Team Engagement Final Report: This high-level report outlines the overall results of the engagement, providing a summary of key findings and recommendations.\u003c/li\u003e\u003cli\u003eRed Team Engagement Full Report: This in-depth documentation outlines the entire engagement, from the scope of the assessment to detailed recommendations for better securing the system/environment. It provides a comprehensive analysis of the findings and includes actionable steps for improvement.\u003c/li\u003e\u003cli\u003eRed Team Log: This document outlines the specific actions performed by each tester during the engagement, detailing their activities on a given system at a specific time. The Red Team Log provides system maintainers, developers, and security professionals with all the necessary details to replicate and understand the methodologies used during the engagement.\u003c/li\u003e\u003cli\u003eVulnerability Findings: This documentation highlights specific vulnerabilities discovered during the engagement. It includes steps to reproduce the vulnerabilities and recommendations for their remediation.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eQ4: What level of support is needed from our team during the engagement?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBefore the engagement starts, the CCIC Penetration Team will work with your team to gather the IP addresses/Hosts that are within the scope. Additionally, they may request a \"Low\" level user account for the target system(s). Once the engagement is underway, the only additional support that may be needed is if the Red Team is detected and the system initiates the incident response process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ5: What happens if vulnerabilities are discovered?\u003c/strong\u003e\u0026nbsp;\u003c/h3\u003e\u003cp\u003eWhile the primary focus of Red Team Engagements is not on discovering vulnerabilities, if any are discovered, the CCIC Penetration Team will follow the normal process for addressing them. They will work with the system's stakeholders to properly remediate the vulnerabilities. Critical findings must be remediated within 15 calendar days, High findings within 30 calendar days, Moderate findings within 90 calendar days, and Low findings within 365 calendar days before being submitted to the CMS\u0026nbsp;FISMA Controls Tracking System (CFACTS).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ6: In which environment will the testing occur?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf the monitoring and detection capabilities of a lower environment are the same as the production environment, the Red Team prefers to conduct the test in the lower environment. However, if there are differences, it is recommended to perform the test in the production environment. This allows the Red Team to provide the most accurate and realistic results possible, considering the actual production system.\u003c/p\u003e\u003cp\u003eBy conducting Red Team Engagements, you can proactively assess your security defenses, enhance your detection capabilities, and improve your overall security stance. With the collaboration between the System team and the CMS Cybersecurity Integration Center (CCIC) team, a stronger and more resilient cybersecurity posture can be achieved to protect critical data assets from real-world threat actors.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eInterested in learning more?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eTo learn more about Red Team Engagements, penetration testing, and other cybersecurity measures, you're invited to attend the CCIC Final Friday Frequently asked questions (CF3) session that takes place once a quarter. If youre interested in attending, we encourage you to send us an e-mail at \u003ca href=\"mailto:cmspentestteam@cms.hhs.gov\"\u003ecmspentestmanagement@cms.hhs.gov\u003c/a\u003e and we will be happy to add you to the e-mail invite for the upcoming session. This comprehensive discussion is designed to answer key questions about the cybersecurity landscape, and specifically the role of CCIC penetration testing, different types of testing, the process of reporting findings, the role of Red Teaming, and much more.\u003c/p\u003e\u003cp\u003eWe highly recommend tuning in to this valuable session to boost your understanding of how to secure your systems effectively. The information provided will empower you to make more informed decisions about your cybersecurity strategy, enhancing your ability to protect your organization from evolving cyber threats.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAvailability of this service at CMS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis service is available at the CMS Cybersecurity Integration Center (CCIC). To request a Red Team Engagement, you can contact the CMS CCIC Penetration Team via email at \u003ca href=\"mailto:cmspentestteam@cms.hhs.gov\"\u003ecmspentestmanagement@cms.hhs.gov\u003c/a\u003e. The team will guide you through the process, providing you with a PenTest Request form and scheduling a call to gather additional details.\u003c/p\u003e\u003cp\u003eRemember, the strength of your cybersecurity posture relies heavily on being proactive. Regular security assessments like Red Team Engagements are an excellent way to identify potential weaknesses before they can be exploited, enabling you to maintain a robust and effective defense against real-world cyber threats.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"20:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1f:{\"self\":\"$20\"}\n23:[\"menu_ui\",\"scheduler\"]\n22:{\"module\":\"$23\"}\n26:[]\n25:{\"available_menus\":\"$26\",\"parent\":\"\"}\n27:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n24:{\"menu_ui\":\"$25\",\"scheduler\":\"$27\"}\n21:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$22\",\"third_party_settings\":\"$24\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1e:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1f\",\"attributes\":\"$21\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/94466ab9-93ba-4374-964a-cac08e0505c1\"}\n29:{\"self\":\"$2a\"}\n2b:{\"display_name\":\"jcuenca\"}\n28:{\"type\":\"user--user\",\"id\":\"94466ab9-93ba-4374-964a-cac08e0505c1\",\"links\":\"$29\",\"attributes\":\"$2b\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n2d:{\"self\":\"$2e\"}\n2f:{\"display_name\":\"meg - retired\"}\n2c:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$2d\",\"attributes\":\"$2f\"}\n32:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4?resourceVersion=id%3A121\"}\n31:{\"self\":\"$32\"}\n34:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n33:{\"drupal_internal__tid\":121,\"drupal_internal__revision_id\":121,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:12+00:00\",\"status\":true,\"name\":\"Tools / Services\",\"description\":null,\"weight\":5,\"changed\":\"2023-06-14T19:04:09+00:00\",\"d"])</script><script>self.__next_f.push([1,"efault_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$34\"}\n38:{\"drupal_internal__target_id\":\"resource_type\"}\n37:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$38\"}\n3a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/vid?resourceVersion=id%3A121\"}\n3b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/vid?resourceVersion=id%3A121\"}\n39:{\"related\":\"$3a\",\"self\":\"$3b\"}\n36:{\"data\":\"$37\",\"links\":\"$39\"}\n3e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/revision_user?resourceVersion=id%3A121\"}\n3f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/revision_user?resourceVersion=id%3A121\"}\n3d:{\"related\":\"$3e\",\"self\":\"$3f\"}\n3c:{\"data\":null,\"links\":\"$3d\"}\n46:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n45:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$46\"}\n44:{\"help\":\"$45\"}\n43:{\"links\":\"$44\"}\n42:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$43\"}\n41:[\"$42\"]\n48:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/parent?resourceVersion=id%3A121\"}\n49:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/parent?resourceVersion=id%3A121\"}\n47:{\"related\":\"$48\",\"self\":\"$49\"}\n40:{\"data\":\"$41\",\"links\":\"$47\"}\n35:{\"vid\":\"$36\",\"revision_user\":\"$3c\",\"parent\":\"$40\"}\n30:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"links\":\"$31\",\"attributes\":\"$33\",\"relationships\":\"$35\"}\n4c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n4b:{\"self\":\"$4c\"}\n4e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4d:{\"drupal_internal__"])</script><script>self.__next_f.push([1,"tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4e\"}\n52:{\"drupal_internal__target_id\":\"roles\"}\n51:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$52\"}\n54:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n55:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n53:{\"related\":\"$54\",\"self\":\"$55\"}\n50:{\"data\":\"$51\",\"links\":\"$53\"}\n58:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n59:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n57:{\"related\":\"$58\",\"self\":\"$59\"}\n56:{\"data\":null,\"links\":\"$57\"}\n60:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n5f:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$60\"}\n5e:{\"help\":\"$5f\"}\n5d:{\"links\":\"$5e\"}\n5c:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$5d\"}\n5b:[\"$5c\"]\n62:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n63:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n61:{\"related\":\"$62\",\"self\":\"$63\"}\n5a:{\"data\":\"$5b\",\"links\":\"$61\"}\n4f:{\"vid\":\"$50\",\"revision_user\":\"$56\",\"parent\":\"$5a\"}\n4a:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$4b\",\"attributes\":\"$4d\",\"relationships\":\"$4f\"}\n66:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a1"])</script><script>self.__next_f.push([1,"8463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n65:{\"self\":\"$66\"}\n68:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n67:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$68\"}\n6c:{\"drupal_internal__target_id\":\"roles\"}\n6b:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$6c\"}\n6e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n6d:{\"related\":\"$6e\",\"self\":\"$6f\"}\n6a:{\"data\":\"$6b\",\"links\":\"$6d\"}\n72:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n73:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n71:{\"related\":\"$72\",\"self\":\"$73\"}\n70:{\"data\":null,\"links\":\"$71\"}\n7a:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n79:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$7a\"}\n78:{\"help\":\"$79\"}\n77:{\"links\":\"$78\"}\n76:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$77\"}\n75:[\"$76\"]\n7c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n7d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n7b:{\"related\":\"$7c\",\"self\":\"$7d\"}\n74:{\"data\":\"$75\",\"links\":\"$7b\"}\n69:{\"vid\":\"$6a\",\"revision_user\":\"$70\",\"parent\":\"$74\"}\n64:{\"type\":\"taxonomy_term--roles\",\"id\":\""])</script><script>self.__next_f.push([1,"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$65\",\"attributes\":\"$67\",\"relationships\":\"$69\"}\n80:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n7f:{\"self\":\"$80\"}\n82:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n81:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$82\"}\n86:{\"drupal_internal__target_id\":\"roles\"}\n85:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$86\"}\n88:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n87:{\"related\":\"$88\",\"self\":\"$89\"}\n84:{\"data\":\"$85\",\"links\":\"$87\"}\n8c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n8d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n8b:{\"related\":\"$8c\",\"self\":\"$8d\"}\n8a:{\"data\":null,\"links\":\"$8b\"}\n94:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n93:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$94\"}\n92:{\"help\":\"$93\"}\n91:{\"links\":\"$92\"}\n90:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$91\"}\n8f:[\"$90\"]\n96:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n97:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n95:{\"related\":\"$"])</script><script>self.__next_f.push([1,"96\",\"self\":\"$97\"}\n8e:{\"data\":\"$8f\",\"links\":\"$95\"}\n83:{\"vid\":\"$84\",\"revision_user\":\"$8a\",\"parent\":\"$8e\"}\n7e:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$7f\",\"attributes\":\"$81\",\"relationships\":\"$83\"}\n9a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\n99:{\"self\":\"$9a\"}\n9c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n9b:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$9c\"}\na0:{\"drupal_internal__target_id\":\"roles\"}\n9f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$a0\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\na1:{\"related\":\"$a2\",\"self\":\"$a3\"}\n9e:{\"data\":\"$9f\",\"links\":\"$a1\"}\na6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\na7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\na5:{\"related\":\"$a6\",\"self\":\"$a7\"}\na4:{\"data\":null,\"links\":\"$a5\"}\nae:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nad:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$ae\"}\nac:{\"help\":\"$ad\"}\nab:{\"links\":\"$ac\"}\naa:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$ab\"}\na9:[\"$aa\"]\nb0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\nb1:{\"href\":\"https://cybergeek.cms"])</script><script>self.__next_f.push([1,".gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\naf:{\"related\":\"$b0\",\"self\":\"$b1\"}\na8:{\"data\":\"$a9\",\"links\":\"$af\"}\n9d:{\"vid\":\"$9e\",\"revision_user\":\"$a4\",\"parent\":\"$a8\"}\n98:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":\"$99\",\"attributes\":\"$9b\",\"relationships\":\"$9d\"}\nb4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674?resourceVersion=id%3A6\"}\nb3:{\"self\":\"$b4\"}\nb6:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb5:{\"drupal_internal__tid\":6,\"drupal_internal__revision_id\":6,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:04:59+00:00\",\"status\":true,\"name\":\"Assessments \u0026 Audits\",\"description\":null,\"weight\":1,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b6\"}\nba:{\"drupal_internal__target_id\":\"topics\"}\nb9:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$ba\"}\nbc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/vid?resourceVersion=id%3A6\"}\nbd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/vid?resourceVersion=id%3A6\"}\nbb:{\"related\":\"$bc\",\"self\":\"$bd\"}\nb8:{\"data\":\"$b9\",\"links\":\"$bb\"}\nc0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/revision_user?resourceVersion=id%3A6\"}\nc1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/revision_user?resourceVersion=id%3A6\"}\nbf:{\"related\":\"$c0\",\"self\":\"$c1\"}\nbe:{\"data\":null,\"links\":\"$bf\"}\nc8:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nc7:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c8\"}\nc6:{\"help\":\"$c7\"}\nc5:{\"links\":\"$c6\"}\nc4:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$c5\"}\nc3:[\"$c4\"]\nca:{\"href\":\"https://cybergee"])</script><script>self.__next_f.push([1,"k.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/parent?resourceVersion=id%3A6\"}\ncb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/parent?resourceVersion=id%3A6\"}\nc9:{\"related\":\"$ca\",\"self\":\"$cb\"}\nc2:{\"data\":\"$c3\",\"links\":\"$c9\"}\nb7:{\"vid\":\"$b8\",\"revision_user\":\"$be\",\"parent\":\"$c2\"}\nb2:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"links\":\"$b3\",\"attributes\":\"$b5\",\"relationships\":\"$b7\"}\nce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5?resourceVersion=id%3A46\"}\ncd:{\"self\":\"$ce\"}\nd0:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\ncf:{\"drupal_internal__tid\":46,\"drupal_internal__revision_id\":46,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:13+00:00\",\"status\":true,\"name\":\"Security Operations\",\"description\":null,\"weight\":6,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$d0\"}\nd4:{\"drupal_internal__target_id\":\"topics\"}\nd3:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$d4\"}\nd6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/vid?resourceVersion=id%3A46\"}\nd7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/vid?resourceVersion=id%3A46\"}\nd5:{\"related\":\"$d6\",\"self\":\"$d7\"}\nd2:{\"data\":\"$d3\",\"links\":\"$d5\"}\nda:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/revision_user?resourceVersion=id%3A46\"}\ndb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/revision_user?resourceVersion=id%3A46\"}\nd9:{\"related\":\"$da\",\"self\":\"$db\"}\nd8:{\"data\":null,\"links\":\"$d9\"}\ne2:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\ne1:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\""])</script><script>self.__next_f.push([1,":\"$e2\"}\ne0:{\"help\":\"$e1\"}\ndf:{\"links\":\"$e0\"}\nde:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$df\"}\ndd:[\"$de\"]\ne4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/parent?resourceVersion=id%3A46\"}\ne5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/parent?resourceVersion=id%3A46\"}\ne3:{\"related\":\"$e4\",\"self\":\"$e5\"}\ndc:{\"data\":\"$dd\",\"links\":\"$e3\"}\nd1:{\"vid\":\"$d2\",\"revision_user\":\"$d8\",\"parent\":\"$dc\"}\ncc:{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"links\":\"$cd\",\"attributes\":\"$cf\",\"relationships\":\"$d1\"}\ne8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ce3ee98-23ca-4e7f-aba7-eb85e992ee97?resourceVersion=id%3A19217\"}\ne7:{\"self\":\"$e8\"}\nea:[]\nec:Ta02,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is Penetration Testing?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePenetration Testing, also known as PenTesting, is the process of identifying and exploiting vulnerabilities in a system. It helps to identify areas where security has been compromised or could be compromised in the future. These tests can help CMS to improve its overall information security posture by exposing weaknesses and providing guidance on steps that can be taken to reduce the risk of attack. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. It often involves launching real attacks on real systems and data, using tools and techniques commonly employed by attackers. Penetration testing can help you determine:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHow well the system tolerates real-world attack patterns\u003c/li\u003e\u003cli\u003eThe likely level of sophistication an attacker needs to successfully compromise the system\u003c/li\u003e\u003cli\u003eAdditional countermeasures that could mitigate threats against the system\u003c/li\u003e\u003cli\u003eHow combinations of vulnerabilities can be used to exploit systems, networks, or applications\u003c/li\u003e\u003cli\u003eThe defenders ability to detect attacks and respond appropriately\u003c/li\u003e\u003cli\u003eThe overall security posture of the target system\u003c/li\u003e\u003cli\u003eGaps in the implementation of security measures\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWhat types of PenTesting exist?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAll teams at CMS have the ability to choose either internal or external PenTesting.\u0026nbsp;\u003c/p\u003e\u003cp\u003eInternal and External PenTesting also known as \u003cstrong\u003ePenetration Testing as a Service (PTaaS) \u003c/strong\u003e is managed by the \u003cstrong\u003ePenetration Testing Team \u003c/strong\u003ethrough the CMS Cybersecurity Integration Center (CCIC). This service offers an in-depth examination of security infrastructure carried out by competent security researchers. It also utilizes automated tools to simulate attacks, gain unauthorized access to systems, and elevate privileges.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThird Party Non-CCIC PenTesting Service also known as \u003cstrong\u003ePenetration Testing Self Service (PTSS) \u003c/strong\u003e is managed by private contractors or providers outside of CMS. With this model, internal CMS Teams connect with automated testing tools to assess their systems.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhile both options meet the technical requirements for FISMA systems, its preferred that CMS Teams use the resources provided by the CCIC to conduct their PenTesting. The internal PTaaS is offered to CMS teams at no cost, and your team will benefit from direct support from engineers from the Penetration Testing Team.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"ed:Ta02,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is Penetration Testing?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePenetration Testing, also known as PenTesting, is the process of identifying and exploiting vulnerabilities in a system. It helps to identify areas where security has been compromised or could be compromised in the future. These tests can help CMS to improve its overall information security posture by exposing weaknesses and providing guidance on steps that can be taken to reduce the risk of attack. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. It often involves launching real attacks on real systems and data, using tools and techniques commonly employed by attackers. Penetration testing can help you determine:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHow well the system tolerates real-world attack patterns\u003c/li\u003e\u003cli\u003eThe likely level of sophistication an attacker needs to successfully compromise the system\u003c/li\u003e\u003cli\u003eAdditional countermeasures that could mitigate threats against the system\u003c/li\u003e\u003cli\u003eHow combinations of vulnerabilities can be used to exploit systems, networks, or applications\u003c/li\u003e\u003cli\u003eThe defenders ability to detect attacks and respond appropriately\u003c/li\u003e\u003cli\u003eThe overall security posture of the target system\u003c/li\u003e\u003cli\u003eGaps in the implementation of security measures\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWhat types of PenTesting exist?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAll teams at CMS have the ability to choose either internal or external PenTesting.\u0026nbsp;\u003c/p\u003e\u003cp\u003eInternal and External PenTesting also known as \u003cstrong\u003ePenetration Testing as a Service (PTaaS) \u003c/strong\u003e is managed by the \u003cstrong\u003ePenetration Testing Team \u003c/strong\u003ethrough the CMS Cybersecurity Integration Center (CCIC). This service offers an in-depth examination of security infrastructure carried out by competent security researchers. It also utilizes automated tools to simulate attacks, gain unauthorized access to systems, and elevate privileges.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThird Party Non-CCIC PenTesting Service also known as \u003cstrong\u003ePenetration Testing Self Service (PTSS) \u003c/strong\u003e is managed by private contractors or providers outside of CMS. With this model, internal CMS Teams connect with automated testing tools to assess their systems.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhile both options meet the technical requirements for FISMA systems, its preferred that CMS Teams use the resources provided by the CCIC to conduct their PenTesting. The internal PTaaS is offered to CMS teams at no cost, and your team will benefit from direct support from engineers from the Penetration Testing Team.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"eb:{\"value\":\"$ec\",\"format\":\"body_text\",\"processed\":\"$ed\"}\ne9:{\"drupal_internal__id\":501,\"drupal_internal__revision_id\":19217,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-02T16:39:14+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$ea\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$eb\"}\nf1:{\"drupal_internal__target_id\":\"page_section\"}\nf0:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$f1\"}\nf3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ce3ee98-23ca-4e7f-aba7-eb85e992ee97/paragraph_type?resourceVersion=id%3A19217\"}\nf4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ce3ee98-23ca-4e7f-aba7-eb85e992ee97/relationships/paragraph_type?resourceVersion=id%3A19217\"}\nf2:{\"related\":\"$f3\",\"self\":\"$f4\"}\nef:{\"data\":\"$f0\",\"links\":\"$f2\"}\nf7:{\"target_revision_id\":19216,\"drupal_internal__target_id\":2541}\nf6:{\"type\":\"paragraph--call_out_box\",\"id\":\"5c56be77-6e63-4713-80cb-8efc2966a029\",\"meta\":\"$f7\"}\nf9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ce3ee98-23ca-4e7f-aba7-eb85e992ee97/field_specialty_item?resourceVersion=id%3A19217\"}\nfa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ce3ee98-23ca-4e7f-aba7-eb85e992ee97/relationships/field_specialty_item?resourceVersion=id%3A19217\"}\nf8:{\"related\":\"$f9\",\"self\":\"$fa\"}\nf5:{\"data\":\"$f6\",\"links\":\"$f8\"}\nee:{\"paragraph_type\":\"$ef\",\"field_specialty_item\":\"$f5\"}\ne6:{\"type\":\"paragraph--page_section\",\"id\":\"9ce3ee98-23ca-4e7f-aba7-eb85e992ee97\",\"links\":\"$e7\",\"attributes\":\"$e9\",\"relationships\":\"$ee\"}\nfd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7b5e13a5-a70b-4570-8feb-183ff1d4fae9?resourceVersion=id%3A19218\"}\nfc:{\"self\":\"$fd\"}\nff:[]\n101:T14a9,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWho manages the PenTesting process?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWithin your team, the Information System Security Officer (ISSO), Cyber Risk Advisor (CRA), and the System/Business Owner are the primary individuals responsible for the management of the PenTesting process. The Penetration Testing Team assists in the process of uploading the required files to CFACTS once the test is complete.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe following actions are completed by ISSOs during the PenTesting process:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmails the PenTest mailbox to make the initial request for a PenTest\u003c/li\u003e\u003cli\u003eFills out the Penetration Testing Intake Form provided by the PenTest Coordinator\u0026nbsp;\u003c/li\u003e\u003cli\u003eParticipates in all meetings with the Penetration Testing Team\u003c/li\u003e\u003cli\u003eIn the event that the PenTest produces findings that warrant a \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e, the ISSO assists in the remediation process\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCyber Risk Advisor (CRA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CRA is responsible for the following portions of the PenTesting process:\u003c/p\u003e\u003cul\u003e\u003cli\u003eServes an information resource for the ISSO\u003c/li\u003e\u003cli\u003eWhen necessary, assists ISSO in the collection of system-specific information and materials\u0026nbsp;\u003c/li\u003e\u003cli\u003eConfirms that the final PenTest results have been accurately uploaded to \u003ca href=\"/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eSystem/Business Owner\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe System/Business Owner completes the following activities in support of PenTesting:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eParticipates in all meetings with the Penetration Testing Team\u0026nbsp;\u003c/li\u003e\u003cli\u003eWorks with the Penetration Testing team to discuss test results and the discovery of all findings\u003c/li\u003e\u003cli\u003eMitigates findings within one (1) week, focusing first on the highest risk findings\u003c/li\u003e\u003cli\u003eManages the POA\u0026amp;M process in the event of findings that warrant a POA\u0026amp;M\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003ePenetration Testing Team\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Penetration Testing Team is responsible for the following actions:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eResponds to the initial request from the ISSO or CRA\u0026nbsp;\u003c/li\u003e\u003cli\u003eSchedules kick-off meeting with the ISSO, CRA, System/Business Owner, and any Contractors to determine the scope of the Penetration Test\u003c/li\u003e\u003cli\u003eWorks with the System Team to determine how the system will be tested, an agreement that facilitates testing in a controlled manner that addresses potential and realized impacts on CMS operations while allowing for the most useful test results possible\u003c/li\u003e\u003cli\u003eCoordinates test timeline, scope, and strategy and documents a test plan\u003c/li\u003e\u003cli\u003eExecutes test activities based on the test plan\u003c/li\u003e\u003cli\u003eDelivers status updates during test execution\u003c/li\u003e\u003cli\u003eCategorizes, prioritizes, and reports on findings and recommendations for remediation\u003c/li\u003e\u003cli\u003eDebriefs and collaborates with the System Team on findings and recommendations\u003c/li\u003e\u003cli\u003eAssists the System Teams ISSO and CRA in creating the CAAT file that is uploaded to CFACTS\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eHow do I schedule a PenTest?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eScheduling your PenTest with the Penetration Testing Team is easy. Just follow these steps:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ISSO or CRA contacts the Penetration testing team via email to request a pentest. Please email the pentest team to obtain the most-up-to-date pentest request form.\u003c/li\u003e\u003cli\u003eThe ISSO or CRA fills out and submits the Word document intake form provided by the pentest team.\u003c/li\u003e\u003cli\u003eThe PenTest Coordinator works with the ISSO and project team to review the submitted intake form via email.\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe PenTest team arranges a meeting to discuss the process and inform the ISSO and System/Business Owner of what to expect.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eTo avoid delays, the project should contact a PenTest Coordinator to request the assessment at least 3 months before the \u003ca href=\"/learn/authorization-operate-ato\"\u003eATO\u003c/a\u003e deadline.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat are the results of PenTesting?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eImmediately following a PenTest, the following actions occur:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe PenTest team will notify the System Team of any issues. If an issue is not sufficiently resolved/mitigated within 5 days for critical and 25 days for all other, the team is issued a Plan of Action and Milestones (POA\u0026amp;M) to manage it\u003c/li\u003e\u003cli\u003eWhen the test results are finalized, the PenTest team uploads a completed CAAT spreadsheet to CFACTS and notifies all parties\u003c/li\u003e\u003cli\u003eThe CISO mailbox is also notified that the CAAT spreadsheet is complete and available on CFACTS\u003c/li\u003e\u003cli\u003eAfter positive identification of security assessment, all findings/ weaknesses must be documented in a POA\u0026amp;M and remediated/ mitigated within the following remediation timelines:\u003cul\u003e\u003cli\u003eCritical within 15 calendar days\u003c/li\u003e\u003cli\u003eHigh 30 days\u003c/li\u003e\u003cli\u003eModerate within 90 days\u003c/li\u003e\u003cli\u003eLow within 365 days\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ePlease note that, per the \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risks and Safeguards (ARS)\u003c/a\u003e, System Owners must, “Correct identified security-related information system flaws on production equipment within 5 days (5) business days for critical and all others within (25) calendar days.”\u003c/p\u003e"])</script><script>self.__next_f.push([1,"102:T14a9,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWho manages the PenTesting process?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWithin your team, the Information System Security Officer (ISSO), Cyber Risk Advisor (CRA), and the System/Business Owner are the primary individuals responsible for the management of the PenTesting process. The Penetration Testing Team assists in the process of uploading the required files to CFACTS once the test is complete.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe following actions are completed by ISSOs during the PenTesting process:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmails the PenTest mailbox to make the initial request for a PenTest\u003c/li\u003e\u003cli\u003eFills out the Penetration Testing Intake Form provided by the PenTest Coordinator\u0026nbsp;\u003c/li\u003e\u003cli\u003eParticipates in all meetings with the Penetration Testing Team\u003c/li\u003e\u003cli\u003eIn the event that the PenTest produces findings that warrant a \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e, the ISSO assists in the remediation process\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCyber Risk Advisor (CRA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CRA is responsible for the following portions of the PenTesting process:\u003c/p\u003e\u003cul\u003e\u003cli\u003eServes an information resource for the ISSO\u003c/li\u003e\u003cli\u003eWhen necessary, assists ISSO in the collection of system-specific information and materials\u0026nbsp;\u003c/li\u003e\u003cli\u003eConfirms that the final PenTest results have been accurately uploaded to \u003ca href=\"/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eSystem/Business Owner\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe System/Business Owner completes the following activities in support of PenTesting:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eParticipates in all meetings with the Penetration Testing Team\u0026nbsp;\u003c/li\u003e\u003cli\u003eWorks with the Penetration Testing team to discuss test results and the discovery of all findings\u003c/li\u003e\u003cli\u003eMitigates findings within one (1) week, focusing first on the highest risk findings\u003c/li\u003e\u003cli\u003eManages the POA\u0026amp;M process in the event of findings that warrant a POA\u0026amp;M\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003ePenetration Testing Team\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Penetration Testing Team is responsible for the following actions:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eResponds to the initial request from the ISSO or CRA\u0026nbsp;\u003c/li\u003e\u003cli\u003eSchedules kick-off meeting with the ISSO, CRA, System/Business Owner, and any Contractors to determine the scope of the Penetration Test\u003c/li\u003e\u003cli\u003eWorks with the System Team to determine how the system will be tested, an agreement that facilitates testing in a controlled manner that addresses potential and realized impacts on CMS operations while allowing for the most useful test results possible\u003c/li\u003e\u003cli\u003eCoordinates test timeline, scope, and strategy and documents a test plan\u003c/li\u003e\u003cli\u003eExecutes test activities based on the test plan\u003c/li\u003e\u003cli\u003eDelivers status updates during test execution\u003c/li\u003e\u003cli\u003eCategorizes, prioritizes, and reports on findings and recommendations for remediation\u003c/li\u003e\u003cli\u003eDebriefs and collaborates with the System Team on findings and recommendations\u003c/li\u003e\u003cli\u003eAssists the System Teams ISSO and CRA in creating the CAAT file that is uploaded to CFACTS\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eHow do I schedule a PenTest?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eScheduling your PenTest with the Penetration Testing Team is easy. Just follow these steps:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ISSO or CRA contacts the Penetration testing team via email to request a pentest. Please email the pentest team to obtain the most-up-to-date pentest request form.\u003c/li\u003e\u003cli\u003eThe ISSO or CRA fills out and submits the Word document intake form provided by the pentest team.\u003c/li\u003e\u003cli\u003eThe PenTest Coordinator works with the ISSO and project team to review the submitted intake form via email.\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe PenTest team arranges a meeting to discuss the process and inform the ISSO and System/Business Owner of what to expect.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eTo avoid delays, the project should contact a PenTest Coordinator to request the assessment at least 3 months before the \u003ca href=\"/learn/authorization-operate-ato\"\u003eATO\u003c/a\u003e deadline.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat are the results of PenTesting?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eImmediately following a PenTest, the following actions occur:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe PenTest team will notify the System Team of any issues. If an issue is not sufficiently resolved/mitigated within 5 days for critical and 25 days for all other, the team is issued a Plan of Action and Milestones (POA\u0026amp;M) to manage it\u003c/li\u003e\u003cli\u003eWhen the test results are finalized, the PenTest team uploads a completed CAAT spreadsheet to CFACTS and notifies all parties\u003c/li\u003e\u003cli\u003eThe CISO mailbox is also notified that the CAAT spreadsheet is complete and available on CFACTS\u003c/li\u003e\u003cli\u003eAfter positive identification of security assessment, all findings/ weaknesses must be documented in a POA\u0026amp;M and remediated/ mitigated within the following remediation timelines:\u003cul\u003e\u003cli\u003eCritical within 15 calendar days\u003c/li\u003e\u003cli\u003eHigh 30 days\u003c/li\u003e\u003cli\u003eModerate within 90 days\u003c/li\u003e\u003cli\u003eLow within 365 days\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ePlease note that, per the \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risks and Safeguards (ARS)\u003c/a\u003e, System Owners must, “Correct identified security-related information system flaws on production equipment within 5 days (5) business days for critical and all others within (25) calendar days.”\u003c/p\u003e"])</script><script>self.__next_f.push([1,"100:{\"value\":\"$101\",\"format\":\"body_text\",\"processed\":\"$102\"}\nfe:{\"drupal_internal__id\":2546,\"drupal_internal__revision_id\":19218,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-14T13:16:04+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$ff\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$100\"}\n106:{\"drupal_internal__target_id\":\"page_section\"}\n105:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$106\"}\n108:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7b5e13a5-a70b-4570-8feb-183ff1d4fae9/paragraph_type?resourceVersion=id%3A19218\"}\n109:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7b5e13a5-a70b-4570-8feb-183ff1d4fae9/relationships/paragraph_type?resourceVersion=id%3A19218\"}\n107:{\"related\":\"$108\",\"self\":\"$109\"}\n104:{\"data\":\"$105\",\"links\":\"$107\"}\n10c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7b5e13a5-a70b-4570-8feb-183ff1d4fae9/field_specialty_item?resourceVersion=id%3A19218\"}\n10d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7b5e13a5-a70b-4570-8feb-183ff1d4fae9/relationships/field_specialty_item?resourceVersion=id%3A19218\"}\n10b:{\"related\":\"$10c\",\"self\":\"$10d\"}\n10a:{\"data\":null,\"links\":\"$10b\"}\n103:{\"paragraph_type\":\"$104\",\"field_specialty_item\":\"$10a\"}\nfb:{\"type\":\"paragraph--page_section\",\"id\":\"7b5e13a5-a70b-4570-8feb-183ff1d4fae9\",\"links\":\"$fc\",\"attributes\":\"$fe\",\"relationships\":\"$103\"}\n110:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/5c56be77-6e63-4713-80cb-8efc2966a029?resourceVersion=id%3A19216\"}\n10f:{\"self\":\"$110\"}\n112:[]\n114:[]\n113:{\"uri\":\"mailto:cmspentestmanagement@cms.hhs.gov\",\"title\":\"\",\"options\":\"$114\",\"url\":\"mailto:cmspentestmanagement@cms.hhs.gov\"}\n115:{\"value\":\"* Contact the CMS Penetration Testing Team to schedule your system's PenTest today. Please email the PenTest team to obtain the most-up-to-date pentest request form.\",\"format\":\"plain_text\",\"processed\":\"\u003c"])</script><script>self.__next_f.push([1,"p\u003e* Contact the CMS Penetration Testing Team to schedule your system\u0026#039;s PenTest today. Please email the PenTest team to obtain the most-up-to-date pentest request form.\u003c/p\u003e\\n\"}\n111:{\"drupal_internal__id\":2541,\"drupal_internal__revision_id\":19216,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-14T13:16:46+00:00\",\"parent_id\":\"501\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$112\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":\"$113\",\"field_call_out_link_text\":\"Email the team\",\"field_call_out_text\":\"$115\",\"field_header\":\"Schedule your PenTest\"}\n119:{\"drupal_internal__target_id\":\"call_out_box\"}\n118:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$119\"}\n11b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/5c56be77-6e63-4713-80cb-8efc2966a029/paragraph_type?resourceVersion=id%3A19216\"}\n11c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/5c56be77-6e63-4713-80cb-8efc2966a029/relationships/paragraph_type?resourceVersion=id%3A19216\"}\n11a:{\"related\":\"$11b\",\"self\":\"$11c\"}\n117:{\"data\":\"$118\",\"links\":\"$11a\"}\n116:{\"paragraph_type\":\"$117\"}\n10e:{\"type\":\"paragraph--call_out_box\",\"id\":\"5c56be77-6e63-4713-80cb-8efc2966a029\",\"links\":\"$10f\",\"attributes\":\"$111\",\"relationships\":\"$116\"}\n11f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7c47ed1-07a0-4487-8538-27c56a8e48d2?resourceVersion=id%3A19219\"}\n11e:{\"self\":\"$11f\"}\n121:[]\n120:{\"drupal_internal__id\":2021,\"drupal_internal__revision_id\":19219,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:09:59+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$121\",\"default_langcode\":true,\"revision_translation_affected\":true}\n125:{\"drupal_internal__target_id\":\"internal_link\"}\n124:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$125\"}\n127:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal"])</script><script>self.__next_f.push([1,"_link/a7c47ed1-07a0-4487-8538-27c56a8e48d2/paragraph_type?resourceVersion=id%3A19219\"}\n128:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7c47ed1-07a0-4487-8538-27c56a8e48d2/relationships/paragraph_type?resourceVersion=id%3A19219\"}\n126:{\"related\":\"$127\",\"self\":\"$128\"}\n123:{\"data\":\"$124\",\"links\":\"$126\"}\n12b:{\"drupal_internal__target_id\":206}\n12a:{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"meta\":\"$12b\"}\n12d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7c47ed1-07a0-4487-8538-27c56a8e48d2/field_link?resourceVersion=id%3A19219\"}\n12e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7c47ed1-07a0-4487-8538-27c56a8e48d2/relationships/field_link?resourceVersion=id%3A19219\"}\n12c:{\"related\":\"$12d\",\"self\":\"$12e\"}\n129:{\"data\":\"$12a\",\"links\":\"$12c\"}\n122:{\"paragraph_type\":\"$123\",\"field_link\":\"$129\"}\n11d:{\"type\":\"paragraph--internal_link\",\"id\":\"a7c47ed1-07a0-4487-8538-27c56a8e48d2\",\"links\":\"$11e\",\"attributes\":\"$120\",\"relationships\":\"$122\"}\n131:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44807064-0310-448f-8f66-09ee2ff9b17d?resourceVersion=id%3A19220\"}\n130:{\"self\":\"$131\"}\n133:[]\n132:{\"drupal_internal__id\":2026,\"drupal_internal__revision_id\":19220,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:10:52+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$133\",\"default_langcode\":true,\"revision_translation_affected\":true}\n137:{\"drupal_internal__target_id\":\"internal_link\"}\n136:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$137\"}\n139:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44807064-0310-448f-8f66-09ee2ff9b17d/paragraph_type?resourceVersion=id%3A19220\"}\n13a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44807064-0310-448f-8f66-09ee2ff9b17d/relationships/paragraph_type?resourceVersion=id%3A19220\"}\n138:{\"related\":\"$139\",\"self\":\"$13a\"}\n135:{\"data\":\"$136\",\"links\":\"$138\""])</script><script>self.__next_f.push([1,"}\n13d:{\"drupal_internal__target_id\":201}\n13c:{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"meta\":\"$13d\"}\n13f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44807064-0310-448f-8f66-09ee2ff9b17d/field_link?resourceVersion=id%3A19220\"}\n140:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44807064-0310-448f-8f66-09ee2ff9b17d/relationships/field_link?resourceVersion=id%3A19220\"}\n13e:{\"related\":\"$13f\",\"self\":\"$140\"}\n13b:{\"data\":\"$13c\",\"links\":\"$13e\"}\n134:{\"paragraph_type\":\"$135\",\"field_link\":\"$13b\"}\n12f:{\"type\":\"paragraph--internal_link\",\"id\":\"44807064-0310-448f-8f66-09ee2ff9b17d\",\"links\":\"$130\",\"attributes\":\"$132\",\"relationships\":\"$134\"}\n143:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb?resourceVersion=id%3A19221\"}\n142:{\"self\":\"$143\"}\n145:[]\n144:{\"drupal_internal__id\":2031,\"drupal_internal__revision_id\":19221,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:10:59+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$145\",\"default_langcode\":true,\"revision_translation_affected\":true}\n149:{\"drupal_internal__target_id\":\"internal_link\"}\n148:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$149\"}\n14b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb/paragraph_type?resourceVersion=id%3A19221\"}\n14c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb/relationships/paragraph_type?resourceVersion=id%3A19221\"}\n14a:{\"related\":\"$14b\",\"self\":\"$14c\"}\n147:{\"data\":\"$148\",\"links\":\"$14a\"}\n14f:{\"drupal_internal__target_id\":261}\n14e:{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"meta\":\"$14f\"}\n151:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb/field_link?resourceVersion=id%3A19221\"}\n152:{\"href\":\"https://cybergeek.cms.gov/jsonap"])</script><script>self.__next_f.push([1,"i/paragraph/internal_link/825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb/relationships/field_link?resourceVersion=id%3A19221\"}\n150:{\"related\":\"$151\",\"self\":\"$152\"}\n14d:{\"data\":\"$14e\",\"links\":\"$150\"}\n146:{\"paragraph_type\":\"$147\",\"field_link\":\"$14d\"}\n141:{\"type\":\"paragraph--internal_link\",\"id\":\"825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb\",\"links\":\"$142\",\"attributes\":\"$144\",\"relationships\":\"$146\"}\n155:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d631ecf-4c48-46d2-b8f2-5db69fd03245?resourceVersion=id%3A19222\"}\n154:{\"self\":\"$155\"}\n157:[]\n156:{\"drupal_internal__id\":2036,\"drupal_internal__revision_id\":19222,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:11:10+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$157\",\"default_langcode\":true,\"revision_translation_affected\":true}\n15b:{\"drupal_internal__target_id\":\"internal_link\"}\n15a:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$15b\"}\n15d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d631ecf-4c48-46d2-b8f2-5db69fd03245/paragraph_type?resourceVersion=id%3A19222\"}\n15e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d631ecf-4c48-46d2-b8f2-5db69fd03245/relationships/paragraph_type?resourceVersion=id%3A19222\"}\n15c:{\"related\":\"$15d\",\"self\":\"$15e\"}\n159:{\"data\":\"$15a\",\"links\":\"$15c\"}\n161:{\"drupal_internal__target_id\":396}\n160:{\"type\":\"node--explainer\",\"id\":\"6586d174-482d-43d2-9d86-2f0a42dc8a81\",\"meta\":\"$161\"}\n163:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d631ecf-4c48-46d2-b8f2-5db69fd03245/field_link?resourceVersion=id%3A19222\"}\n164:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d631ecf-4c48-46d2-b8f2-5db69fd03245/relationships/field_link?resourceVersion=id%3A19222\"}\n162:{\"related\":\"$163\",\"self\":\"$164\"}\n15f:{\"data\":\"$160\",\"links\":\"$162\"}\n158:{\"paragraph_type\":\"$159\",\"field_link\":\"$15f\"}\n153:{\"type\":\"paragraph--internal_link\",\"id\":\"8d631ecf-4c48-46d2-b8f2-5db69fd03245\",\""])</script><script>self.__next_f.push([1,"links\":\"$154\",\"attributes\":\"$156\",\"relationships\":\"$158\"}\n167:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2121533f-ed8e-4292-81c3-c9c5f3b88c42?resourceVersion=id%3A19223\"}\n166:{\"self\":\"$167\"}\n169:[]\n168:{\"drupal_internal__id\":3388,\"drupal_internal__revision_id\":19223,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-07-08T14:22:10+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$169\",\"default_langcode\":true,\"revision_translation_affected\":true}\n16d:{\"drupal_internal__target_id\":\"internal_link\"}\n16c:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$16d\"}\n16f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2121533f-ed8e-4292-81c3-c9c5f3b88c42/paragraph_type?resourceVersion=id%3A19223\"}\n170:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2121533f-ed8e-4292-81c3-c9c5f3b88c42/relationships/paragraph_type?resourceVersion=id%3A19223\"}\n16e:{\"related\":\"$16f\",\"self\":\"$170\"}\n16b:{\"data\":\"$16c\",\"links\":\"$16e\"}\n173:{\"drupal_internal__target_id\":256}\n172:{\"type\":\"node--explainer\",\"id\":\"79350126-ac6b-4afd-8fb7-f5814702ddb2\",\"meta\":\"$173\"}\n175:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2121533f-ed8e-4292-81c3-c9c5f3b88c42/field_link?resourceVersion=id%3A19223\"}\n176:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2121533f-ed8e-4292-81c3-c9c5f3b88c42/relationships/field_link?resourceVersion=id%3A19223\"}\n174:{\"related\":\"$175\",\"self\":\"$176\"}\n171:{\"data\":\"$172\",\"links\":\"$174\"}\n16a:{\"paragraph_type\":\"$16b\",\"field_link\":\"$171\"}\n165:{\"type\":\"paragraph--internal_link\",\"id\":\"2121533f-ed8e-4292-81c3-c9c5f3b88c42\",\"links\":\"$166\",\"attributes\":\"$168\",\"relationships\":\"$16a\"}\n179:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e3a2533a-0128-4439-8ca5-a56210aa267e?resourceVersion=id%3A19224\"}\n178:{\"self\":\"$179\"}\n17b:[]\n17a:{\"drupal_internal__id\":3389,\"drupal_internal__revision_id\":19224,\"langcode\":\"en\",\"status\":true,\"c"])</script><script>self.__next_f.push([1,"reated\":\"2023-07-08T14:22:35+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$17b\",\"default_langcode\":true,\"revision_translation_affected\":true}\n17f:{\"drupal_internal__target_id\":\"internal_link\"}\n17e:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$17f\"}\n181:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e3a2533a-0128-4439-8ca5-a56210aa267e/paragraph_type?resourceVersion=id%3A19224\"}\n182:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e3a2533a-0128-4439-8ca5-a56210aa267e/relationships/paragraph_type?resourceVersion=id%3A19224\"}\n180:{\"related\":\"$181\",\"self\":\"$182\"}\n17d:{\"data\":\"$17e\",\"links\":\"$180\"}\n185:{\"drupal_internal__target_id\":1117}\n184:{\"type\":\"node--blog\",\"id\":\"ad85d9c2-1286-4564-90a1-f8dfba013c3f\",\"meta\":\"$185\"}\n187:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e3a2533a-0128-4439-8ca5-a56210aa267e/field_link?resourceVersion=id%3A19224\"}\n188:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e3a2533a-0128-4439-8ca5-a56210aa267e/relationships/field_link?resourceVersion=id%3A19224\"}\n186:{\"related\":\"$187\",\"self\":\"$188\"}\n183:{\"data\":\"$184\",\"links\":\"$186\"}\n17c:{\"paragraph_type\":\"$17d\",\"field_link\":\"$183\"}\n177:{\"type\":\"paragraph--internal_link\",\"id\":\"e3a2533a-0128-4439-8ca5-a56210aa267e\",\"links\":\"$178\",\"attributes\":\"$17a\",\"relationships\":\"$17c\"}\n18b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2?resourceVersion=id%3A5737\"}\n18a:{\"self\":\"$18b\"}\n18d:{\"alias\":\"/learn/authorization-operate-ato\",\"pid\":196,\"langcode\":\"en\"}\n18e:{\"value\":\"Testing and documenting system security and compliance to gain approval to operate the system at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting and documenting system security and compliance to gain approval to operate the system at CMS\u003c/p\u003e\\n\"}\n18f:[\"#cra-help\"]\n18c:{\"drupal_internal__nid\":206,\"drupal_internal__vid\":5737,\"langcode\":\"en\",\"revision_tim"])</script><script>self.__next_f.push([1,"estamp\":\"2024-07-31T17:37:48+00:00\",\"status\":true,\"title\":\"Authorization to Operate (ATO)\",\"created\":\"2022-08-25T19:06:37+00:00\",\"changed\":\"2024-07-31T17:37:48+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$18d\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":\"$18e\",\"field_slack_channel\":\"$18f\"}\n193:{\"drupal_internal__target_id\":\"explainer\"}\n192:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$193\"}\n195:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/node_type?resourceVersion=id%3A5737\"}\n196:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/node_type?resourceVersion=id%3A5737\"}\n194:{\"related\":\"$195\",\"self\":\"$196\"}\n191:{\"data\":\"$192\",\"links\":\"$194\"}\n199:{\"drupal_internal__target_id\":6}\n198:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$199\"}\n19b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/revision_uid?resourceVersion=id%3A5737\"}\n19c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/revision_uid?resourceVersion=id%3A5737\"}\n19a:{\"related\":\"$19b\",\"self\":\"$19c\"}\n197:{\"data\":\"$198\",\"links\":\"$19a\"}\n19f:{\"drupal_internal__target_id\":26}\n19e:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$19f\"}\n1a1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/uid?resourceVersion=id%3A5737\"}\n1a2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/uid?resourceVersion=id%3A5737\"}\n1a0:{\"related\":\"$1a1\",\"self\":\"$1a2\"}\n19d:{\"data\":\"$19e\",\"links\":\""])</script><script>self.__next_f.push([1,"$1a0\"}\n1a6:{\"target_revision_id\":18928,\"drupal_internal__target_id\":711}\n1a5:{\"type\":\"paragraph--page_section\",\"id\":\"d94629f9-9668-41dd-bce7-a4f267239c07\",\"meta\":\"$1a6\"}\n1a8:{\"target_revision_id\":18929,\"drupal_internal__target_id\":736}\n1a7:{\"type\":\"paragraph--page_section\",\"id\":\"243e2d3f-f903-438c-8b1f-aee53390b1df\",\"meta\":\"$1a8\"}\n1a4:[\"$1a5\",\"$1a7\"]\n1aa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_page_section?resourceVersion=id%3A5737\"}\n1ab:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_page_section?resourceVersion=id%3A5737\"}\n1a9:{\"related\":\"$1aa\",\"self\":\"$1ab\"}\n1a3:{\"data\":\"$1a4\",\"links\":\"$1a9\"}\n1af:{\"target_revision_id\":18930,\"drupal_internal__target_id\":3376}\n1ae:{\"type\":\"paragraph--internal_link\",\"id\":\"6f904ac4-c80e-47d9-b786-ee79256befed\",\"meta\":\"$1af\"}\n1b1:{\"target_revision_id\":18931,\"drupal_internal__target_id\":1306}\n1b0:{\"type\":\"paragraph--internal_link\",\"id\":\"e20959d7-2a7b-4a01-b985-cfa5363233f5\",\"meta\":\"$1b1\"}\n1b3:{\"target_revision_id\":18932,\"drupal_internal__target_id\":1316}\n1b2:{\"type\":\"paragraph--internal_link\",\"id\":\"dba9b926-f657-43ce-bc94-0a2d803430c6\",\"meta\":\"$1b3\"}\n1b5:{\"target_revision_id\":18933,\"drupal_internal__target_id\":2521}\n1b4:{\"type\":\"paragraph--internal_link\",\"id\":\"44f7083e-9341-42a5-85dc-a9043cdccdce\",\"meta\":\"$1b5\"}\n1b7:{\"target_revision_id\":18934,\"drupal_internal__target_id\":3444}\n1b6:{\"type\":\"paragraph--internal_link\",\"id\":\"bd0366d9-64ce-401f-9453-bf38aa8054a1\",\"meta\":\"$1b7\"}\n1ad:[\"$1ae\",\"$1b0\",\"$1b2\",\"$1b4\",\"$1b6\"]\n1b9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_related_collection?resourceVersion=id%3A5737\"}\n1ba:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_related_collection?resourceVersion=id%3A5737\"}\n1b8:{\"related\":\"$1b9\",\"self\":\"$1ba\"}\n1ac:{\"data\":\"$1ad\",\"links\":\"$1b8\"}\n1bd:{\"drupal_internal__target_id\":131}\n1bc:{\"type\":\"taxonomy_"])</script><script>self.__next_f.push([1,"term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$1bd\"}\n1bf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_resource_type?resourceVersion=id%3A5737\"}\n1c0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_resource_type?resourceVersion=id%3A5737\"}\n1be:{\"related\":\"$1bf\",\"self\":\"$1c0\"}\n1bb:{\"data\":\"$1bc\",\"links\":\"$1be\"}\n1c4:{\"drupal_internal__target_id\":66}\n1c3:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$1c4\"}\n1c6:{\"drupal_internal__target_id\":61}\n1c5:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$1c6\"}\n1c8:{\"drupal_internal__target_id\":76}\n1c7:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$1c8\"}\n1c2:[\"$1c3\",\"$1c5\",\"$1c7\"]\n1ca:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_roles?resourceVersion=id%3A5737\"}\n1cb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_roles?resourceVersion=id%3A5737\"}\n1c9:{\"related\":\"$1ca\",\"self\":\"$1cb\"}\n1c1:{\"data\":\"$1c2\",\"links\":\"$1c9\"}\n1cf:{\"drupal_internal__target_id\":11}\n1ce:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$1cf\"}\n1cd:[\"$1ce\"]\n1d1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_topics?resourceVersion=id%3A5737\"}\n1d2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_topics?resourceVersion=id%3A5737\"}\n1d0:{\"related\":\"$1d1\",\"self\":\"$1d2\"}\n1cc:{\"data\":\"$1cd\",\"links\":\"$1d0\"}\n190:{\"node_type\":\"$191\",\"revision_uid\":\"$197\",\"uid\":\"$19d\",\"field_page_section\":\"$1a3\",\"field_related_collection\":\"$1ac\",\"field_resource_type\":\"$1bb\",\"field_roles\":\"$1c1\",\"field_topics\":\"$1cc\"}\n189:{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"links\":\"$18a\",\"attri"])</script><script>self.__next_f.push([1,"butes\":\"$18c\",\"relationships\":\"$190\"}\n1d5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320?resourceVersion=id%3A5941\"}\n1d4:{\"self\":\"$1d5\"}\n1d7:{\"alias\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"pid\":191,\"langcode\":\"en\"}\n1d8:{\"value\":\"A streamlined risk-based control(s) testing methodology designed to relieve operational burden.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA streamlined risk-based control(s) testing methodology designed to relieve operational burden.\u003c/p\u003e\\n\"}\n1d9:[]\n1d6:{\"drupal_internal__nid\":201,\"drupal_internal__vid\":5941,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-17T14:04:35+00:00\",\"status\":true,\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"created\":\"2022-08-25T18:58:52+00:00\",\"changed\":\"2024-10-07T20:27:11+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1d7\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CSRAP@cms.hhs.gov\",\"field_contact_name\":\"CSRAP Team\",\"field_short_description\":\"$1d8\",\"field_slack_channel\":\"$1d9\"}\n1dd:{\"drupal_internal__target_id\":\"explainer\"}\n1dc:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$1dd\"}\n1df:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/node_type?resourceVersion=id%3A5941\"}\n1e0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/node_type?resourceVersion=id%3A5941\"}\n1de:{\"related\":\"$1df\",\"self\":\"$1e0\"}\n1db:{\"data\":\"$1dc\",\"links\":\"$1de\"}\n1e3:{\"drupal_internal__target_id\":95}\n1e2:{\"type\":\"user--user\",\"id\":\"39240c69-3096-49cd-a07c-3843b6c48c5f\",\"meta\":\"$1e3\"}\n1e5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/revision_uid?resourceVersion=id%3A5941\"}\n1e6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/"])</script><script>self.__next_f.push([1,"node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/revision_uid?resourceVersion=id%3A5941\"}\n1e4:{\"related\":\"$1e5\",\"self\":\"$1e6\"}\n1e1:{\"data\":\"$1e2\",\"links\":\"$1e4\"}\n1e9:{\"drupal_internal__target_id\":26}\n1e8:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$1e9\"}\n1eb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/uid?resourceVersion=id%3A5941\"}\n1ec:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/uid?resourceVersion=id%3A5941\"}\n1ea:{\"related\":\"$1eb\",\"self\":\"$1ec\"}\n1e7:{\"data\":\"$1e8\",\"links\":\"$1ea\"}\n1f0:{\"target_revision_id\":19433,\"drupal_internal__target_id\":3501}\n1ef:{\"type\":\"paragraph--page_section\",\"id\":\"f36fb6d1-0795-400f-8a15-36d1979118b0\",\"meta\":\"$1f0\"}\n1f2:{\"target_revision_id\":19434,\"drupal_internal__target_id\":611}\n1f1:{\"type\":\"paragraph--page_section\",\"id\":\"eb5b28d8-8825-43c5-a889-513068f48fd8\",\"meta\":\"$1f2\"}\n1f4:{\"target_revision_id\":19435,\"drupal_internal__target_id\":651}\n1f3:{\"type\":\"paragraph--page_section\",\"id\":\"269aaf52-85f1-411f-a67e-e9d9ad620d8a\",\"meta\":\"$1f4\"}\n1f6:{\"target_revision_id\":19442,\"drupal_internal__target_id\":3502}\n1f5:{\"type\":\"paragraph--page_section\",\"id\":\"3a3615ff-9d53-40d6-8291-fd4516dbc893\",\"meta\":\"$1f6\"}\n1f8:{\"target_revision_id\":19443,\"drupal_internal__target_id\":3503}\n1f7:{\"type\":\"paragraph--page_section\",\"id\":\"cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa\",\"meta\":\"$1f8\"}\n1fa:{\"target_revision_id\":19444,\"drupal_internal__target_id\":3504}\n1f9:{\"type\":\"paragraph--page_section\",\"id\":\"a46d03b7-7478-40f1-a7da-3171ffcfaa2d\",\"meta\":\"$1fa\"}\n1ee:[\"$1ef\",\"$1f1\",\"$1f3\",\"$1f5\",\"$1f7\",\"$1f9\"]\n1fc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_page_section?resourceVersion=id%3A5941\"}\n1fd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_page_section?resourceVersion=id%3A5941\"}\n1fb:{\"related\":\"$1fc\",\"self\":\"$1fd\"}\n1ed:{\"data\":\"$1ee\",\"links\""])</script><script>self.__next_f.push([1,":\"$1fb\"}\n201:{\"target_revision_id\":19445,\"drupal_internal__target_id\":656}\n200:{\"type\":\"paragraph--internal_link\",\"id\":\"28dbad4c-79e6-4f83-bc5e-965ba6aa4926\",\"meta\":\"$201\"}\n203:{\"target_revision_id\":19446,\"drupal_internal__target_id\":661}\n202:{\"type\":\"paragraph--internal_link\",\"id\":\"9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2\",\"meta\":\"$203\"}\n205:{\"target_revision_id\":19447,\"drupal_internal__target_id\":671}\n204:{\"type\":\"paragraph--internal_link\",\"id\":\"77c203ce-2da8-4200-986c-1093acc2ff5a\",\"meta\":\"$205\"}\n207:{\"target_revision_id\":19448,\"drupal_internal__target_id\":676}\n206:{\"type\":\"paragraph--internal_link\",\"id\":\"50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a\",\"meta\":\"$207\"}\n209:{\"target_revision_id\":19449,\"drupal_internal__target_id\":681}\n208:{\"type\":\"paragraph--internal_link\",\"id\":\"c4a332dc-02ea-48f6-9c08-c12ca06e62b5\",\"meta\":\"$209\"}\n20b:{\"target_revision_id\":19450,\"drupal_internal__target_id\":3505}\n20a:{\"type\":\"paragraph--internal_link\",\"id\":\"5cc61db4-e2f7-43ad-b914-3661d73886e9\",\"meta\":\"$20b\"}\n1ff:[\"$200\",\"$202\",\"$204\",\"$206\",\"$208\",\"$20a\"]\n20d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_related_collection?resourceVersion=id%3A5941\"}\n20e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_related_collection?resourceVersion=id%3A5941\"}\n20c:{\"related\":\"$20d\",\"self\":\"$20e\"}\n1fe:{\"data\":\"$1ff\",\"links\":\"$20c\"}\n211:{\"drupal_internal__target_id\":121}\n210:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$211\"}\n213:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_resource_type?resourceVersion=id%3A5941\"}\n214:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_resource_type?resourceVersion=id%3A5941\"}\n212:{\"related\":\"$213\",\"self\":\"$214\"}\n20f:{\"data\":\"$210\",\"links\":\"$212\"}\n218:{\"drupal_internal__target_id\":66}\n217:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45"])</script><script>self.__next_f.push([1,"fb-973e-dffe50c27da5\",\"meta\":\"$218\"}\n21a:{\"drupal_internal__target_id\":61}\n219:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$21a\"}\n21c:{\"drupal_internal__target_id\":76}\n21b:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$21c\"}\n216:[\"$217\",\"$219\",\"$21b\"]\n21e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_roles?resourceVersion=id%3A5941\"}\n21f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_roles?resourceVersion=id%3A5941\"}\n21d:{\"related\":\"$21e\",\"self\":\"$21f\"}\n215:{\"data\":\"$216\",\"links\":\"$21d\"}\n223:{\"drupal_internal__target_id\":6}\n222:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":\"$223\"}\n225:{\"drupal_internal__target_id\":36}\n224:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$225\"}\n221:[\"$222\",\"$224\"]\n227:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_topics?resourceVersion=id%3A5941\"}\n228:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_topics?resourceVersion=id%3A5941\"}\n226:{\"related\":\"$227\",\"self\":\"$228\"}\n220:{\"data\":\"$221\",\"links\":\"$226\"}\n1da:{\"node_type\":\"$1db\",\"revision_uid\":\"$1e1\",\"uid\":\"$1e7\",\"field_page_section\":\"$1ed\",\"field_related_collection\":\"$1fe\",\"field_resource_type\":\"$20f\",\"field_roles\":\"$215\",\"field_topics\":\"$220\"}\n1d3:{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"links\":\"$1d4\",\"attributes\":\"$1d6\",\"relationships\":\"$1da\"}\n22b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b?resourceVersion=id%3A5999\"}\n22a:{\"self\":\"$22b\"}\n22d:{\"alias\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"pid\":251,\"langcode\":\"en\"}\n22e:{\"value\":\"CFACTS is a CMS database that tracks application security deficiencies and POA\u0026Ms, and supports the ATO process\",\"format\":\"p"])</script><script>self.__next_f.push([1,"lain_text\",\"processed\":\"\u003cp\u003eCFACTS is a CMS database that tracks application security deficiencies and POA\u0026amp;Ms, and supports the ATO process\u003c/p\u003e\\n\"}\n22f:[\"#cfacts_community\"]\n22c:{\"drupal_internal__nid\":261,\"drupal_internal__vid\":5999,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-05T18:41:37+00:00\",\"status\":true,\"title\":\"CMS FISMA Continuous Tracking System (CFACTS)\",\"created\":\"2022-08-26T14:57:02+00:00\",\"changed\":\"2024-12-05T18:41:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$22d\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ciso@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team \",\"field_short_description\":\"$22e\",\"field_slack_channel\":\"$22f\"}\n233:{\"drupal_internal__target_id\":\"explainer\"}\n232:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$233\"}\n235:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/node_type?resourceVersion=id%3A5999\"}\n236:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/node_type?resourceVersion=id%3A5999\"}\n234:{\"related\":\"$235\",\"self\":\"$236\"}\n231:{\"data\":\"$232\",\"links\":\"$234\"}\n239:{\"drupal_internal__target_id\":159}\n238:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":\"$239\"}\n23b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/revision_uid?resourceVersion=id%3A5999\"}\n23c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/revision_uid?resourceVersion=id%3A5999\"}\n23a:{\"related\":\"$23b\",\"self\":\"$23c\"}\n237:{\"data\":\"$238\",\"links\":\"$23a\"}\n23f:{\"drupal_internal__target_id\":26}\n23e:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$23f\"}\n241:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/"])</script><script>self.__next_f.push([1,"de0901ae-4ea5-491c-badd-90a32da3989b/uid?resourceVersion=id%3A5999\"}\n242:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/uid?resourceVersion=id%3A5999\"}\n240:{\"related\":\"$241\",\"self\":\"$242\"}\n23d:{\"data\":\"$23e\",\"links\":\"$240\"}\n246:{\"target_revision_id\":19655,\"drupal_internal__target_id\":2101}\n245:{\"type\":\"paragraph--page_section\",\"id\":\"963db416-cca0-421d-8c3e-40c8e2ce190f\",\"meta\":\"$246\"}\n248:{\"target_revision_id\":19660,\"drupal_internal__target_id\":446}\n247:{\"type\":\"paragraph--page_section\",\"id\":\"9b87eb1d-cb43-472b-9b5b-8618d2688563\",\"meta\":\"$248\"}\n24a:{\"target_revision_id\":19666,\"drupal_internal__target_id\":1781}\n249:{\"type\":\"paragraph--page_section\",\"id\":\"122a8de9-c38d-492b-bc93-b43b270f2933\",\"meta\":\"$24a\"}\n24c:{\"target_revision_id\":19667,\"drupal_internal__target_id\":3468}\n24b:{\"type\":\"paragraph--page_section\",\"id\":\"594617c8-824a-4962-aa08-fdf8dd4677fb\",\"meta\":\"$24c\"}\n244:[\"$245\",\"$247\",\"$249\",\"$24b\"]\n24e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_page_section?resourceVersion=id%3A5999\"}\n24f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_page_section?resourceVersion=id%3A5999\"}\n24d:{\"related\":\"$24e\",\"self\":\"$24f\"}\n243:{\"data\":\"$244\",\"links\":\"$24d\"}\n253:{\"target_revision_id\":19668,\"drupal_internal__target_id\":1816}\n252:{\"type\":\"paragraph--internal_link\",\"id\":\"76dcb171-ae0a-42ba-b330-b93b63633cdd\",\"meta\":\"$253\"}\n255:{\"target_revision_id\":19669,\"drupal_internal__target_id\":1821}\n254:{\"type\":\"paragraph--internal_link\",\"id\":\"7f340091-9774-491a-817d-0cdfaf0c72d1\",\"meta\":\"$255\"}\n257:{\"target_revision_id\":19670,\"drupal_internal__target_id\":1826}\n256:{\"type\":\"paragraph--internal_link\",\"id\":\"4b7486bb-57c5-440b-b07c-54deb80f1ca1\",\"meta\":\"$257\"}\n259:{\"target_revision_id\":19671,\"drupal_internal__target_id\":1831}\n258:{\"type\":\"paragraph--internal_link\",\"id\":\"d72a41d1-1d17-452f-9375-aea58d84e8e7\",\"meta\":\"$259\"}\n25b:{\"target_revision_id\":19672,\"dr"])</script><script>self.__next_f.push([1,"upal_internal__target_id\":3462}\n25a:{\"type\":\"paragraph--internal_link\",\"id\":\"726e3057-d549-4d7d-80c7-0f4c5d5f8007\",\"meta\":\"$25b\"}\n25d:{\"target_revision_id\":19673,\"drupal_internal__target_id\":3463}\n25c:{\"type\":\"paragraph--internal_link\",\"id\":\"dbde5fa8-5137-4df4-af83-a4330e0778c7\",\"meta\":\"$25d\"}\n251:[\"$252\",\"$254\",\"$256\",\"$258\",\"$25a\",\"$25c\"]\n25f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_related_collection?resourceVersion=id%3A5999\"}\n260:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_related_collection?resourceVersion=id%3A5999\"}\n25e:{\"related\":\"$25f\",\"self\":\"$260\"}\n250:{\"data\":\"$251\",\"links\":\"$25e\"}\n263:{\"drupal_internal__target_id\":121}\n262:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$263\"}\n265:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_resource_type?resourceVersion=id%3A5999\"}\n266:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_resource_type?resourceVersion=id%3A5999\"}\n264:{\"related\":\"$265\",\"self\":\"$266\"}\n261:{\"data\":\"$262\",\"links\":\"$264\"}\n26a:{\"drupal_internal__target_id\":66}\n269:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$26a\"}\n26c:{\"drupal_internal__target_id\":61}\n26b:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$26c\"}\n26e:{\"drupal_internal__target_id\":76}\n26d:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$26e\"}\n270:{\"drupal_internal__target_id\":71}\n26f:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$270\"}\n268:[\"$269\",\"$26b\",\"$26d\",\"$26f\"]\n272:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_roles?resourceVersion=id%3A5999\"}\n273:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da"])</script><script>self.__next_f.push([1,"3989b/relationships/field_roles?resourceVersion=id%3A5999\"}\n271:{\"related\":\"$272\",\"self\":\"$273\"}\n267:{\"data\":\"$268\",\"links\":\"$271\"}\n277:{\"drupal_internal__target_id\":36}\n276:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$277\"}\n279:{\"drupal_internal__target_id\":11}\n278:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$279\"}\n275:[\"$276\",\"$278\"]\n27b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_topics?resourceVersion=id%3A5999\"}\n27c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_topics?resourceVersion=id%3A5999\"}\n27a:{\"related\":\"$27b\",\"self\":\"$27c\"}\n274:{\"data\":\"$275\",\"links\":\"$27a\"}\n230:{\"node_type\":\"$231\",\"revision_uid\":\"$237\",\"uid\":\"$23d\",\"field_page_section\":\"$243\",\"field_related_collection\":\"$250\",\"field_resource_type\":\"$261\",\"field_roles\":\"$267\",\"field_topics\":\"$274\"}\n229:{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"links\":\"$22a\",\"attributes\":\"$22c\",\"relationships\":\"$230\"}\n27f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81?resourceVersion=id%3A5754\"}\n27e:{\"self\":\"$27f\"}\n281:{\"alias\":\"/learn/plan-action-and-milestones-poam\",\"pid\":386,\"langcode\":\"en\"}\n282:{\"value\":\"A corrective action plan roadmap to address system weaknesses and the resources required to fix them\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA corrective action plan roadmap to address system weaknesses and the resources required to fix them\u003c/p\u003e\\n\"}\n283:[\"#cra-help\"]\n280:{\"drupal_internal__nid\":396,\"drupal_internal__vid\":5754,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T15:53:09+00:00\",\"status\":true,\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"created\":\"2022-08-29T16:56:42+00:00\",\"changed\":\"2024-08-05T15:53:09+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$281\",\"rh_action\":null,\"rh_redirec"])</script><script>self.__next_f.push([1,"t\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":\"$282\",\"field_slack_channel\":\"$283\"}\n287:{\"drupal_internal__target_id\":\"explainer\"}\n286:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$287\"}\n289:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/node_type?resourceVersion=id%3A5754\"}\n28a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/node_type?resourceVersion=id%3A5754\"}\n288:{\"related\":\"$289\",\"self\":\"$28a\"}\n285:{\"data\":\"$286\",\"links\":\"$288\"}\n28d:{\"drupal_internal__target_id\":159}\n28c:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":\"$28d\"}\n28f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/revision_uid?resourceVersion=id%3A5754\"}\n290:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/revision_uid?resourceVersion=id%3A5754\"}\n28e:{\"related\":\"$28f\",\"self\":\"$290\"}\n28b:{\"data\":\"$28c\",\"links\":\"$28e\"}\n293:{\"drupal_internal__target_id\":26}\n292:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$293\"}\n295:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/uid?resourceVersion=id%3A5754\"}\n296:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/uid?resourceVersion=id%3A5754\"}\n294:{\"related\":\"$295\",\"self\":\"$296\"}\n291:{\"data\":\"$292\",\"links\":\"$294\"}\n29a:{\"target_revision_id\":19037,\"drupal_internal__target_id\":506}\n299:{\"type\":\"paragraph--page_section\",\"id\":\"7a011f0b-d154-4824-a3d9-ab6d2d897205\",\"meta\":\"$29a\"}\n29c:{\"target_revision_id\":19038,\"drupal_internal__target_id\":3385}\n29b:{\"type\":\"paragraph--page_section\",\"id\":\"ee1fabb0-058d-4b71-a7db-8a9ce8319795\",\"meta\":\"$29"])</script><script>self.__next_f.push([1,"c\"}\n298:[\"$299\",\"$29b\"]\n29e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/field_page_section?resourceVersion=id%3A5754\"}\n29f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/field_page_section?resourceVersion=id%3A5754\"}\n29d:{\"related\":\"$29e\",\"self\":\"$29f\"}\n297:{\"data\":\"$298\",\"links\":\"$29d\"}\n2a3:{\"target_revision_id\":19039,\"drupal_internal__target_id\":2041}\n2a2:{\"type\":\"paragraph--internal_link\",\"id\":\"df30d570-d5dc-431f-bec8-3054b29243cb\",\"meta\":\"$2a3\"}\n2a5:{\"target_revision_id\":19040,\"drupal_internal__target_id\":2046}\n2a4:{\"type\":\"paragraph--internal_link\",\"id\":\"4bccf275-df68-449d-8a48-3ba2274c322a\",\"meta\":\"$2a5\"}\n2a7:{\"target_revision_id\":19041,\"drupal_internal__target_id\":2051}\n2a6:{\"type\":\"paragraph--internal_link\",\"id\":\"443bfeb0-96a1-4b88-bd6d-d93d1d744e64\",\"meta\":\"$2a7\"}\n2a9:{\"target_revision_id\":19042,\"drupal_internal__target_id\":2056}\n2a8:{\"type\":\"paragraph--internal_link\",\"id\":\"71549f27-6a6b-4a16-9304-6208d994604a\",\"meta\":\"$2a9\"}\n2ab:{\"target_revision_id\":19043,\"drupal_internal__target_id\":2061}\n2aa:{\"type\":\"paragraph--internal_link\",\"id\":\"ab8baea5-3667-47bd-b2c5-a8b59a3847ac\",\"meta\":\"$2ab\"}\n2ad:{\"target_revision_id\":19044,\"drupal_internal__target_id\":2551}\n2ac:{\"type\":\"paragraph--internal_link\",\"id\":\"6b40f485-c76e-44f6-8489-9bbf991c1f6c\",\"meta\":\"$2ad\"}\n2a1:[\"$2a2\",\"$2a4\",\"$2a6\",\"$2a8\",\"$2aa\",\"$2ac\"]\n2af:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/field_related_collection?resourceVersion=id%3A5754\"}\n2b0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/field_related_collection?resourceVersion=id%3A5754\"}\n2ae:{\"related\":\"$2af\",\"self\":\"$2b0\"}\n2a0:{\"data\":\"$2a1\",\"links\":\"$2ae\"}\n2b3:{\"drupal_internal__target_id\":131}\n2b2:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$2b3\"}\n2b5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-4"])</script><script>self.__next_f.push([1,"3d2-9d86-2f0a42dc8a81/field_resource_type?resourceVersion=id%3A5754\"}\n2b6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/field_resource_type?resourceVersion=id%3A5754\"}\n2b4:{\"related\":\"$2b5\",\"self\":\"$2b6\"}\n2b1:{\"data\":\"$2b2\",\"links\":\"$2b4\"}\n2ba:{\"drupal_internal__target_id\":66}\n2b9:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$2ba\"}\n2bc:{\"drupal_internal__target_id\":61}\n2bb:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$2bc\"}\n2be:{\"drupal_internal__target_id\":76}\n2bd:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$2be\"}\n2c0:{\"drupal_internal__target_id\":71}\n2bf:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$2c0\"}\n2b8:[\"$2b9\",\"$2bb\",\"$2bd\",\"$2bf\"]\n2c2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/field_roles?resourceVersion=id%3A5754\"}\n2c3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/field_roles?resourceVersion=id%3A5754\"}\n2c1:{\"related\":\"$2c2\",\"self\":\"$2c3\"}\n2b7:{\"data\":\"$2b8\",\"links\":\"$2c1\"}\n2c7:{\"drupal_internal__target_id\":6}\n2c6:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":\"$2c7\"}\n2c9:{\"drupal_internal__target_id\":36}\n2c8:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$2c9\"}\n2c5:[\"$2c6\",\"$2c8\"]\n2cb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/field_topics?resourceVersion=id%3A5754\"}\n2cc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/field_topics?resourceVersion=id%3A5754\"}\n2ca:{\"related\":\"$2cb\",\"self\":\"$2cc\"}\n2c4:{\"data\":\"$2c5\",\"links\":\"$2ca\"}\n284:{\"node_type\":\"$285\",\"revision_uid\":\"$28b\",\"uid\":\"$291\",\"field_page_section\":\"$297\",\"field_related_collection\":\"$2a0\",\"field_resource_type\":\"$2b1\",\"field_roles\":\"$2b"])</script><script>self.__next_f.push([1,"7\",\"field_topics\":\"$2c4\"}\n27d:{\"type\":\"node--explainer\",\"id\":\"6586d174-482d-43d2-9d86-2f0a42dc8a81\",\"links\":\"$27e\",\"attributes\":\"$280\",\"relationships\":\"$284\"}\n2cf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2?resourceVersion=id%3A5170\"}\n2ce:{\"self\":\"$2cf\"}\n2d1:{\"alias\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"pid\":246,\"langcode\":\"en\"}\n2d2:{\"value\":\"The CCIC uses data to address incidents through risk management and monitoring activities across CMS \",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThe CCIC uses data to address incidents through risk management and monitoring activities across CMS\u003c/p\u003e\\n\"}\n2d3:[]\n2d0:{\"drupal_internal__nid\":256,\"drupal_internal__vid\":5170,\"langcode\":\"en\",\"revision_timestamp\":\"2024-01-05T17:56:20+00:00\",\"status\":true,\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"created\":\"2022-08-26T14:55:57+00:00\",\"changed\":\"2024-01-05T17:56:20+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$2d1\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"Report incidents in ServiceNOW\",\"field_short_description\":\"$2d2\",\"field_slack_channel\":\"$2d3\"}\n2d7:{\"drupal_internal__target_id\":\"explainer\"}\n2d6:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$2d7\"}\n2d9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/node_type?resourceVersion=id%3A5170\"}\n2da:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/node_type?resourceVersion=id%3A5170\"}\n2d8:{\"related\":\"$2d9\",\"self\":\"$2da\"}\n2d5:{\"data\":\"$2d6\",\"links\":\"$2d8\"}\n2dd:{\"drupal_internal__target_id\":36}\n2dc:{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"meta\":\"$2dd\"}\n2df:{\"href\":\"https://cybergeek.cms.gov/jsona"])</script><script>self.__next_f.push([1,"pi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/revision_uid?resourceVersion=id%3A5170\"}\n2e0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/revision_uid?resourceVersion=id%3A5170\"}\n2de:{\"related\":\"$2df\",\"self\":\"$2e0\"}\n2db:{\"data\":\"$2dc\",\"links\":\"$2de\"}\n2e3:{\"drupal_internal__target_id\":26}\n2e2:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$2e3\"}\n2e5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/uid?resourceVersion=id%3A5170\"}\n2e6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/uid?resourceVersion=id%3A5170\"}\n2e4:{\"related\":\"$2e5\",\"self\":\"$2e6\"}\n2e1:{\"data\":\"$2e2\",\"links\":\"$2e4\"}\n2ea:{\"target_revision_id\":16462,\"drupal_internal__target_id\":3363}\n2e9:{\"type\":\"paragraph--page_section\",\"id\":\"59fda20c-2255-44ef-9fb0-d0834c579aa4\",\"meta\":\"$2ea\"}\n2ec:{\"target_revision_id\":16464,\"drupal_internal__target_id\":3365}\n2eb:{\"type\":\"paragraph--page_section\",\"id\":\"859d0236-1261-46a5-b0de-417573614a67\",\"meta\":\"$2ec\"}\n2ee:{\"target_revision_id\":16466,\"drupal_internal__target_id\":3367}\n2ed:{\"type\":\"paragraph--page_section\",\"id\":\"b4617ce8-95fc-4897-818b-c27cc6651aa2\",\"meta\":\"$2ee\"}\n2e8:[\"$2e9\",\"$2eb\",\"$2ed\"]\n2f0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/field_page_section?resourceVersion=id%3A5170\"}\n2f1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/field_page_section?resourceVersion=id%3A5170\"}\n2ef:{\"related\":\"$2f0\",\"self\":\"$2f1\"}\n2e7:{\"data\":\"$2e8\",\"links\":\"$2ef\"}\n2f5:{\"target_revision_id\":16467,\"drupal_internal__target_id\":3368}\n2f4:{\"type\":\"paragraph--internal_link\",\"id\":\"dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7\",\"meta\":\"$2f5\"}\n2f7:{\"target_revision_id\":16468,\"drupal_internal__target_id\":3369}\n2f6:{\"type\":\"paragraph--internal_link\",\"id\":\"fc107bc4-832c-47e5-9f84-8235407eeed2\",\"meta\":\"$2f7\"}\n2f9:{\"target_revision_id\":164"])</script><script>self.__next_f.push([1,"69,\"drupal_internal__target_id\":3370}\n2f8:{\"type\":\"paragraph--internal_link\",\"id\":\"d51b0447-02a5-4951-bc45-42b3b7ae745b\",\"meta\":\"$2f9\"}\n2fb:{\"target_revision_id\":16470,\"drupal_internal__target_id\":3371}\n2fa:{\"type\":\"paragraph--internal_link\",\"id\":\"4090ef92-e750-496d-8230-dcec4f6d312d\",\"meta\":\"$2fb\"}\n2fd:{\"target_revision_id\":16471,\"drupal_internal__target_id\":3372}\n2fc:{\"type\":\"paragraph--internal_link\",\"id\":\"d8afa351-48fa-446c-9491-7865d51b2f72\",\"meta\":\"$2fd\"}\n2ff:{\"target_revision_id\":16472,\"drupal_internal__target_id\":3373}\n2fe:{\"type\":\"paragraph--internal_link\",\"id\":\"010ab69b-b5ce-499a-a760-d3c0af6a37a8\",\"meta\":\"$2ff\"}\n2f3:[\"$2f4\",\"$2f6\",\"$2f8\",\"$2fa\",\"$2fc\",\"$2fe\"]\n301:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/field_related_collection?resourceVersion=id%3A5170\"}\n302:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/field_related_collection?resourceVersion=id%3A5170\"}\n300:{\"related\":\"$301\",\"self\":\"$302\"}\n2f2:{\"data\":\"$2f3\",\"links\":\"$300\"}\n305:{\"drupal_internal__target_id\":131}\n304:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$305\"}\n307:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/field_resource_type?resourceVersion=id%3A5170\"}\n308:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/field_resource_type?resourceVersion=id%3A5170\"}\n306:{\"related\":\"$307\",\"self\":\"$308\"}\n303:{\"data\":\"$304\",\"links\":\"$306\"}\n30c:{\"drupal_internal__target_id\":66}\n30b:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$30c\"}\n30e:{\"drupal_internal__target_id\":61}\n30d:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$30e\"}\n310:{\"drupal_internal__target_id\":76}\n30f:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$310\"}\n312:{\"drupal_internal__target_id\":71}\n311:{\"type\":\"taxonomy_te"])</script><script>self.__next_f.push([1,"rm--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$312\"}\n30a:[\"$30b\",\"$30d\",\"$30f\",\"$311\"]\n314:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/field_roles?resourceVersion=id%3A5170\"}\n315:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/field_roles?resourceVersion=id%3A5170\"}\n313:{\"related\":\"$314\",\"self\":\"$315\"}\n309:{\"data\":\"$30a\",\"links\":\"$313\"}\n319:{\"drupal_internal__target_id\":46}\n318:{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":\"$319\"}\n317:[\"$318\"]\n31b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/field_topics?resourceVersion=id%3A5170\"}\n31c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/field_topics?resourceVersion=id%3A5170\"}\n31a:{\"related\":\"$31b\",\"self\":\"$31c\"}\n316:{\"data\":\"$317\",\"links\":\"$31a\"}\n2d4:{\"node_type\":\"$2d5\",\"revision_uid\":\"$2db\",\"uid\":\"$2e1\",\"field_page_section\":\"$2e7\",\"field_related_collection\":\"$2f2\",\"field_resource_type\":\"$303\",\"field_roles\":\"$309\",\"field_topics\":\"$316\"}\n2cd:{\"type\":\"node--explainer\",\"id\":\"79350126-ac6b-4afd-8fb7-f5814702ddb2\",\"links\":\"$2ce\",\"attributes\":\"$2d0\",\"relationships\":\"$2d4\"}\n31f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f?resourceVersion=id%3A5815\"}\n31e:{\"self\":\"$31f\"}\n321:{\"alias\":\"/posts/cms-cybersecurity-integration-center-ccic-red-team-engagements\",\"pid\":972,\"langcode\":\"en\"}\n323:T2708,"])</script><script>self.__next_f.push([1,"\u003cp\u003eIn today's digital landscape, organizations face an ever-evolving array of cyber threats that can compromise their critical data assets. As technology advances, so do the tactics employed by malicious actors seeking to infiltrate networks, steal sensitive information, and cause damage. To counter these threats, it is crucial for organizations to assess their security posture comprehensively and proactively. This is where the Red Team Engagements come into play.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat are Red Team Engagements?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eRed Team Engagements are highly targeted assessments designed to simulate real-world threat scenarios. Unlike traditional penetration tests that focus on identifying vulnerabilities, Red Team Engagements take a more holistic approach. They go beyond simply finding weaknesses in defenses and delve into the realms of defense, detection, and response. By emulating the Tactics, Techniques, and Procedures (TTPs) of actual adversaries, Red Teams challenge an organization's security measures, testing its ability to detect and respond to potential threats.\u003c/p\u003e\u003cp\u003eIn essence, while penetration testing focuses on the technological aspects of defense, Red Team Engagements aim to improve the detection capabilities of the defenders themselves, the people responsible for safeguarding the system.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow do Red Team Engagements work?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eRed Team Engagements require collaboration between the System team and the CMS Cybersecurity Integration Center (CCIC) team. Business owners and cyber risk advisors work together to define the scope of the engagement, including identifying the system's boundaries, gathering necessary credentials, and scheduling the engagement.\u003c/p\u003e\u003cp\u003eDuring the engagement, the Red Team assumes the role of a threat actor who has already gained initial access to the system. Over the course of approximately one month, the team executes a series of MITRE ATT\u0026amp;CK TTPs commonly employed by real-world adversaries. They start slowly and subtly, gradually increasing their activity and noise to assess the system's resilience.\u003c/p\u003e\u003cp\u003eNote: Red Team Engagements do not involve social engineering attacks such as phishing or impersonation. Instead, the focus is on testing the system's ability to detect and respond to an advanced and persistent threat.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eBenefits of Red Team Engagements\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eRegularly conducting Red Team Engagements offers several benefits to organizations looking to enhance their security posture:\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003eStrengthened Defenses\u003c/strong\u003e: By identifying weaknesses and vulnerabilities, Red Team Engagements enable organizations to bolster their defenses proactively. They provide valuable insights into potential entry points and the effectiveness of existing security measures.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEarly Detection\u003c/strong\u003e: Red Team Engagements test the system's ability to detect attacks at an early stage. By simulating real-world threat scenarios, organizations can fine-tune their monitoring and detection capabilities, allowing them to respond swiftly to potential breaches.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eDamage Limitation\u003c/strong\u003e: By uncovering vulnerabilities and weaknesses, organizations can address them promptly, minimizing the potential damage that a real-world attack might cause. Red Team Engagements help organizations stay one step ahead of malicious actors.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImproved Security Stance\u003c/strong\u003e: Red Team Engagements contribute to an overall improvement in an organization's security stance. By continuously challenging and refining their defenses, organizations can maintain a strong security posture that evolves with emerging threats.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eFAQs about Red Team Engagements\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eTo provide further clarity, let's address some frequently asked questions about Red Team Engagements:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ1: Who should be involved in the Red Team Engagements - and what support is needed from our end?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eUnlike traditional penetration tests, Red Team Engagements involve the active participation of upper leadership and system personnel. It is highly encouraged for upper leadership to be involved on the system's end. This approach ensures that the engagement remains as \"low profile\" as possible, allowing the Red Team to effectively test the system's ability to detect and respond to their activity.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ2: Is there a risk of potential downtime for the system?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of a Red Team Engagement is not to cause any damage to the systems or disrupt their operations. The majority of techniques and tactics employed during the engagement should not cause any downtime for the given system. The focus is on identifying vulnerabilities and weaknesses without affecting the system's availability.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ3: What documentation is provided at the end of the engagement?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAt the conclusion of the Red Team Engagement, the CCIC Penetration Team will produce and deliver the following documents:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRed Team Engagement Final Report: This high-level report outlines the overall results of the engagement, providing a summary of key findings and recommendations.\u003c/li\u003e\u003cli\u003eRed Team Engagement Full Report: This in-depth documentation outlines the entire engagement, from the scope of the assessment to detailed recommendations for better securing the system/environment. It provides a comprehensive analysis of the findings and includes actionable steps for improvement.\u003c/li\u003e\u003cli\u003eRed Team Log: This document outlines the specific actions performed by each tester during the engagement, detailing their activities on a given system at a specific time. The Red Team Log provides system maintainers, developers, and security professionals with all the necessary details to replicate and understand the methodologies used during the engagement.\u003c/li\u003e\u003cli\u003eVulnerability Findings: This documentation highlights specific vulnerabilities discovered during the engagement. It includes steps to reproduce the vulnerabilities and recommendations for their remediation.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eQ4: What level of support is needed from our team during the engagement?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBefore the engagement starts, the CCIC Penetration Team will work with your team to gather the IP addresses/Hosts that are within the scope. Additionally, they may request a \"Low\" level user account for the target system(s). Once the engagement is underway, the only additional support that may be needed is if the Red Team is detected and the system initiates the incident response process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ5: What happens if vulnerabilities are discovered?\u003c/strong\u003e\u0026nbsp;\u003c/h3\u003e\u003cp\u003eWhile the primary focus of Red Team Engagements is not on discovering vulnerabilities, if any are discovered, the CCIC Penetration Team will follow the normal process for addressing them. They will work with the system's stakeholders to properly remediate the vulnerabilities. Critical findings must be remediated within 15 calendar days, High findings within 30 calendar days, Moderate findings within 90 calendar days, and Low findings within 365 calendar days before being submitted to the CMS\u0026nbsp;FISMA Controls Tracking System (CFACTS).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ6: In which environment will the testing occur?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf the monitoring and detection capabilities of a lower environment are the same as the production environment, the Red Team prefers to conduct the test in the lower environment. However, if there are differences, it is recommended to perform the test in the production environment. This allows the Red Team to provide the most accurate and realistic results possible, considering the actual production system.\u003c/p\u003e\u003cp\u003eBy conducting Red Team Engagements, you can proactively assess your security defenses, enhance your detection capabilities, and improve your overall security stance. With the collaboration between the System team and the CMS Cybersecurity Integration Center (CCIC) team, a stronger and more resilient cybersecurity posture can be achieved to protect critical data assets from real-world threat actors.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eInterested in learning more?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eTo learn more about Red Team Engagements, penetration testing, and other cybersecurity measures, you're invited to attend the CCIC Final Friday Frequently asked questions (CF3) session that takes place once a quarter. If youre interested in attending, we encourage you to send us an e-mail at \u003ca href=\"mailto:cmspentestteam@cms.hhs.gov\"\u003ecmspentestmanagement@cms.hhs.gov\u003c/a\u003e and we will be happy to add you to the e-mail invite for the upcoming session. This comprehensive discussion is designed to answer key questions about the cybersecurity landscape, and specifically the role of CCIC penetration testing, different types of testing, the process of reporting findings, the role of Red Teaming, and much more.\u003c/p\u003e\u003cp\u003eWe highly recommend tuning in to this valuable session to boost your understanding of how to secure your systems effectively. The information provided will empower you to make more informed decisions about your cybersecurity strategy, enhancing your ability to protect your organization from evolving cyber threats.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAvailability of this service at CMS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis service is available at the CMS Cybersecurity Integration Center (CCIC). To request a Red Team Engagement, you can contact the CMS CCIC Penetration Team via email at \u003ca href=\"mailto:cmspentestteam@cms.hhs.gov\"\u003ecmspentestmanagement@cms.hhs.gov\u003c/a\u003e. The team will guide you through the process, providing you with a PenTest Request form and scheduling a call to gather additional details.\u003c/p\u003e\u003cp\u003eRemember, the strength of your cybersecurity posture relies heavily on being proactive. Regular security assessments like Red Team Engagements are an excellent way to identify potential weaknesses before they can be exploited, enabling you to maintain a robust and effective defense against real-world cyber threats.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"324:T2708,"])</script><script>self.__next_f.push([1,"\u003cp\u003eIn today's digital landscape, organizations face an ever-evolving array of cyber threats that can compromise their critical data assets. As technology advances, so do the tactics employed by malicious actors seeking to infiltrate networks, steal sensitive information, and cause damage. To counter these threats, it is crucial for organizations to assess their security posture comprehensively and proactively. This is where the Red Team Engagements come into play.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat are Red Team Engagements?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eRed Team Engagements are highly targeted assessments designed to simulate real-world threat scenarios. Unlike traditional penetration tests that focus on identifying vulnerabilities, Red Team Engagements take a more holistic approach. They go beyond simply finding weaknesses in defenses and delve into the realms of defense, detection, and response. By emulating the Tactics, Techniques, and Procedures (TTPs) of actual adversaries, Red Teams challenge an organization's security measures, testing its ability to detect and respond to potential threats.\u003c/p\u003e\u003cp\u003eIn essence, while penetration testing focuses on the technological aspects of defense, Red Team Engagements aim to improve the detection capabilities of the defenders themselves, the people responsible for safeguarding the system.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow do Red Team Engagements work?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eRed Team Engagements require collaboration between the System team and the CMS Cybersecurity Integration Center (CCIC) team. Business owners and cyber risk advisors work together to define the scope of the engagement, including identifying the system's boundaries, gathering necessary credentials, and scheduling the engagement.\u003c/p\u003e\u003cp\u003eDuring the engagement, the Red Team assumes the role of a threat actor who has already gained initial access to the system. Over the course of approximately one month, the team executes a series of MITRE ATT\u0026amp;CK TTPs commonly employed by real-world adversaries. They start slowly and subtly, gradually increasing their activity and noise to assess the system's resilience.\u003c/p\u003e\u003cp\u003eNote: Red Team Engagements do not involve social engineering attacks such as phishing or impersonation. Instead, the focus is on testing the system's ability to detect and respond to an advanced and persistent threat.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eBenefits of Red Team Engagements\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eRegularly conducting Red Team Engagements offers several benefits to organizations looking to enhance their security posture:\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003eStrengthened Defenses\u003c/strong\u003e: By identifying weaknesses and vulnerabilities, Red Team Engagements enable organizations to bolster their defenses proactively. They provide valuable insights into potential entry points and the effectiveness of existing security measures.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEarly Detection\u003c/strong\u003e: Red Team Engagements test the system's ability to detect attacks at an early stage. By simulating real-world threat scenarios, organizations can fine-tune their monitoring and detection capabilities, allowing them to respond swiftly to potential breaches.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eDamage Limitation\u003c/strong\u003e: By uncovering vulnerabilities and weaknesses, organizations can address them promptly, minimizing the potential damage that a real-world attack might cause. Red Team Engagements help organizations stay one step ahead of malicious actors.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImproved Security Stance\u003c/strong\u003e: Red Team Engagements contribute to an overall improvement in an organization's security stance. By continuously challenging and refining their defenses, organizations can maintain a strong security posture that evolves with emerging threats.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eFAQs about Red Team Engagements\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eTo provide further clarity, let's address some frequently asked questions about Red Team Engagements:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ1: Who should be involved in the Red Team Engagements - and what support is needed from our end?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eUnlike traditional penetration tests, Red Team Engagements involve the active participation of upper leadership and system personnel. It is highly encouraged for upper leadership to be involved on the system's end. This approach ensures that the engagement remains as \"low profile\" as possible, allowing the Red Team to effectively test the system's ability to detect and respond to their activity.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ2: Is there a risk of potential downtime for the system?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of a Red Team Engagement is not to cause any damage to the systems or disrupt their operations. The majority of techniques and tactics employed during the engagement should not cause any downtime for the given system. The focus is on identifying vulnerabilities and weaknesses without affecting the system's availability.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ3: What documentation is provided at the end of the engagement?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAt the conclusion of the Red Team Engagement, the CCIC Penetration Team will produce and deliver the following documents:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRed Team Engagement Final Report: This high-level report outlines the overall results of the engagement, providing a summary of key findings and recommendations.\u003c/li\u003e\u003cli\u003eRed Team Engagement Full Report: This in-depth documentation outlines the entire engagement, from the scope of the assessment to detailed recommendations for better securing the system/environment. It provides a comprehensive analysis of the findings and includes actionable steps for improvement.\u003c/li\u003e\u003cli\u003eRed Team Log: This document outlines the specific actions performed by each tester during the engagement, detailing their activities on a given system at a specific time. The Red Team Log provides system maintainers, developers, and security professionals with all the necessary details to replicate and understand the methodologies used during the engagement.\u003c/li\u003e\u003cli\u003eVulnerability Findings: This documentation highlights specific vulnerabilities discovered during the engagement. It includes steps to reproduce the vulnerabilities and recommendations for their remediation.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eQ4: What level of support is needed from our team during the engagement?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBefore the engagement starts, the CCIC Penetration Team will work with your team to gather the IP addresses/Hosts that are within the scope. Additionally, they may request a \"Low\" level user account for the target system(s). Once the engagement is underway, the only additional support that may be needed is if the Red Team is detected and the system initiates the incident response process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ5: What happens if vulnerabilities are discovered?\u003c/strong\u003e\u0026nbsp;\u003c/h3\u003e\u003cp\u003eWhile the primary focus of Red Team Engagements is not on discovering vulnerabilities, if any are discovered, the CCIC Penetration Team will follow the normal process for addressing them. They will work with the system's stakeholders to properly remediate the vulnerabilities. Critical findings must be remediated within 15 calendar days, High findings within 30 calendar days, Moderate findings within 90 calendar days, and Low findings within 365 calendar days before being submitted to the CMS\u0026nbsp;FISMA Controls Tracking System (CFACTS).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eQ6: In which environment will the testing occur?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf the monitoring and detection capabilities of a lower environment are the same as the production environment, the Red Team prefers to conduct the test in the lower environment. However, if there are differences, it is recommended to perform the test in the production environment. This allows the Red Team to provide the most accurate and realistic results possible, considering the actual production system.\u003c/p\u003e\u003cp\u003eBy conducting Red Team Engagements, you can proactively assess your security defenses, enhance your detection capabilities, and improve your overall security stance. With the collaboration between the System team and the CMS Cybersecurity Integration Center (CCIC) team, a stronger and more resilient cybersecurity posture can be achieved to protect critical data assets from real-world threat actors.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eInterested in learning more?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eTo learn more about Red Team Engagements, penetration testing, and other cybersecurity measures, you're invited to attend the CCIC Final Friday Frequently asked questions (CF3) session that takes place once a quarter. If youre interested in attending, we encourage you to send us an e-mail at \u003ca href=\"mailto:cmspentestteam@cms.hhs.gov\"\u003ecmspentestmanagement@cms.hhs.gov\u003c/a\u003e and we will be happy to add you to the e-mail invite for the upcoming session. This comprehensive discussion is designed to answer key questions about the cybersecurity landscape, and specifically the role of CCIC penetration testing, different types of testing, the process of reporting findings, the role of Red Teaming, and much more.\u003c/p\u003e\u003cp\u003eWe highly recommend tuning in to this valuable session to boost your understanding of how to secure your systems effectively. The information provided will empower you to make more informed decisions about your cybersecurity strategy, enhancing your ability to protect your organization from evolving cyber threats.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAvailability of this service at CMS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis service is available at the CMS Cybersecurity Integration Center (CCIC). To request a Red Team Engagement, you can contact the CMS CCIC Penetration Team via email at \u003ca href=\"mailto:cmspentestteam@cms.hhs.gov\"\u003ecmspentestmanagement@cms.hhs.gov\u003c/a\u003e. The team will guide you through the process, providing you with a PenTest Request form and scheduling a call to gather additional details.\u003c/p\u003e\u003cp\u003eRemember, the strength of your cybersecurity posture relies heavily on being proactive. Regular security assessments like Red Team Engagements are an excellent way to identify potential weaknesses before they can be exploited, enabling you to maintain a robust and effective defense against real-world cyber threats.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"322:{\"value\":\"$323\",\"format\":\"body_text\",\"processed\":\"$324\",\"summary\":\"\"}\n325:{\"value\":\"CCIC Red Team Engagements help strengthen your system's defenses against real-world threat actors\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCCIC Red Team Engagements help strengthen your system\u0026#039;s defenses against real-world threat actors\u003c/p\u003e\\n\"}\n320:{\"drupal_internal__nid\":1117,\"drupal_internal__vid\":5815,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-06T15:55:22+00:00\",\"status\":true,\"title\":\"CMS Cybersecurity Integration Center (CCIC) Red Team Engagements\",\"created\":\"2023-06-14T17:54:25+00:00\",\"changed\":\"2024-08-06T15:55:22+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$321\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$322\",\"field_short_description\":\"$325\",\"field_video_link\":null}\n329:{\"drupal_internal__target_id\":\"blog\"}\n328:{\"type\":\"node_type--node_type\",\"id\":\"f382c03e-0cc5-4892-aa46-653a2d90fc05\",\"meta\":\"$329\"}\n32b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/node_type?resourceVersion=id%3A5815\"}\n32c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/node_type?resourceVersion=id%3A5815\"}\n32a:{\"related\":\"$32b\",\"self\":\"$32c\"}\n327:{\"data\":\"$328\",\"links\":\"$32a\"}\n32f:{\"drupal_internal__target_id\":94}\n32e:{\"type\":\"user--user\",\"id\":\"c34b79d4-f936-45dd-968f-7efc22d4370b\",\"meta\":\"$32f\"}\n331:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/revision_uid?resourceVersion=id%3A5815\"}\n332:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/revision_uid?resourceVersion=id%3A5815\"}\n330:{\"related\":\"$331\",\"self\":\"$332\"}\n32d:{\"data\":\"$32e\",\"links\":\"$330\"}\n335:{\"drupal_internal__target_id\":26}\n334:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"met"])</script><script>self.__next_f.push([1,"a\":\"$335\"}\n337:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/uid?resourceVersion=id%3A5815\"}\n338:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/uid?resourceVersion=id%3A5815\"}\n336:{\"related\":\"$337\",\"self\":\"$338\"}\n333:{\"data\":\"$334\",\"links\":\"$336\"}\n33b:{\"drupal_internal__target_id\":221}\n33a:{\"type\":\"media--blog_cover_image\",\"id\":\"ddd76d53-b84b-4de2-8c73-73ed5072381e\",\"meta\":\"$33b\"}\n33d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/field_cover_image?resourceVersion=id%3A5815\"}\n33e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/field_cover_image?resourceVersion=id%3A5815\"}\n33c:{\"related\":\"$33d\",\"self\":\"$33e\"}\n339:{\"data\":\"$33a\",\"links\":\"$33c\"}\n341:{\"drupal_internal__target_id\":31}\n340:{\"type\":\"group--team\",\"id\":\"1465e196-2728-442c-add2-7dd02e5cc3b2\",\"meta\":\"$341\"}\n343:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/field_publisher_group?resourceVersion=id%3A5815\"}\n344:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/field_publisher_group?resourceVersion=id%3A5815\"}\n342:{\"related\":\"$343\",\"self\":\"$344\"}\n33f:{\"data\":\"$340\",\"links\":\"$342\"}\n347:{\"drupal_internal__target_id\":106}\n346:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"cccd136f-b478-40f0-8ff8-fd73f75f4ab0\",\"meta\":\"$347\"}\n349:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/field_resource_type?resourceVersion=id%3A5815\"}\n34a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/field_resource_type?resourceVersion=id%3A5815\"}\n348:{\"related\":\"$349\",\"self\":\"$34a\"}\n345:{\"data\":\"$346\",\"links\":\"$348\"}\n34e:{\"drupal_internal__target_id\":66}\n34d:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$34e\"}\n350:{\"drupal_internal__target_id\":61}\n34f:{\"type\":\"taxono"])</script><script>self.__next_f.push([1,"my_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$350\"}\n352:{\"drupal_internal__target_id\":76}\n351:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$352\"}\n354:{\"drupal_internal__target_id\":71}\n353:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$354\"}\n34c:[\"$34d\",\"$34f\",\"$351\",\"$353\"]\n356:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/field_roles?resourceVersion=id%3A5815\"}\n357:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/field_roles?resourceVersion=id%3A5815\"}\n355:{\"related\":\"$356\",\"self\":\"$357\"}\n34b:{\"data\":\"$34c\",\"links\":\"$355\"}\n35b:{\"drupal_internal__target_id\":6}\n35a:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":\"$35b\"}\n35d:{\"drupal_internal__target_id\":46}\n35c:{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":\"$35d\"}\n359:[\"$35a\",\"$35c\"]\n35f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/field_topics?resourceVersion=id%3A5815\"}\n360:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/field_topics?resourceVersion=id%3A5815\"}\n35e:{\"related\":\"$35f\",\"self\":\"$360\"}\n358:{\"data\":\"$359\",\"links\":\"$35e\"}\n326:{\"node_type\":\"$327\",\"revision_uid\":\"$32d\",\"uid\":\"$333\",\"field_cover_image\":\"$339\",\"field_publisher_group\":\"$33f\",\"field_resource_type\":\"$345\",\"field_roles\":\"$34b\",\"field_topics\":\"$358\"}\n31d:{\"type\":\"node--blog\",\"id\":\"ad85d9c2-1286-4564-90a1-f8dfba013c3f\",\"links\":\"$31e\",\"attributes\":\"$320\",\"relationships\":\"$326\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748?resourceVersion=id%3A5886\"}},\"attributes\":{\"drupal_internal__nid\":391,\"drupal_internal__vid\":5886,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-30T19:33:09+00:00\",\"status\":true,\"title\":\"Penetration Testing (PenTesting)\",\"created\":\"2022-08-29T16:54:55+00:00\",\"changed\":\"2024-08-30T19:33:09+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/penetration-testing-pentesting\",\"pid\":381,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cmspentestmanagement@cms.hhs.gov\",\"field_contact_name\":\"Penetration Testing Team\",\"field_short_description\":{\"value\":\"Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ccic_sec_eng_and_soc\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/node_type?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/node_type?resourceVersion=id%3A5886\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"94466ab9-93ba-4374-964a-cac08e0505c1\",\"meta\":{\"drupal_internal__target_id\":122}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/revision_uid?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/revision_uid?resourceVersion=id%3A5886\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/uid?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/uid?resourceVersion=id%3A5886\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"9ce3ee98-23ca-4e7f-aba7-eb85e992ee97\",\"meta\":{\"target_revision_id\":19217,\"drupal_internal__target_id\":501}},{\"type\":\"paragraph--page_section\",\"id\":\"7b5e13a5-a70b-4570-8feb-183ff1d4fae9\",\"meta\":{\"target_revision_id\":19218,\"drupal_internal__target_id\":2546}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_page_section?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_page_section?resourceVersion=id%3A5886\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"a7c47ed1-07a0-4487-8538-27c56a8e48d2\",\"meta\":{\"target_revision_id\":19219,\"drupal_internal__target_id\":2021}},{\"type\":\"paragraph--internal_link\",\"id\":\"44807064-0310-448f-8f66-09ee2ff9b17d\",\"meta\":{\"target_revision_id\":19220,\"drupal_internal__target_id\":2026}},{\"type\":\"paragraph--internal_link\",\"id\":\"825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb\",\"meta\":{\"target_revision_id\":19221,\"drupal_internal__target_id\":2031}},{\"type\":\"paragraph--internal_link\",\"id\":\"8d631ecf-4c48-46d2-b8f2-5db69fd03245\",\"meta\":{\"target_revision_id\":19222,\"drupal_internal__target_id\":2036}},{\"type\":\"paragraph--internal_link\",\"id\":\"2121533f-ed8e-4292-81c3-c9c5f3b88c42\",\"meta\":{\"target_revision_id\":19223,\"drupal_internal__target_id\":3388}},{\"type\":\"paragraph--internal_link\",\"id\":\"e3a2533a-0128-4439-8ca5-a56210aa267e\",\"meta\":{\"target_revision_id\":19224,\"drupal_internal__target_id\":3389}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_related_collection?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_related_collection?resourceVersion=id%3A5886\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_resource_type?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_resource_type?resourceVersion=id%3A5886\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_roles?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_roles?resourceVersion=id%3A5886\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":{\"drupal_internal__target_id\":46}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_topics?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_topics?resourceVersion=id%3A5886\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"94466ab9-93ba-4374-964a-cac08e0505c1\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/94466ab9-93ba-4374-964a-cac08e0505c1\"}},\"attributes\":{\"display_name\":\"jcuenca\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4?resourceVersion=id%3A121\"}},\"attributes\":{\"drupal_internal__tid\":121,\"drupal_internal__revision_id\":121,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:12+00:00\",\"status\":true,\"name\":\"Tools / Services\",\"description\":null,\"weight\":5,\"changed\":\"2023-06-14T19:04:09+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/vid?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/vid?resourceVersion=id%3A121\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/revision_user?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/revision_user?resourceVersion=id%3A121\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/parent?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/parent?resourceVersion=id%3A121\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674?resourceVersion=id%3A6\"}},\"attributes\":{\"drupal_internal__tid\":6,\"drupal_internal__revision_id\":6,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:04:59+00:00\",\"status\":true,\"name\":\"Assessments \u0026 Audits\",\"description\":null,\"weight\":1,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/vid?resourceVersion=id%3A6\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/vid?resourceVersion=id%3A6\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/revision_user?resourceVersion=id%3A6\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/revision_user?resourceVersion=id%3A6\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/parent?resourceVersion=id%3A6\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/parent?resourceVersion=id%3A6\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5?resourceVersion=id%3A46\"}},\"attributes\":{\"drupal_internal__tid\":46,\"drupal_internal__revision_id\":46,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:13+00:00\",\"status\":true,\"name\":\"Security Operations\",\"description\":null,\"weight\":6,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/vid?resourceVersion=id%3A46\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/vid?resourceVersion=id%3A46\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/revision_user?resourceVersion=id%3A46\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/revision_user?resourceVersion=id%3A46\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/parent?resourceVersion=id%3A46\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/parent?resourceVersion=id%3A46\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"9ce3ee98-23ca-4e7f-aba7-eb85e992ee97\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ce3ee98-23ca-4e7f-aba7-eb85e992ee97?resourceVersion=id%3A19217\"}},\"attributes\":{\"drupal_internal__id\":501,\"drupal_internal__revision_id\":19217,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-02T16:39:14+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ce3ee98-23ca-4e7f-aba7-eb85e992ee97/paragraph_type?resourceVersion=id%3A19217\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ce3ee98-23ca-4e7f-aba7-eb85e992ee97/relationships/paragraph_type?resourceVersion=id%3A19217\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id\":\"5c56be77-6e63-4713-80cb-8efc2966a029\",\"meta\":{\"target_revision_id\":19216,\"drupal_internal__target_id\":2541}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ce3ee98-23ca-4e7f-aba7-eb85e992ee97/field_specialty_item?resourceVersion=id%3A19217\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ce3ee98-23ca-4e7f-aba7-eb85e992ee97/relationships/field_specialty_item?resourceVersion=id%3A19217\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"7b5e13a5-a70b-4570-8feb-183ff1d4fae9\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7b5e13a5-a70b-4570-8feb-183ff1d4fae9?resourceVersion=id%3A19218\"}},\"attributes\":{\"drupal_internal__id\":2546,\"drupal_internal__revision_id\":19218,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-14T13:16:04+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7b5e13a5-a70b-4570-8feb-183ff1d4fae9/paragraph_type?resourceVersion=id%3A19218\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7b5e13a5-a70b-4570-8feb-183ff1d4fae9/relationships/paragraph_type?resourceVersion=id%3A19218\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7b5e13a5-a70b-4570-8feb-183ff1d4fae9/field_specialty_item?resourceVersion=id%3A19218\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7b5e13a5-a70b-4570-8feb-183ff1d4fae9/relationships/field_specialty_item?resourceVersion=id%3A19218\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"5c56be77-6e63-4713-80cb-8efc2966a029\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/5c56be77-6e63-4713-80cb-8efc2966a029?resourceVersion=id%3A19216\"}},\"attributes\":{\"drupal_internal__id\":2541,\"drupal_internal__revision_id\":19216,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-14T13:16:46+00:00\",\"parent_id\":\"501\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":{\"uri\":\"mailto:cmspentestmanagement@cms.hhs.gov\",\"title\":\"\",\"options\":[],\"url\":\"mailto:cmspentestmanagement@cms.hhs.gov\"},\"field_call_out_link_text\":\"Email the team\",\"field_call_out_text\":{\"value\":\"* Contact the CMS Penetration Testing Team to schedule your system's PenTest today. Please email the PenTest team to obtain the most-up-to-date pentest request form.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003e* Contact the CMS Penetration Testing Team to schedule your system\u0026#039;s PenTest today. Please email the PenTest team to obtain the most-up-to-date pentest request form.\u003c/p\u003e\\n\"},\"field_header\":\"Schedule your PenTest\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/5c56be77-6e63-4713-80cb-8efc2966a029/paragraph_type?resourceVersion=id%3A19216\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/5c56be77-6e63-4713-80cb-8efc2966a029/relationships/paragraph_type?resourceVersion=id%3A19216\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"a7c47ed1-07a0-4487-8538-27c56a8e48d2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7c47ed1-07a0-4487-8538-27c56a8e48d2?resourceVersion=id%3A19219\"}},\"attributes\":{\"drupal_internal__id\":2021,\"drupal_internal__revision_id\":19219,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:09:59+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7c47ed1-07a0-4487-8538-27c56a8e48d2/paragraph_type?resourceVersion=id%3A19219\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7c47ed1-07a0-4487-8538-27c56a8e48d2/relationships/paragraph_type?resourceVersion=id%3A19219\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"meta\":{\"drupal_internal__target_id\":206}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7c47ed1-07a0-4487-8538-27c56a8e48d2/field_link?resourceVersion=id%3A19219\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a7c47ed1-07a0-4487-8538-27c56a8e48d2/relationships/field_link?resourceVersion=id%3A19219\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"44807064-0310-448f-8f66-09ee2ff9b17d\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44807064-0310-448f-8f66-09ee2ff9b17d?resourceVersion=id%3A19220\"}},\"attributes\":{\"drupal_internal__id\":2026,\"drupal_internal__revision_id\":19220,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:10:52+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44807064-0310-448f-8f66-09ee2ff9b17d/paragraph_type?resourceVersion=id%3A19220\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44807064-0310-448f-8f66-09ee2ff9b17d/relationships/paragraph_type?resourceVersion=id%3A19220\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"meta\":{\"drupal_internal__target_id\":201}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44807064-0310-448f-8f66-09ee2ff9b17d/field_link?resourceVersion=id%3A19220\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44807064-0310-448f-8f66-09ee2ff9b17d/relationships/field_link?resourceVersion=id%3A19220\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb?resourceVersion=id%3A19221\"}},\"attributes\":{\"drupal_internal__id\":2031,\"drupal_internal__revision_id\":19221,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:10:59+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb/paragraph_type?resourceVersion=id%3A19221\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb/relationships/paragraph_type?resourceVersion=id%3A19221\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"meta\":{\"drupal_internal__target_id\":261}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb/field_link?resourceVersion=id%3A19221\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb/relationships/field_link?resourceVersion=id%3A19221\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"8d631ecf-4c48-46d2-b8f2-5db69fd03245\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d631ecf-4c48-46d2-b8f2-5db69fd03245?resourceVersion=id%3A19222\"}},\"attributes\":{\"drupal_internal__id\":2036,\"drupal_internal__revision_id\":19222,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:11:10+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d631ecf-4c48-46d2-b8f2-5db69fd03245/paragraph_type?resourceVersion=id%3A19222\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d631ecf-4c48-46d2-b8f2-5db69fd03245/relationships/paragraph_type?resourceVersion=id%3A19222\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"6586d174-482d-43d2-9d86-2f0a42dc8a81\",\"meta\":{\"drupal_internal__target_id\":396}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d631ecf-4c48-46d2-b8f2-5db69fd03245/field_link?resourceVersion=id%3A19222\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d631ecf-4c48-46d2-b8f2-5db69fd03245/relationships/field_link?resourceVersion=id%3A19222\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"2121533f-ed8e-4292-81c3-c9c5f3b88c42\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2121533f-ed8e-4292-81c3-c9c5f3b88c42?resourceVersion=id%3A19223\"}},\"attributes\":{\"drupal_internal__id\":3388,\"drupal_internal__revision_id\":19223,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-07-08T14:22:10+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2121533f-ed8e-4292-81c3-c9c5f3b88c42/paragraph_type?resourceVersion=id%3A19223\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2121533f-ed8e-4292-81c3-c9c5f3b88c42/relationships/paragraph_type?resourceVersion=id%3A19223\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"79350126-ac6b-4afd-8fb7-f5814702ddb2\",\"meta\":{\"drupal_internal__target_id\":256}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2121533f-ed8e-4292-81c3-c9c5f3b88c42/field_link?resourceVersion=id%3A19223\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2121533f-ed8e-4292-81c3-c9c5f3b88c42/relationships/field_link?resourceVersion=id%3A19223\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"e3a2533a-0128-4439-8ca5-a56210aa267e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e3a2533a-0128-4439-8ca5-a56210aa267e?resourceVersion=id%3A19224\"}},\"attributes\":{\"drupal_internal__id\":3389,\"drupal_internal__revision_id\":19224,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-07-08T14:22:35+00:00\",\"parent_id\":\"391\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e3a2533a-0128-4439-8ca5-a56210aa267e/paragraph_type?resourceVersion=id%3A19224\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e3a2533a-0128-4439-8ca5-a56210aa267e/relationships/paragraph_type?resourceVersion=id%3A19224\"}}},\"field_link\":{\"data\":{\"type\":\"node--blog\",\"id\":\"ad85d9c2-1286-4564-90a1-f8dfba013c3f\",\"meta\":{\"drupal_internal__target_id\":1117}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e3a2533a-0128-4439-8ca5-a56210aa267e/field_link?resourceVersion=id%3A19224\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e3a2533a-0128-4439-8ca5-a56210aa267e/relationships/field_link?resourceVersion=id%3A19224\"}}}}},{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2?resourceVersion=id%3A5737\"}},\"attributes\":{\"drupal_internal__nid\":206,\"drupal_internal__vid\":5737,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-31T17:37:48+00:00\",\"status\":true,\"title\":\"Authorization to Operate (ATO)\",\"created\":\"2022-08-25T19:06:37+00:00\",\"changed\":\"2024-07-31T17:37:48+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/authorization-operate-ato\",\"pid\":196,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Testing and documenting system security and compliance to gain approval to operate the system at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting and documenting system security and compliance to gain approval to operate the system at CMS\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cra-help\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/node_type?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/node_type?resourceVersion=id%3A5737\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/revision_uid?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/revision_uid?resourceVersion=id%3A5737\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/uid?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/uid?resourceVersion=id%3A5737\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"d94629f9-9668-41dd-bce7-a4f267239c07\",\"meta\":{\"target_revision_id\":18928,\"drupal_internal__target_id\":711}},{\"type\":\"paragraph--page_section\",\"id\":\"243e2d3f-f903-438c-8b1f-aee53390b1df\",\"meta\":{\"target_revision_id\":18929,\"drupal_internal__target_id\":736}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_page_section?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_page_section?resourceVersion=id%3A5737\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"6f904ac4-c80e-47d9-b786-ee79256befed\",\"meta\":{\"target_revision_id\":18930,\"drupal_internal__target_id\":3376}},{\"type\":\"paragraph--internal_link\",\"id\":\"e20959d7-2a7b-4a01-b985-cfa5363233f5\",\"meta\":{\"target_revision_id\":18931,\"drupal_internal__target_id\":1306}},{\"type\":\"paragraph--internal_link\",\"id\":\"dba9b926-f657-43ce-bc94-0a2d803430c6\",\"meta\":{\"target_revision_id\":18932,\"drupal_internal__target_id\":1316}},{\"type\":\"paragraph--internal_link\",\"id\":\"44f7083e-9341-42a5-85dc-a9043cdccdce\",\"meta\":{\"target_revision_id\":18933,\"drupal_internal__target_id\":2521}},{\"type\":\"paragraph--internal_link\",\"id\":\"bd0366d9-64ce-401f-9453-bf38aa8054a1\",\"meta\":{\"target_revision_id\":18934,\"drupal_internal__target_id\":3444}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_related_collection?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_related_collection?resourceVersion=id%3A5737\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_resource_type?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_resource_type?resourceVersion=id%3A5737\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_roles?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_roles?resourceVersion=id%3A5737\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_topics?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_topics?resourceVersion=id%3A5737\"}}}}},{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320?resourceVersion=id%3A5941\"}},\"attributes\":{\"drupal_internal__nid\":201,\"drupal_internal__vid\":5941,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-17T14:04:35+00:00\",\"status\":true,\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"created\":\"2022-08-25T18:58:52+00:00\",\"changed\":\"2024-10-07T20:27:11+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"pid\":191,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CSRAP@cms.hhs.gov\",\"field_contact_name\":\"CSRAP Team\",\"field_short_description\":{\"value\":\"A streamlined risk-based control(s) testing methodology designed to relieve operational burden.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA streamlined risk-based control(s) testing methodology designed to relieve operational burden.\u003c/p\u003e\\n\"},\"field_slack_channel\":[]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/node_type?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/node_type?resourceVersion=id%3A5941\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"39240c69-3096-49cd-a07c-3843b6c48c5f\",\"meta\":{\"drupal_internal__target_id\":95}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/revision_uid?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/revision_uid?resourceVersion=id%3A5941\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/uid?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/uid?resourceVersion=id%3A5941\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"f36fb6d1-0795-400f-8a15-36d1979118b0\",\"meta\":{\"target_revision_id\":19433,\"drupal_internal__target_id\":3501}},{\"type\":\"paragraph--page_section\",\"id\":\"eb5b28d8-8825-43c5-a889-513068f48fd8\",\"meta\":{\"target_revision_id\":19434,\"drupal_internal__target_id\":611}},{\"type\":\"paragraph--page_section\",\"id\":\"269aaf52-85f1-411f-a67e-e9d9ad620d8a\",\"meta\":{\"target_revision_id\":19435,\"drupal_internal__target_id\":651}},{\"type\":\"paragraph--page_section\",\"id\":\"3a3615ff-9d53-40d6-8291-fd4516dbc893\",\"meta\":{\"target_revision_id\":19442,\"drupal_internal__target_id\":3502}},{\"type\":\"paragraph--page_section\",\"id\":\"cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa\",\"meta\":{\"target_revision_id\":19443,\"drupal_internal__target_id\":3503}},{\"type\":\"paragraph--page_section\",\"id\":\"a46d03b7-7478-40f1-a7da-3171ffcfaa2d\",\"meta\":{\"target_revision_id\":19444,\"drupal_internal__target_id\":3504}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_page_section?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_page_section?resourceVersion=id%3A5941\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"28dbad4c-79e6-4f83-bc5e-965ba6aa4926\",\"meta\":{\"target_revision_id\":19445,\"drupal_internal__target_id\":656}},{\"type\":\"paragraph--internal_link\",\"id\":\"9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2\",\"meta\":{\"target_revision_id\":19446,\"drupal_internal__target_id\":661}},{\"type\":\"paragraph--internal_link\",\"id\":\"77c203ce-2da8-4200-986c-1093acc2ff5a\",\"meta\":{\"target_revision_id\":19447,\"drupal_internal__target_id\":671}},{\"type\":\"paragraph--internal_link\",\"id\":\"50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a\",\"meta\":{\"target_revision_id\":19448,\"drupal_internal__target_id\":676}},{\"type\":\"paragraph--internal_link\",\"id\":\"c4a332dc-02ea-48f6-9c08-c12ca06e62b5\",\"meta\":{\"target_revision_id\":19449,\"drupal_internal__target_id\":681}},{\"type\":\"paragraph--internal_link\",\"id\":\"5cc61db4-e2f7-43ad-b914-3661d73886e9\",\"meta\":{\"target_revision_id\":19450,\"drupal_internal__target_id\":3505}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_related_collection?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_related_collection?resourceVersion=id%3A5941\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_resource_type?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_resource_type?resourceVersion=id%3A5941\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_roles?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_roles?resourceVersion=id%3A5941\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_topics?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_topics?resourceVersion=id%3A5941\"}}}}},{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b?resourceVersion=id%3A5999\"}},\"attributes\":{\"drupal_internal__nid\":261,\"drupal_internal__vid\":5999,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-05T18:41:37+00:00\",\"status\":true,\"title\":\"CMS FISMA Continuous Tracking System (CFACTS)\",\"created\":\"2022-08-26T14:57:02+00:00\",\"changed\":\"2024-12-05T18:41:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"pid\":251,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ciso@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team \",\"field_short_description\":{\"value\":\"CFACTS is a CMS database that tracks application security deficiencies and POA\u0026Ms, and supports the ATO process\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCFACTS is a CMS database that tracks application security deficiencies and POA\u0026amp;Ms, and supports the ATO process\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cfacts_community\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/node_type?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/node_type?resourceVersion=id%3A5999\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/revision_uid?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/revision_uid?resourceVersion=id%3A5999\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/uid?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/uid?resourceVersion=id%3A5999\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"963db416-cca0-421d-8c3e-40c8e2ce190f\",\"meta\":{\"target_revision_id\":19655,\"drupal_internal__target_id\":2101}},{\"type\":\"paragraph--page_section\",\"id\":\"9b87eb1d-cb43-472b-9b5b-8618d2688563\",\"meta\":{\"target_revision_id\":19660,\"drupal_internal__target_id\":446}},{\"type\":\"paragraph--page_section\",\"id\":\"122a8de9-c38d-492b-bc93-b43b270f2933\",\"meta\":{\"target_revision_id\":19666,\"drupal_internal__target_id\":1781}},{\"type\":\"paragraph--page_section\",\"id\":\"594617c8-824a-4962-aa08-fdf8dd4677fb\",\"meta\":{\"target_revision_id\":19667,\"drupal_internal__target_id\":3468}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_page_section?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_page_section?resourceVersion=id%3A5999\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"76dcb171-ae0a-42ba-b330-b93b63633cdd\",\"meta\":{\"target_revision_id\":19668,\"drupal_internal__target_id\":1816}},{\"type\":\"paragraph--internal_link\",\"id\":\"7f340091-9774-491a-817d-0cdfaf0c72d1\",\"meta\":{\"target_revision_id\":19669,\"drupal_internal__target_id\":1821}},{\"type\":\"paragraph--internal_link\",\"id\":\"4b7486bb-57c5-440b-b07c-54deb80f1ca1\",\"meta\":{\"target_revision_id\":19670,\"drupal_internal__target_id\":1826}},{\"type\":\"paragraph--internal_link\",\"id\":\"d72a41d1-1d17-452f-9375-aea58d84e8e7\",\"meta\":{\"target_revision_id\":19671,\"drupal_internal__target_id\":1831}},{\"type\":\"paragraph--internal_link\",\"id\":\"726e3057-d549-4d7d-80c7-0f4c5d5f8007\",\"meta\":{\"target_revision_id\":19672,\"drupal_internal__target_id\":3462}},{\"type\":\"paragraph--internal_link\",\"id\":\"dbde5fa8-5137-4df4-af83-a4330e0778c7\",\"meta\":{\"target_revision_id\":19673,\"drupal_internal__target_id\":3463}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_related_collection?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_related_collection?resourceVersion=id%3A5999\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_resource_type?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_resource_type?resourceVersion=id%3A5999\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_roles?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_roles?resourceVersion=id%3A5999\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_topics?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_topics?resourceVersion=id%3A5999\"}}}}},{\"type\":\"node--explainer\",\"id\":\"6586d174-482d-43d2-9d86-2f0a42dc8a81\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81?resourceVersion=id%3A5754\"}},\"attributes\":{\"drupal_internal__nid\":396,\"drupal_internal__vid\":5754,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T15:53:09+00:00\",\"status\":true,\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"created\":\"2022-08-29T16:56:42+00:00\",\"changed\":\"2024-08-05T15:53:09+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/plan-action-and-milestones-poam\",\"pid\":386,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"A corrective action plan roadmap to address system weaknesses and the resources required to fix them\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA corrective action plan roadmap to address system weaknesses and the resources required to fix them\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cra-help\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/node_type?resourceVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/node_type?resourceVersion=id%3A5754\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/revision_uid?resourceVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/revision_uid?resourceVersion=id%3A5754\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/uid?resourceVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/uid?resourceVersion=id%3A5754\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"7a011f0b-d154-4824-a3d9-ab6d2d897205\",\"meta\":{\"target_revision_id\":19037,\"drupal_internal__target_id\":506}},{\"type\":\"paragraph--page_section\",\"id\":\"ee1fabb0-058d-4b71-a7db-8a9ce8319795\",\"meta\":{\"target_revision_id\":19038,\"drupal_internal__target_id\":3385}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/field_page_section?resourceVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/field_page_section?resourceVersion=id%3A5754\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"df30d570-d5dc-431f-bec8-3054b29243cb\",\"meta\":{\"target_revision_id\":19039,\"drupal_internal__target_id\":2041}},{\"type\":\"paragraph--internal_link\",\"id\":\"4bccf275-df68-449d-8a48-3ba2274c322a\",\"meta\":{\"target_revision_id\":19040,\"drupal_internal__target_id\":2046}},{\"type\":\"paragraph--internal_link\",\"id\":\"443bfeb0-96a1-4b88-bd6d-d93d1d744e64\",\"meta\":{\"target_revision_id\":19041,\"drupal_internal__target_id\":2051}},{\"type\":\"paragraph--internal_link\",\"id\":\"71549f27-6a6b-4a16-9304-6208d994604a\",\"meta\":{\"target_revision_id\":19042,\"drupal_internal__target_id\":2056}},{\"type\":\"paragraph--internal_link\",\"id\":\"ab8baea5-3667-47bd-b2c5-a8b59a3847ac\",\"meta\":{\"target_revision_id\":19043,\"drupal_internal__target_id\":2061}},{\"type\":\"paragraph--internal_link\",\"id\":\"6b40f485-c76e-44f6-8489-9bbf991c1f6c\",\"meta\":{\"target_revision_id\":19044,\"drupal_internal__target_id\":2551}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/field_related_collection?resourceVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/field_related_collection?resourceVersion=id%3A5754\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/field_resource_type?resourceVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/field_resource_type?resourceVersion=id%3A5754\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/field_roles?resourceVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/field_roles?resourceVersion=id%3A5754\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/field_topics?resourceVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/field_topics?resourceVersion=id%3A5754\"}}}}},{\"type\":\"node--explainer\",\"id\":\"79350126-ac6b-4afd-8fb7-f5814702ddb2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2?resourceVersion=id%3A5170\"}},\"attributes\":{\"drupal_internal__nid\":256,\"drupal_internal__vid\":5170,\"langcode\":\"en\",\"revision_timestamp\":\"2024-01-05T17:56:20+00:00\",\"status\":true,\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"created\":\"2022-08-26T14:55:57+00:00\",\"changed\":\"2024-01-05T17:56:20+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"pid\":246,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"Report incidents in ServiceNOW\",\"field_short_description\":{\"value\":\"The CCIC uses data to address incidents through risk management and monitoring activities across CMS \",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThe CCIC uses data to address incidents through risk management and monitoring activities across CMS\u003c/p\u003e\\n\"},\"field_slack_channel\":[]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/node_type?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/node_type?resourceVersion=id%3A5170\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"meta\":{\"drupal_internal__target_id\":36}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/revision_uid?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/revision_uid?resourceVersion=id%3A5170\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/uid?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/uid?resourceVersion=id%3A5170\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"59fda20c-2255-44ef-9fb0-d0834c579aa4\",\"meta\":{\"target_revision_id\":16462,\"drupal_internal__target_id\":3363}},{\"type\":\"paragraph--page_section\",\"id\":\"859d0236-1261-46a5-b0de-417573614a67\",\"meta\":{\"target_revision_id\":16464,\"drupal_internal__target_id\":3365}},{\"type\":\"paragraph--page_section\",\"id\":\"b4617ce8-95fc-4897-818b-c27cc6651aa2\",\"meta\":{\"target_revision_id\":16466,\"drupal_internal__target_id\":3367}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/field_page_section?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/field_page_section?resourceVersion=id%3A5170\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7\",\"meta\":{\"target_revision_id\":16467,\"drupal_internal__target_id\":3368}},{\"type\":\"paragraph--internal_link\",\"id\":\"fc107bc4-832c-47e5-9f84-8235407eeed2\",\"meta\":{\"target_revision_id\":16468,\"drupal_internal__target_id\":3369}},{\"type\":\"paragraph--internal_link\",\"id\":\"d51b0447-02a5-4951-bc45-42b3b7ae745b\",\"meta\":{\"target_revision_id\":16469,\"drupal_internal__target_id\":3370}},{\"type\":\"paragraph--internal_link\",\"id\":\"4090ef92-e750-496d-8230-dcec4f6d312d\",\"meta\":{\"target_revision_id\":16470,\"drupal_internal__target_id\":3371}},{\"type\":\"paragraph--internal_link\",\"id\":\"d8afa351-48fa-446c-9491-7865d51b2f72\",\"meta\":{\"target_revision_id\":16471,\"drupal_internal__target_id\":3372}},{\"type\":\"paragraph--internal_link\",\"id\":\"010ab69b-b5ce-499a-a760-d3c0af6a37a8\",\"meta\":{\"target_revision_id\":16472,\"drupal_internal__target_id\":3373}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/field_related_collection?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/field_related_collection?resourceVersion=id%3A5170\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/field_resource_type?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/field_resource_type?resourceVersion=id%3A5170\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/field_roles?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/field_roles?resourceVersion=id%3A5170\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":{\"drupal_internal__target_id\":46}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/field_topics?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/field_topics?resourceVersion=id%3A5170\"}}}}},{\"type\":\"node--blog\",\"id\":\"ad85d9c2-1286-4564-90a1-f8dfba013c3f\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f?resourceVersion=id%3A5815\"}},\"attributes\":{\"drupal_internal__nid\":1117,\"drupal_internal__vid\":5815,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-06T15:55:22+00:00\",\"status\":true,\"title\":\"CMS Cybersecurity Integration Center (CCIC) Red Team Engagements\",\"created\":\"2023-06-14T17:54:25+00:00\",\"changed\":\"2024-08-06T15:55:22+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/posts/cms-cybersecurity-integration-center-ccic-red-team-engagements\",\"pid\":972,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1c\",\"format\":\"body_text\",\"processed\":\"$1d\",\"summary\":\"\"},\"field_short_description\":{\"value\":\"CCIC Red Team Engagements help strengthen your system's defenses against real-world threat actors\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCCIC Red Team Engagements help strengthen your system\u0026#039;s defenses against real-world threat actors\u003c/p\u003e\\n\"},\"field_video_link\":null},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"f382c03e-0cc5-4892-aa46-653a2d90fc05\",\"meta\":{\"drupal_internal__target_id\":\"blog\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/node_type?resourceVersion=id%3A5815\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/node_type?resourceVersion=id%3A5815\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"c34b79d4-f936-45dd-968f-7efc22d4370b\",\"meta\":{\"drupal_internal__target_id\":94}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/revision_uid?resourceVersion=id%3A5815\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/revision_uid?resourceVersion=id%3A5815\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/uid?resourceVersion=id%3A5815\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/uid?resourceVersion=id%3A5815\"}}},\"field_cover_image\":{\"data\":{\"type\":\"media--blog_cover_image\",\"id\":\"ddd76d53-b84b-4de2-8c73-73ed5072381e\",\"meta\":{\"drupal_internal__target_id\":221}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/field_cover_image?resourceVersion=id%3A5815\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/field_cover_image?resourceVersion=id%3A5815\"}}},\"field_publisher_group\":{\"data\":{\"type\":\"group--team\",\"id\":\"1465e196-2728-442c-add2-7dd02e5cc3b2\",\"meta\":{\"drupal_internal__target_id\":31}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/field_publisher_group?resourceVersion=id%3A5815\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/field_publisher_group?resourceVersion=id%3A5815\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"cccd136f-b478-40f0-8ff8-fd73f75f4ab0\",\"meta\":{\"drupal_internal__target_id\":106}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/field_resource_type?resourceVersion=id%3A5815\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/field_resource_type?resourceVersion=id%3A5815\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/field_roles?resourceVersion=id%3A5815\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/field_roles?resourceVersion=id%3A5815\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":{\"drupal_internal__target_id\":46}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/field_topics?resourceVersion=id%3A5815\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/ad85d9c2-1286-4564-90a1-f8dfba013c3f/relationships/field_topics?resourceVersion=id%3A5815\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1e\",\"94466ab9-93ba-4374-964a-cac08e0505c1\":\"$28\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$2c\",\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\":\"$30\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$4a\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$64\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$7e\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$98\",\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\":\"$b2\",\"0534f7e2-9894-488d-a526-3c0255df2ad5\":\"$cc\",\"9ce3ee98-23ca-4e7f-aba7-eb85e992ee97\":\"$e6\",\"7b5e13a5-a70b-4570-8feb-183ff1d4fae9\":\"$fb\",\"5c56be77-6e63-4713-80cb-8efc2966a029\":\"$10e\",\"a7c47ed1-07a0-4487-8538-27c56a8e48d2\":\"$11d\",\"44807064-0310-448f-8f66-09ee2ff9b17d\":\"$12f\",\"825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb\":\"$141\",\"8d631ecf-4c48-46d2-b8f2-5db69fd03245\":\"$153\",\"2121533f-ed8e-4292-81c3-c9c5f3b88c42\":\"$165\",\"e3a2533a-0128-4439-8ca5-a56210aa267e\":\"$177\",\"defa7277-790b-4bbd-b6ee-cc539e121df2\":\"$189\",\"a74e943d-f87d-4688-81e7-65a4013fa320\":\"$1d3\",\"de0901ae-4ea5-491c-badd-90a32da3989b\":\"$229\",\"6586d174-482d-43d2-9d86-2f0a42dc8a81\":\"$27d\",\"79350126-ac6b-4afd-8fb7-f5814702ddb2\":\"$2cd\",\"ad85d9c2-1286-4564-90a1-f8dfba013c3f\":\"$31d\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Penetration Testing (PenTesting) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/penetration-testing-pentesting\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"Penetration Testing (PenTesting) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/penetration-testing-pentesting\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/penetration-testing-pentesting/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"Penetration Testing (PenTesting) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/penetration-testing-pentesting/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>
Reference in a new issue View git blame Copy permalink