<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>Zero Trust | CMS Information Security & Privacy Group</title><meta name="description" content="Security paradigm that requires the continuous verification of system users to 
promote system security"/><link rel="canonical" href="https://security.cms.gov/learn/zero-trust"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="Zero Trust | CMS Information Security & Privacy Group"/><meta property="og:description" content="Security paradigm that requires the continuous verification of system users to promote system security"/><meta property="og:url" content="https://security.cms.gov/learn/zero-trust"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/zero-trust/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Zero Trust | CMS Information Security & Privacy Group"/><meta name="twitter:description" content="Security paradigm that requires the continuous verification of system users to promote system security"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/zero-trust/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" 
decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=16&q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here's how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here's how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" 
focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative 
nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div 
class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance & Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance & Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of 
authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments & Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy & Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy & Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a 
class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium 
tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response 
Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accountability Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools & Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools & Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting & Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System 
Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests & Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use 
href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">Zero Trust </h1><p class="hero__description">Security paradigm that requires the continuous verification of system users to promote system security</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">Zero Trust Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:ISPGZeroTrust@cms.hhs.gov">ISPGZeroTrust@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 margin-top-0">#cms-zero-trust</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none 
tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>What is Zero Trust?</h2><p>Zero Trust is a security model that is built on continuous validation at every stage of digital interaction. The Zero Trust (ZT) security model, also known as Zero Trust Architecture (ZTA), maintains that no user or application should be trusted by default. As a result, organizations that implement a Zero Trust model move from checking permissions only at initial sign-on to continuously checking permissions as users or devices move through a system. This constant validation provides enhanced security for systems, devices, and users. Below are the associated concepts and policies that go hand-in-hand with the Zero Trust model.</p><h3>Zero Trust policy: least privilege</h3><p>The policy of least privilege is associated with the Zero Trust model and is designed to give users the least amount of access to a system or device that is required to complete a task. For example, if a system administrator wants to add new users to a given system, only that single permission is granted to complete that task. If the same system administrator wants to perform a different task, like deleting inactive users, their permissions will need to be reevaluated. In this scenario, the extra level of authentication prevents a malicious user from being able to casually use sensitive privileges like deleting users; it also prevents accidents from happening through trusted user error.</p><h3>Zero Trust policy: assuming compromise</h3><p>Assuming compromise means just what it says: as part of the Zero Trust model, we assume that our systems have been compromised by threats. 
To increase our overall security posture, we design our systems to limit access to data and networks. Limitations can look like restricted connections between networks or different applications. These limitations can prevent malicious users from accessing sensitive data or data that lives on unrelated networks or applications.</p><p>As CMS moves toward a Zero Trust model, you may notice some changes in how you sign in to devices and systems at work. This isn’t because we don’t trust you – we just want to be sure that the person logging in is you so that you can keep doing the great work you do.</p><h3>Where did Zero Trust come from?</h3><p>In May 2021, the Biden Administration issued <a href="https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity">Executive Order (EO) 14028</a>, charging federal agencies with the task of modernizing and enhancing cybersecurity. Executive Order 14028 was quickly followed by guidance from the <a href="https://zerotrust.cyber.gov/federal-zero-trust-strategy">Office of Management and Budget (M-22-09)</a> recommending the introduction of Zero Trust security practices and offering specific steps agencies needed to take to implement them. So what is Zero Trust (ZT), and how will these important changes impact your daily work?</p><h2>Zero Trust at CMS</h2><p>CMS’s transition to Zero Trust is a journey. It will involve a series of small adjustments over time that will allow our agency to transition from a traditional perimeter-based security model to a system of continuous authorization, authentication, and validation. 
You may have already noticed some of the important changes that have been implemented to support Zero Trust at CMS including:</p><ul><li>The introduction of <a href="/learn/cms-cloud-services">CMS Cloud</a></li><li>Our move to the Zscaler integrated platform</li><li>The use of PIV credentials for user authentication</li></ul><p>There is no single tool that CMS can deploy to instantly implement Zero Trust across all systems; different system architectures will be necessary for different environments. To create those custom architectures, CMS is using the <a href="https://www.cisa.gov/zero-trust-maturity-model">Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model</a>.</p><h3>CISA Zero Trust Maturity Model</h3><p>The CISA Zero Trust Maturity Model (ZTMM) is a roadmap designed to transition federal agencies to Zero Trust by assessing their current security stance and recommending specific changes that will improve security moving forward. (<a href="https://security.cms.gov/posts/zero-trust-maturity-model-version-2-now-less-trust">Learn more about the ZTMM here</a>.) </p><h3>Zero Trust pillars</h3><p>The model assesses system components, referred to as “pillars”, as well as general details regarding system <strong>visibility and analytics</strong> (how information is collected), <strong>automation and orchestration </strong>(how security is created through automated processes), and <strong>governance</strong> (the policies that guide the work). </p><ul><li><strong>Identity</strong> – An attribute or set of attributes that describe a CMS user.</li><li><strong>Devices</strong> – A hardware asset that can be connected to a network, such as a laptop or mobile device provided by CMS. Devices can also include virtual machines and containers. 
</li><li><strong>Networks</strong> – Internal CMS networks, data centers, and internet-based networks.</li><li><strong>Applications and workloads</strong> – CMS systems, computer programs, and services that execute on-premises, as well as in a cloud environment.</li><li><strong>Data</strong> – Information that CMS collects, from documents to information collected from the public to fulfill our mission.</li></ul><h3>Stages of Zero Trust maturity</h3><p>For each pillar, there are specific things we can measure to determine the degree to which an organization has reached Zero Trust maturity. Full information about the maturity stages for each pillar can be found in the ZTMM itself.</p><p>In general, these are the stages that will help CMS track progress towards full adoption and implementation of Zero Trust standards.</p><p><strong>Traditional</strong></p><p>The traditional level of maturity is marked by manually configured lifecycles (i.e., from establishment to decommissioning) and assignments of attributes (security and logging); static security policies and solutions that address one pillar at a time with discrete dependencies on external systems; manual response and mitigation deployment; least privilege established only at provisioning; siloed pillars of policy enforcement; and limited correlation of dependencies, logs, and telemetry.</p><p><strong>Initial</strong></p><p>At the level described as initial, increased maturity is demonstrated by starting automation of attribute assignment and configuration of lifecycles, policy decisions, and enforcement; some initial responsive changes to least privilege after provisioning; cross-pillar solutions with integration of external systems; and aggregated visibility for internal systems.</p><p><strong>Advanced</strong></p><p>The advanced level of maturity is demonstrated, wherever applicable, by automated controls for lifecycle and assignment of configurations and policies with cross-pillar coordination; response to pre-defined 
mitigations; changes to least privilege based on risk and posture assessments; policy enforcement integrated across pillars; and centralized visibility and identity control building toward enterprise-wide awareness (including externally hosted resources).</p><p><strong>Optimal</strong></p><p>The optimal level of maturity is demonstrated by fully automated, just-in-time lifecycles and assignments of attributes to assets and resources that self-report with dynamic policies based on automated/observed triggers; dynamic least privilege access (just-enough and within thresholds) for assets and their respective dependencies enterprise-wide; cross-pillar interoperability with continuous monitoring; and centralized visibility with comprehensive situational awareness.</p><p>As our Zero Trust rollout continues, System Owners will work with their teams to evaluate their desired level of maturity. While Optimal maturity is the goal for many systems, not all systems will be required to achieve it. Most systems will be required to achieve Advanced maturity, and many systems will be able to use CMS-wide tooling to make changes as your specific system requirements are defined.</p><p>In general, this process will start with homogeneous cloud environments that use the same software and devices. We will then move on to custom environments and systems until all CMS systems have been properly evaluated.</p><h2>Zero Trust and compliance</h2><p>While Zero Trust is not a compliance framework, its principles complement the existing compliance frameworks at <a href="/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS like Acceptable Risk Safeguards 5.1</a>.</p><p>ARS 5.1 already supports many of the best practices offered by Zero Trust, such as the least privilege policy for certain levels of systems (e.g. High and Moderate) and the assumed compromise policy. 
As all CMS systems move to Zero Trust Architecture, System Owners are encouraged to add their own flair and implement tools and resources that will keep their systems compliant and push them closer to Optimal maturity. As specific implementation expectations are developed, they will be incorporated into future versions of ARS.</p><p>ISSOs and others directly involved in the compliance process for CMS systems should watch for news and updates from ISPG for information related to Zero Trust implementation and its impact on compliance activities.</p><h2>How will Zero Trust impact me?</h2><p>Many of the Zero Trust improvements implemented by CMS will be invisible to users. You may see more instances where you’re asked to provide two-factor authentication when accessing websites and apps. Since you’re using your work computer, your device will share information with CMS about the status of your system. For example, our networks will know if your computer patches are up to date and if there is a valid device certificate. This information not only keeps your computer and CMS systems safe and secure, but it also increases the amount of trust that CMS has that the person logging in is you.</p><p>Throughout the Zero Trust rollout at CMS, we will introduce new tools that will streamline existing processes while also increasing security. Members of OIT or others who run IT infrastructure at CMS will see the biggest changes, and overall, it should improve security while reducing burdens.</p><p>Application Owners will also see changes as the environments they are in have more ZT features available, such as additional multi-factor authentication options for users or increased network encryption. 
These changes will make applications and systems more resilient to malicious attacks.</p><h2>Zero Trust FAQs</h2><p><strong>Where can I read about Zero Trust features, functionality, or offerings applicable to CMS?</strong></p><p>CyberGeek is a great place to get started reading more about how Zero Trust will apply to CMS. Most of what we store here will be overviews, though, so as we have more features and functionality available, we will need to move that to internal knowledge repositories.</p><p>For the latest Zero Trust news and updates, see <a href="https://security.cms.gov/posts?ispg%5Bmenu%5D%5Bpublisher_title%5D=Zero%20Trust%20Team">Zero Trust articles on the CyberGeek blog</a>.</p><p>To the extent possible, we will keep Zero Trust information near where you will use it. If you are building your applications on CMS Cloud, you can find more specific information on <a href="https://cloud.cms.gov">cloud.cms.gov</a>. We also have spaces on the internal CODA site and Slack for more information. We also focus on keeping the ISSO community informed through the monthly <a href="https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP&title=CMS+ISSO+Forum">CMS Cybersecurity Community Forum</a> (requires CMS login), announcements in Slack, and <a href="https://security.cms.gov/posts/read-cms-isso-journal">the ISSO Journal</a>.</p><p><strong>What is changing for CMS?</strong></p><p>Right now? Not much. Over time we will roll out more options for multi-factor authentication, access control for data, and micro-segmentation within subnets and applications. A lot of the changes are going to be on a case-by-case basis, though, so it’s hard to say if there is something everyone is going to have to change.</p><p><strong>When will we get information on what we need to do on an ADO level? 
What other processes can we pilot/test drive for you?</strong></p><p>HHS now requires CMS to report on the Zero Trust Maturity of each of our FISMA systems twice a year, so that helps teams identify areas where there is room for improvement. ISPG is not currently (as of September 2024) requiring specific improvements; all improvements are voluntary. The <a href="https://cloud.cms.gov/zero-trust-maturity-for-aws-on-cms-cloud">CMS Hybrid Cloud website</a> has some suggestions for areas to focus on.</p><p>Requests for volunteer ADOs to help us try new Zero Trust techniques are distributed via the <a href="https://security.cms.gov/learn/zero-trust#zero-trust-ambassador-program">Zero Trust Ambassadors Program</a> and <a href="https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP&title=CMS+ISSO+Forum">CMS Cybersecurity Community Forum</a> (requires CMS login).</p><p><strong>How will Zero Trust affect making information accessible to CMS staff and CMS contractors?</strong></p><p>Ideally, we will make it easier to make data and information accessible to CMS staff, contractors, and consultants. The increased use of attribute-based access control through various systems at our disposal can allow us to adapt what data is accessible by authorized persons based on other factors like what team they are on, what role they have, and whether they are using GFE that is up to date. These changes will be made in upstream systems like IDM/Okta and Kion (née CloudTamer) so that they can be used easily by different teams.</p><p><strong>The Maturity Framework Evaluation appears to be scoring questions for an entire team at once: 1/2/3/4 points based on the status of all the systems. But it’s rare to be equally mature across all systems: perhaps user-facing applications are integrated with the agency’s external identity management system, but a tool for team administrators like CI/CD is not. 
Wouldn’t you get a better view of the team’s maturity by asking separately about those systems?</strong></p><p>That is a great observation and one that we arrived at when we were adapting the CISA Zero Trust Maturity Model to CMS. CISA’s original only had one function listed for Authentication, which was pretty general. When reviewing the CISA Model, we decided to split the authentication questions into three (3) parts:</p><ul><li>ADO staff/developers</li><li>Interactive users of websites</li><li>API users</li></ul><p>We recognize that the technology needed for each of those is different and likely matures at different levels. It is a tough balance being granular enough to tease out distinctions like different kinds of users, but not so granular that we have to ask 200 questions to judge maturity level.</p><p><strong>How can my system get a Zero Trust evaluation?</strong></p><p>Reach out with your request to the <a href="mailto:ISPGZeroTrust@cms.hhs.gov">ISPG Zero Trust Team</a>. Include information about your system:</p><ul><li>Name and Acronym</li><li>Environment it runs in (e.g. AWS for CMS Cloud, Azure for CMS Cloud, Ashburn, etc.)</li><li>Names and email addresses of other people to be involved</li></ul><h2>Zero Trust Ambassador Program</h2><p>The <strong>Zero Trust Ambassador Program</strong> is for ISSOs, Security Engineers, Network Engineers, and Application developers who work on systems at CMS. It gives you access to additional Zero Trust content related to CMS environments, so you can:</p><ul><li>Learn more about Zero Trust security</li><li>Test new Zero Trust recommendations</li><li>Share Zero Trust practices with your team</li></ul><p>If your team is working on increasing your Zero Trust maturity, this program is for you! 
Resources include:</p><p><strong>Monthly newsletter</strong> -- with highlights from Zero Trust articles, upcoming presentation topics, and a handy reference guide.</p><p><a href="https://public.govdelivery.com/accounts/USCMS/subscriber/new?topic_id=USCMS_13166">Sign up for the newsletter here</a>.</p><p><strong>Zero Trust articles</strong> -- with the latest tips and information from the Zero Trust team at CMS.</p><p><a href="https://security.cms.gov/posts?ispg%5Bmenu%5D%5Bpublisher_title%5D=Zero%20Trust%20Team">See Zero Trust articles</a> on the ISPG News & Updates blog.</p><p><strong>Monthly Office Hours</strong> -- where you can connect with the Zero Trust Working Group, hear presentations from special guests, and ask questions. Office Hours information is listed below.</p><h2>Zero Trust Ambassador Office Hours</h2><p>Each month, the Zero Trust Working Group holds Office Hours featuring a half hour Zero Trust presentation and a half hour for questions. Office Hours are the <strong>3rd Tuesday of the month at 1pm ET</strong>. New time for 2025!</p><p><a href="https://cms.zoomgov.com/meeting/register/57oW2jbfTT6bnGPiEiz_5Q">Register for upcoming Office Hours here</a>. 
There is a new series for 2025.</p><p><a href="https://confluenceent.cms.gov/display/ISPG/Zero+Trust+Ambassador+Program">Past meeting recordings and presentation decks are here</a> (link requires a CMS login to access).</p></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/posts/7-tenets-zero-trust-issos-and-ados">The 7 Tenets of Zero Trust for ISSOs and ADOs</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>A guide to help ADO and ISSOs understand and implement Zero Trust practices </p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/posts/cryptographic-agility-zeitgeist">Cryptographic agility in the zeitgeist</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Cryptographic agility has become a topic for Federal security teams to address. 
This post helps explain what it is and why we are talking about it now.</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/posts/three-elements-cryptographic-agility">Three elements of cryptographic agility</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Cryptographic agility is achieved through modern crypto, accurate inventories, and engineering in the ability to make encryption changes quickly and efficiently</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/national-institute-standards-and-technology-nist">National Institute of Standards and Technology (NIST)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Information about NIST and how the agency's policies and guidance relate to security and privacy at CMS</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/federal-information-security-modernization-act-fisma">Federal Information Security Modernization Act (FISMA)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>FISMA is federal legislation that defines a framework of guidelines and security standards to protect government information and operations</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 
class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/fedramp">Federal Risk and Authorization Management Program (FedRAMP)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Provides a federally-recognized and standardized security framework for all cloud products and services</p></div></div></li></ul></div></div></main>
Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement 
(IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accountability Act 
(HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System 
Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian 
Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization 
(OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis 
(SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email 
Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat 
Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and 
Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accountability Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) 
Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer 
(ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor 
(CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture 
(TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program 
(CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy 
(IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization 
Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice 
(SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 
Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row 
grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock 
icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not 
found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:T4489,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is Zero Trust?\u003c/h2\u003e\u003cp\u003eZero Trust is a security model that is built on continuous validation at every stage of digital interaction. The Zero Trust (ZT) security model, also known as Zero Trust Architecture (ZTA), maintains that no user or application should be trusted by default. As a result, organizations that implement a Zero Trust model move from checking permissions only at initial sign-on to continuously checking permissions as users or devices move through a system. This constant validation provides enhanced security for systems, devices, and users. Below are the associated concepts and policies that go hand-in-hand with the Zero Trust model.\u003c/p\u003e\u003ch3\u003eZero Trust policy: least privilege\u003c/h3\u003e\u003cp\u003eThe policy of least privilege is associated with the Zero Trust model and is designed to give users the least amount of access to a system or device that is required to complete a task. 
For example, if a system administrator wants to add new users to a given system, only that single permission is granted to complete that task. If the same system administrator wants to perform a different task, like deleting inactive users, their permissions will need to be reevaluated. In this scenario, the extra permission check prevents a malicious user from being able to casually use sensitive privileges like deleting users; it also prevents accidents caused by trusted users' errors.\u003c/p\u003e\u003ch3\u003eZero Trust policy: assuming compromise\u003c/h3\u003e\u003cp\u003eAssuming compromise means just what it says: as part of the Zero Trust model, we assume that our systems have been compromised by threats. To strengthen our overall security posture, we design our systems to limit access to data and networks. Limitations can look like restricted connections between networks or different applications. These limitations can prevent malicious users from accessing sensitive data or data that lives on unrelated networks or applications.\u003c/p\u003e\u003cp\u003eAs CMS moves toward a Zero Trust model, you may notice some changes in how you sign in to devices and systems at work. This isn’t because we don’t trust you – we just want to be sure that the person logging in is you so that you can keep doing the great work you do.\u003c/p\u003e\u003ch3\u003eWhere did Zero Trust come from?\u003c/h3\u003e\u003cp\u003eIn May 2021, the Biden Administration issued \u003ca href=\"https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity\"\u003eExecutive Order (EO) 14028\u003c/a\u003e, charging federal agencies with the task of modernizing and enhancing cybersecurity. 
Executive Order 14028 was quickly followed by guidance from the \u003ca href=\"https://zerotrust.cyber.gov/federal-zero-trust-strategy\"\u003eOffice of Management and Budget (M-22-09)\u003c/a\u003e recommending the introduction of Zero Trust security practices and offering specific steps agencies needed to take to implement them. So what is Zero Trust (ZT), and how will these important changes impact your daily work?\u003c/p\u003e\u003ch2\u003eZero Trust at CMS\u003c/h2\u003e\u003cp\u003eCMS’s transition to Zero Trust is a journey. It will involve a series of small adjustments over time that will allow our agency to transition from a traditional perimeter-based security model to a system of continuous authorization, authentication, and validation. You may have already noticed some of the important changes that have been implemented to support Zero Trust at CMS including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe introduction of \u003ca href=\"/learn/cms-cloud-services\"\u003eCMS Cloud\u003c/a\u003e\u003c/li\u003e\u003cli\u003eOur move to the Zscaler integrated platform\u003c/li\u003e\u003cli\u003eThe use of PIV credentials for user authentication\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThere is no single tool that CMS can deploy to instantly implement Zero Trust across all systems; different system architectures will be necessary for different environments. To create those custom architectures, CMS is using the \u003ca href=\"https://www.cisa.gov/zero-trust-maturity-model\"\u003eCybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003eCISA Zero Trust Maturity Model\u003c/h3\u003e\u003cp\u003eThe CISA Zero Trust Maturity Model (ZTMM) is a roadmap designed to transition federal agencies to Zero Trust by assessing their current security stance and recommending specific changes that will improve security moving forward. 
(\u003ca href=\"https://security.cms.gov/posts/zero-trust-maturity-model-version-2-now-less-trust\"\u003eLearn more about the ZTMM here\u003c/a\u003e.)\u0026nbsp;\u003c/p\u003e\u003ch3\u003eZero Trust pillars\u003c/h3\u003e\u003cp\u003eThe model assesses system components, referred to as “pillars”, as well as general details regarding system \u003cstrong\u003evisibility and analytics\u003c/strong\u003e (how information is collected), \u003cstrong\u003eautomation and orchestration \u003c/strong\u003e(how security is created through automated processes), and \u003cstrong\u003egovernance\u003c/strong\u003e (the policies that guide the work).\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eIdentity\u003c/strong\u003e – An attribute or set of attributes that describe a CMS user.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eDevices\u003c/strong\u003e – A hardware asset that can be connected to a network, such as a laptop or mobile device provided by CMS. Devices can also include virtual machines and containers.\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eNetworks\u003c/strong\u003e – Internal CMS networks, data centers, and internet-based networks.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eApplications and workloads\u003c/strong\u003e – CMS systems, computer programs, and services that execute on-premise, as well as in a cloud environment.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eData\u003c/strong\u003e – Information that CMS collects, from documents to information collected from the public to fulfill our mission.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eStages of Zero Trust maturity\u003c/h3\u003e\u003cp\u003eFor each pillar, there are specific things we can measure to determine the degree to which an organization has reached Zero Trust maturity. 
Full information about the maturity stages for each pillar can be found in the ZTMM itself.\u003c/p\u003e\u003cp\u003eIn general, these are the stages that will help CMS track progress towards full adoption and implementation of Zero Trust standards.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTraditional\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe traditional level of maturity is marked by manually configured lifecycles (i.e., from establishment to decommissioning) and assignments of attributes (security and logging); static security policies and solutions that address one pillar at a time with discrete dependencies on external systems; manual response and mitigation deployment; least privilege established only at provisioning; siloed pillars of policy enforcement; and limited correlation of dependencies, logs, and telemetry.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInitial\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAt the level described as initial, increased maturity is demonstrated by starting automation of attribute assignment and configuration of lifecycles, policy decisions, and enforcement, and some initial responsive changes to least privilege after provisioning; cross-pillar solutions with integration of external systems; and aggregated visibility for internal systems.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAdvanced\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAt the advanced level of maturity, wherever applicable, automated controls for lifecycle and assignment of configurations and policies with cross-pillar coordination; response to pre-defined mitigations; changes to least privilege based on risk and posture assessments; policy enforcement integrated across pillars; and centralized visibility and identity control building toward enterprise-wide awareness (including externally hosted resources).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOptimal\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe optimal level of maturity is demonstrated 
by fully automated, just-in-time lifecycles and assignments of attributes to assets and resources that self-report with dynamic policies based on automated/observed triggers; dynamic least privilege access (just-enough and within thresholds) for assets and their respective dependencies enterprise-wide; cross-pillar interoperability with continuous monitoring; and centralized visibility with comprehensive situational awareness.\u003c/p\u003e\u003cp\u003eAs our Zero Trust rollout continues, System Owners will work with their teams to evaluate their desired level of maturity. While Optimal maturity is the goal for many systems, not all systems will be required to achieve it. Most systems will be required to achieve Advanced maturity, and many systems will be able to use CMS-wide tooling to make changes as your specific system requirements are defined.\u003c/p\u003e\u003cp\u003eIn general, this process will start with homogeneous cloud environments that use the same software and devices. We will then move on to custom environments and systems until all CMS systems have been properly evaluated.\u003c/p\u003e\u003ch2\u003eZero Trust and compliance\u003c/h2\u003e\u003cp\u003eWhile Zero Trust is not a compliance framework, its principles complement the existing compliance frameworks at \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS like Acceptable Risk Safeguards 5.1\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eARS 5.1 already supports many of the best practices offered by Zero Trust, such as the least privilege policy for certain levels of systems (e.g. High and Moderate) and the assumed compromise policy. As all CMS systems move to Zero Trust Architecture, System Owners are encouraged to add their own flair and implement tools and resources that will keep their systems compliant and push them closer to Optimal maturity. 
As specific implementation expectations are developed, they will be incorporated into future versions of ARS.\u003c/p\u003e\u003cp\u003eISSOs and others directly involved in the compliance process for CMS systems should watch for news and updates from ISPG for information related to Zero Trust implementation and its impact on compliance activities.\u003c/p\u003e\u003ch2\u003eHow will Zero Trust impact me?\u003c/h2\u003e\u003cp\u003eMany of the Zero Trust improvements implemented by CMS will be invisible to users. You may see more instances where you’re asked to provide two-factor authentication when accessing websites and apps. Since you’re using your work computer, your device will share information with CMS about the status of your system. For example, our networks will know if your computer patches are up to date and if there is a valid device certificate. This information not only keeps your computer and CMS systems safe and secure, but it also increases the amount of trust that CMS has that the person logging in is you.\u003c/p\u003e\u003cp\u003eThroughout the Zero Trust rollout at CMS, we will introduce new tools that will streamline existing processes while also increasing security. Members of OIT or others who run IT infrastructure at CMS will see the biggest changes, and overall, it should improve security while reducing burdens.\u003c/p\u003e\u003cp\u003eApplication Owners will also see changes as the environments they are in have more ZT features available, such as additional multi-factor authentication options for users or increased network encryption. These changes will make applications and systems more resilient to malicious attacks.\u003c/p\u003e\u003ch2\u003eZero Trust FAQs\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eWhere can I read about Zero Trust features, functionality, or offerings applicable to CMS?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCyberGeek is a great place to get started reading more about how Zero Trust will apply to CMS. 
Most of what we store here will be overviews, though, so as we have more features and functionality available, we will need to move that to internal knowledge repositories.\u003c/p\u003e\u003cp\u003eFor the latest Zero Trust news and updates, see \u003ca href=\"https://security.cms.gov/posts?ispg%5Bmenu%5D%5Bpublisher_title%5D=Zero%20Trust%20Team\"\u003eZero Trust articles on the CyberGeek blog\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eTo the extent possible, we will keep Zero Trust information near where you will use it. If you are building your applications on CMS Cloud, you can find more specific information on \u003ca href=\"http://cloud.cms.gov\"\u003ecloud.cms.gov\u003c/a\u003e. We also have spaces on the internal CODA site and Slack for more information. We also focus on keeping the ISSO community informed through the monthly \u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Forum\"\u003eCMS Cybersecurity Community Forum\u003c/a\u003e (requires CMS login), announcements in Slack, and \u003ca href=\"https://security.cms.gov/posts/read-cms-isso-journal\"\u003ethe ISSO Journal\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWhat is changing for CMS?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eRight now? Not much. Over time we will roll out more options for Multi-factor authentication, access control for data, and micro-segmentation within subnets and applications. A lot of the changes are going to be on a case-by-case basis, though, so it’s hard to say if there is something everyone is going to have to change.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWhen will we get information on what we need to do on an ADO level? What other processes can we pilot/test drive for you?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eHHS now requires CMS to report on the Zero Trust Maturity of each of our FISMA systems twice a year, so that helps teams identify areas where there is room for improvement. 
\u0026nbsp;ISPG is not currently (as of September 2024) requiring specific improvements; all improvements are voluntary. \u0026nbsp;\u003ca href=\"https://cloud.cms.gov/zero-trust-maturity-for-aws-on-cms-cloud\"\u003eCMS Hybrid Cloud website\u003c/a\u003e has some suggestions for areas to focus on.\u003c/p\u003e\u003cp\u003eRequests for volunteer ADOs to help us try new Zero Trust Techniques are distributed via the \u003ca href=\"https://security.cms.gov/learn/zero-trust#zero-trust-ambassador-program\"\u003eZero Trust Ambassadors Program\u003c/a\u003e and \u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Forum\"\u003eCMS Cybersecurity Community Forum\u003c/a\u003e (requires CMS login).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow will Zero Trust affect making information accessible to CMS staff and CMS contractors?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIdeally, we will make it easier to make data and information accessible to CMS staff, contractors, and consultants. The increased use of Attribute-based access control through various systems at our disposal can allow us to adapt what data is accessible by authorized persons based on other factors like what team they are on, what role they have, and if they are using GFE that is up-to-date. These changes will be made in upstream systems like IDM/Okta and Kion (nee CloudTamer) so that they can be used easily by different teams.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eThe Maturity Framework Evaluation appears to be scoring questions for an entire team at once: 1/2/3/4 points based on the status of all the systems. But it’s rare to be equally mature across all systems: perhaps user-facing applications are integrated with the agency’s external identity management system, but a tool for team administrators like CI/CD is not. 
Wouldn’t you get a better view of the team’s maturity by asking separately about those systems?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThat is a great observation and one that we arrived at when we were adapting the CISA Zero Trust Maturity Model to CMS. CISA’s original only had one function listed for Authentication, which was pretty general. When reviewing the CISA Model, we decided to split the authentication questions into three (3) parts:\u003c/p\u003e\u003cul\u003e\u003cli\u003eADO staff/developers\u003c/li\u003e\u003cli\u003eInteractive users of websites\u003c/li\u003e\u003cli\u003eAPI users\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eWe recognize that the technology needed for each of those is different and likely matures at different levels. It is a tough balance being granular enough to tease out distinctions like different kinds of users, but not too granular that we have to ask 200 questions to judge maturity level.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow can my system get a Zero Trust evaluation?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eReach out with your request to the \u003ca href=\"mailto:ISPGZeroTrust@cms.hhs.gov\"\u003eISPG Zero Trust Team\u003c/a\u003e. Include information about your system:\u003c/p\u003e\u003cul\u003e\u003cli\u003eName and Acronym\u003c/li\u003e\u003cli\u003eEnvironment it runs in (e.g. AWS for CMS Cloud, Azure for CMS Cloud, Ashburn, etc.)\u003c/li\u003e\u003cli\u003eNames and email addresses of other people to be involved\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eZero Trust Ambassador Program\u003c/h2\u003e\u003cp\u003eThe \u003cstrong\u003eZero Trust Ambassador Program\u003c/strong\u003e is for ISSOs, Security Engineers, Network Engineers, and Application developers who work on systems at CMS. 
It gives you access to additional Zero Trust content related to CMS environments, so you can:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLearn more about Zero Trust security\u003c/li\u003e\u003cli\u003eTest new Zero Trust recommendations\u003c/li\u003e\u003cli\u003eShare Zero Trust practices with your team\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your team is working on increasing your Zero Trust maturity, this program is for you! Resources include:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMonthly newsletter\u003c/strong\u003e -- with highlights from Zero Trust articles, upcoming presentation topics, and a handy reference guide.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://public.govdelivery.com/accounts/USCMS/subscriber/new?topic_id=USCMS_13166\"\u003eSign up for the newsletter here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eZero Trust articles\u003c/strong\u003e -- with the latest tips and information from the Zero Trust team at CMS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/posts?ispg%5Bmenu%5D%5Bpublisher_title%5D=Zero%20Trust%20Team\"\u003eSee Zero Trust articles\u003c/a\u003e on the ISPG News \u0026amp; Updates blog.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMonthly Office Hours\u003c/strong\u003e -- where you can connect with the Zero Trust Working Group, hear presentations from special guests, and ask questions. Office Hours information is listed below.\u003c/p\u003e\u003ch2\u003eZero Trust Ambassador Office Hours\u003c/h2\u003e\u003cp\u003eEach month, the Zero Trust Working Group holds Office Hours featuring a half hour Zero Trust presentation and a half hour for questions. Office Hours are the \u003cstrong\u003e3rd Tuesday of the month at 1pm ET\u003c/strong\u003e. \u0026nbsp;New time for 2025!\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cms.zoomgov.com/meeting/register/57oW2jbfTT6bnGPiEiz_5Q\"\u003eRegister for upcoming Office Hours here\u003c/a\u003e. 
\u0026nbsp;There is a new series for 2025.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://confluenceent.cms.gov/display/ISPG/Zero+Trust+Ambassador+Program\"\u003ePast meeting recordings and presentation decks are here\u003c/a\u003e (link requires a CMS login to access).\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:T4489,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is Zero Trust?\u003c/h2\u003e\u003cp\u003eZero Trust is a security model that is built on continuous validation at every stage of digital interaction. The Zero Trust (ZT) security model, also known as Zero Trust Architecture (ZTA), maintains that no user or application should be trusted by default. As a result, organizations that implement a Zero Trust model move from checking permissions only at initial sign-on to continuously checking permissions as users or devices move through a system. This constant validation provides enhanced security for systems, devices, and users. Below are the associated concepts and policies that go hand-in-hand with the Zero Trust model.\u003c/p\u003e\u003ch3\u003eZero Trust policy: least privilege\u003c/h3\u003e\u003cp\u003eThe policy of least privilege is associated with the Zero Trust model and is designed to give users the least amount of access to a system or device that is required to complete a task. For example, if a system administrator wants to add new users to a given system, only that single permission is granted to complete that task. If the same system administrator wants to perform a different task, like deleting inactive users, their permissions will need to be reevaluated. 
In this scenario, the extra level of authentication prevents a malicious user from being able to casually use sensitive privileges like deleting users; it also prevents accidents from happening through trusted user error.\u003c/p\u003e\u003ch3\u003eZero Trust policy: assuming compromise\u003c/h3\u003e\u003cp\u003eAssuming compromise means just what it says: as part of the Zero Trust model, we assume that our systems have been compromised by threats. To increase our overall security posture, we design our systems to limit access to data and networks. Limitations can look like restricted connections between networks or different applications. These limitations can prevent malicious users from accessing sensitive data or data that lives on unrelated networks or applications.\u003c/p\u003e\u003cp\u003eAs CMS moves toward a Zero Trust model, you may notice some changes in how you sign in to devices and systems at work. This isn’t because we don’t trust you – we just want to be sure that the person logging in is you so that you can keep doing the great work you do.\u003c/p\u003e\u003ch3\u003eWhere did Zero Trust come from?\u003c/h3\u003e\u003cp\u003eIn May 2021, the Biden Administration issued \u003ca href=\"https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity\"\u003eExecutive Order (EO) 14028\u003c/a\u003e, charging federal agencies with the task of modernizing and enhancing cybersecurity. Executive Order 14028 was quickly followed by guidance from the \u003ca href=\"https://zerotrust.cyber.gov/federal-zero-trust-strategy\"\u003eOffice of Management and Budget (M-22-09)\u003c/a\u003e recommending the introduction of Zero Trust security practices and offering specific steps agencies needed to take to implement them. So what is Zero Trust (ZT), and how will these important changes impact your daily work?\u003c/p\u003e\u003ch2\u003eZero Trust at CMS\u003c/h2\u003e\u003cp\u003eCMS’s transition to Zero Trust is a journey. 
It will involve a series of small adjustments over time that will allow our agency to transition from a traditional perimeter-based security model to a system of continuous authorization, authentication, and validation. You may have already noticed some of the important changes that have been implemented to support Zero Trust at CMS including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe introduction of \u003ca href=\"/learn/cms-cloud-services\"\u003eCMS Cloud\u003c/a\u003e\u003c/li\u003e\u003cli\u003eOur move to the Zscaler integrated platform\u003c/li\u003e\u003cli\u003eThe use of PIV credentials for user authentication\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThere is no single tool that CMS can deploy to instantly implement Zero Trust across all systems; different system architectures will be necessary for different environments. To create those custom architectures, CMS is using the \u003ca href=\"https://www.cisa.gov/zero-trust-maturity-model\"\u003eCybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003eCISA Zero Trust Maturity Model\u003c/h3\u003e\u003cp\u003eThe CISA Zero Trust Maturity Model (ZTMM) is a roadmap designed to transition federal agencies to Zero Trust by assessing their current security stance and recommending specific changes that will improve security moving forward. 
(\u003ca href=\"https://security.cms.gov/posts/zero-trust-maturity-model-version-2-now-less-trust\"\u003eLearn more about the ZTMM here\u003c/a\u003e.)\u0026nbsp;\u003c/p\u003e\u003ch3\u003eZero Trust pillars\u003c/h3\u003e\u003cp\u003eThe model assesses system components, referred to as “pillars”, as well as general details regarding system \u003cstrong\u003evisibility and analytics\u003c/strong\u003e (how information is collected), \u003cstrong\u003eautomation and orchestration \u003c/strong\u003e(how security is created through automated processes), and \u003cstrong\u003egovernance\u003c/strong\u003e (the policies that guide the work).\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eIdentity\u003c/strong\u003e – An attribute or set of attributes that describe a CMS user.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eDevices\u003c/strong\u003e – A hardware asset that can be connected to a network, such as a laptop or mobile device provided by CMS. Devices can also include virtual machines and containers.\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eNetworks\u003c/strong\u003e – Internal CMS networks, data centers, and internet-based networks.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eApplications and workloads\u003c/strong\u003e – CMS systems, computer programs, and services that execute on-premise, as well as in a cloud environment.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eData\u003c/strong\u003e – Information that CMS collects, from documents to information collected from the public to fulfill our mission.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eStages of Zero Trust maturity\u003c/h3\u003e\u003cp\u003eFor each pillar, there are specific things we can measure to determine the degree to which an organization has reached Zero Trust maturity. 
Full information about the maturity stages for each pillar can be found in the ZTMM itself.\u003c/p\u003e\u003cp\u003eIn general, these are the stages that will help CMS track progress towards full adoption and implementation of Zero Trust standards.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTraditional\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe traditional level of maturity is marked by manually configured lifecycles (i.e., from establishment to decommissioning) and assignments of attributes (security and logging); static security policies and solutions that address one pillar at a time with discrete dependencies on external systems; manual response and mitigation deployment; least privilege established only at provisioning; siloed pillars of policy enforcement; and limited correlation of dependencies, logs, and telemetry.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInitial\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAt the level described as initial, increased maturity is demonstrated by starting automation of attribute assignment and configuration of lifecycles, policy decisions, and enforcement, and some initial responsive changes to least privilege after provisioning; cross-pillar solutions with integration of external systems; and aggregated visibility for internal systems.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAdvanced\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAt the advanced level of maturity, wherever applicable, automated controls for lifecycle and assignment of configurations and policies with cross-pillar coordination; response to pre-defined mitigations; changes to least privilege based on risk and posture assessments; policy enforcement integrated across pillars; and centralized visibility and identity control building toward enterprise-wide awareness (including externally hosted resources).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOptimal\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe optimal level of maturity is demonstrated 
by fully automated, just-in-time lifecycles and assignments of attributes to assets and resources that self-report with dynamic policies based on automated/observed triggers; dynamic least privilege access (just-enough and within thresholds) for assets and their respective dependencies enterprise-wide; cross-pillar interoperability with continuous monitoring; and centralized visibility with comprehensive situational awareness.\u003c/p\u003e\u003cp\u003eAs our Zero Trust rollout continues, System Owners will work with their teams to evaluate their desired level of maturity. While Optimal maturity is the goal for many systems, not all systems will be required to achieve it. Most systems will be required to achieve Advanced maturity, and many systems will be able to use CMS-wide tooling to make changes as your specific system requirements are defined.\u003c/p\u003e\u003cp\u003eIn general, this process will start with homogeneous cloud environments that use the same software and devices. We will then move on to custom environments and systems until all CMS systems have been properly evaluated.\u003c/p\u003e\u003ch2\u003eZero Trust and compliance\u003c/h2\u003e\u003cp\u003eWhile Zero Trust is not a compliance framework, its principles complement the existing compliance frameworks at \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS like Acceptable Risk Safeguards 5.1\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eARS 5.1 already supports many of the best practices offered by Zero Trust, such as the least privilege policy for certain levels of systems (e.g. High and Moderate) and the assumed compromise policy. As all CMS systems move to Zero Trust Architecture, System Owners are encouraged to add their own flair and implement tools and resources that will keep their systems compliant and push them closer to Optimal maturity. 
As specific implementation expectations are developed, they will be incorporated into future versions of ARS.\u003c/p\u003e\u003cp\u003eISSOs and others directly involved in the compliance process for CMS systems should watch for news and updates from ISPG for information related to Zero Trust implementation and its impact on compliance activities.\u003c/p\u003e\u003ch2\u003eHow will Zero Trust impact me?\u003c/h2\u003e\u003cp\u003eMany of the Zero Trust improvements implemented by CMS will be invisible to users. You may see more instances where you’re asked to provide two-factor authentication when accessing websites and apps. Since you’re using your work computer, your device will share information with CMS about the status of your system. For example, our networks will know if your computer patches are up to date and if there is a valid device certificate. This information not only keeps your computer and CMS systems safe and secure, but it also increases the amount of trust that CMS has that the person logging in is you.\u003c/p\u003e\u003cp\u003eThroughout the Zero Trust rollout at CMS, we will introduce new tools that will streamline existing processes while also increasing security. Members of OIT or others who run IT infrastructure at CMS will see the biggest changes, and overall, it should improve security while reducing burdens.\u003c/p\u003e\u003cp\u003eApplication Owners will also see changes as the environments they are in have more ZT features available, such as additional multi-factor authentication options for users or increased network encryption. These changes will make applications and systems more resilient to malicious attacks.\u003c/p\u003e\u003ch2\u003eZero Trust FAQs\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eWhere can I read about Zero Trust features, functionality, or offerings applicable to CMS?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCyberGeek is a great place to get started reading more about how Zero Trust will apply to CMS. 
Most of what we store here will be overviews, though, so as we have more features and functionality available, we will need to move that to internal knowledge repositories.\u003c/p\u003e\u003cp\u003eFor the latest Zero Trust news and updates, see \u003ca href=\"https://security.cms.gov/posts?ispg%5Bmenu%5D%5Bpublisher_title%5D=Zero%20Trust%20Team\"\u003eZero Trust articles on the CyberGeek blog\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eTo the extent possible, we will keep Zero Trust information near where you will use it. If you are building your applications on CMS Cloud, you can find more specific information on \u003ca href=\"http://cloud.cms.gov\"\u003ecloud.cms.gov\u003c/a\u003e. We also have spaces on the internal CODA site and Slack for more information. We also focus on keeping the ISSO community informed through the monthly \u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Forum\"\u003eCMS Cybersecurity Community Forum\u003c/a\u003e (requires CMS login), announcements in Slack, and \u003ca href=\"https://security.cms.gov/posts/read-cms-isso-journal\"\u003ethe ISSO Journal\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWhat is changing for CMS?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eRight now? Not much. Over time we will roll out more options for Multi-factor authentication, access control for data, and micro-segmentation within subnets and applications. A lot of the changes are going to be on a case-by-case basis, though, so it’s hard to say if there is something everyone is going to have to change.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWhen will we get information on what we need to do on an ADO level? What other processes can we pilot/test drive for you?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eHHS now requires CMS to report on the Zero Trust Maturity of each of our FISMA systems twice a year, so that helps teams identify areas where there is room for improvement. 
\u0026nbsp;ISPG is not currently (as of September 2024) requiring specific improvements; all improvements are voluntary. \u0026nbsp;\u003ca href=\"https://cloud.cms.gov/zero-trust-maturity-for-aws-on-cms-cloud\"\u003eCMS Hybrid Cloud website\u003c/a\u003e has some suggestions for areas to focus on.\u003c/p\u003e\u003cp\u003eRequests for volunteer ADOs to help us try new Zero Trust Techniques are distributed via the \u003ca href=\"https://security.cms.gov/learn/zero-trust#zero-trust-ambassador-program\"\u003eZero Trust Ambassadors Program\u003c/a\u003e and \u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Forum\"\u003eCMS Cybersecurity Community Forum\u003c/a\u003e (requires CMS login).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow will Zero Trust affect making information accessible to CMS staff and CMS contractors?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIdeally, we will make it easier to make data and information accessible to CMS staff, contractors, and consultants. The increased use of Attribute-based access control through various systems at our disposal can allow us to adapt what data is accessible by authorized persons based on other factors like what team they are on, what role they have, and if they are using GFE that is up-to-date. These changes will be made in upstream systems like IDM/Okta and Kion (nee CloudTamer) so that they can be used easily by different teams.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eThe Maturity Framework Evaluation appears to be scoring questions for an entire team at once: 1/2/3/4 points based on the status of all the systems. But it’s rare to be equally mature across all systems: perhaps user-facing applications are integrated with the agency’s external identity management system, but a tool for team administrators like CI/CD is not. 
Wouldn’t you get a better view of the team’s maturity by asking separately about those systems?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThat is a great observation and one that we arrived at when we were adapting the CISA Zero Trust Maturity Model to CMS. CISA’s original only had one function listed for Authentication, which was pretty general. When reviewing the CISA Model, we decided to split the authentication questions into three (3) parts:\u003c/p\u003e\u003cul\u003e\u003cli\u003eADO staff/developers\u003c/li\u003e\u003cli\u003eInteractive users of websites\u003c/li\u003e\u003cli\u003eAPI users\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eWe recognize that the technology needed for each of those is different and likely matures at different levels. It is a tough balance being granular enough to tease out distinctions like different kinds of users, but not too granular that we have to ask 200 questions to judge maturity level.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow can my system get a Zero Trust evaluation?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eReach out with your request to the \u003ca href=\"mailto:ISPGZeroTrust@cms.hhs.gov\"\u003eISPG Zero Trust Team\u003c/a\u003e. Include information about your system:\u003c/p\u003e\u003cul\u003e\u003cli\u003eName and Acronym\u003c/li\u003e\u003cli\u003eEnvironment it runs in (e.g. AWS for CMS Cloud, Azure for CMS Cloud, Ashburn, etc.)\u003c/li\u003e\u003cli\u003eNames and email addresses of other people to be involved\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eZero Trust Ambassador Program\u003c/h2\u003e\u003cp\u003eThe \u003cstrong\u003eZero Trust Ambassador Program\u003c/strong\u003e is for ISSOs, Security Engineers, Network Engineers, and Application developers who work on systems at CMS. 
It gives you access to additional Zero Trust content related to CMS environments, so you can:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLearn more about Zero Trust security\u003c/li\u003e\u003cli\u003eTest new Zero Trust recommendations\u003c/li\u003e\u003cli\u003eShare Zero Trust practices with your team\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your team is working on increasing your Zero Trust maturity, this program is for you! Resources include:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMonthly newsletter\u003c/strong\u003e -- with highlights from Zero Trust articles, upcoming presentation topics, and a handy reference guide.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://public.govdelivery.com/accounts/USCMS/subscriber/new?topic_id=USCMS_13166\"\u003eSign up for the newsletter here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eZero Trust articles\u003c/strong\u003e -- with the latest tips and information from the Zero Trust team at CMS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/posts?ispg%5Bmenu%5D%5Bpublisher_title%5D=Zero%20Trust%20Team\"\u003eSee Zero Trust articles\u003c/a\u003e on the ISPG News \u0026amp; Updates blog.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMonthly Office Hours\u003c/strong\u003e -- where you can connect with the Zero Trust Working Group, hear presentations from special guests, and ask questions. Office Hours information is listed below.\u003c/p\u003e\u003ch2\u003eZero Trust Ambassador Office Hours\u003c/h2\u003e\u003cp\u003eEach month, the Zero Trust Working Group holds Office Hours featuring a half hour Zero Trust presentation and a half hour for questions. Office Hours are the \u003cstrong\u003e3rd Tuesday of the month at 1pm ET\u003c/strong\u003e. \u0026nbsp;New time for 2025!\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cms.zoomgov.com/meeting/register/57oW2jbfTT6bnGPiEiz_5Q\"\u003eRegister for upcoming Office Hours here\u003c/a\u003e. 
\u0026nbsp;There is a new series for 2025.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://confluenceent.cms.gov/display/ISPG/Zero+Trust+Ambassador+Program\"\u003ePast meeting recordings and presentation decks are here\u003c/a\u003e (link requires a CMS login to access).\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1a:T1aef,"])</script><script>self.__next_f.push([1,"\u003cp\u003eAs part of their white paper on \u003ca href=\"https://www.nist.gov/publications/zero-trust-architecture\"\u003eZero Trust SP-800-207\u003c/a\u003e, NIST identified Seven Tenets that form the foundation of Zero Trust. The Zero Trust Workgroup at CMS has applied these tenets to CMS IT. CMS has many initiatives that support Zero Trust architecture, so engaging with those early can set your project up for a more mature Zero Trust architecture in the future and increase security now.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e1. All data sources and computing services are considered resources\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll data sources and computing services that process CMS data are considered resources and should have defined controls and zero trust solutions governing access to them. Data sources include data repositories, file shares, and databases, while computing services include servers, EC2 instances, containers, and AWS lambda functions.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e2. 
All communication is secured regardless of network location\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTraffic flowing between resources must be secured with appropriate encryption and authentication mechanisms as close to the originating resource as possible -- whether both resources are in the same network or if the data has to transit to another network.\u0026nbsp; Encryption is not only for privacy but also for protection against modification in transit.\u003c/p\u003e\u003cp\u003eThe OIT memo \u003cstrong\u003eCMS Strategy for Encrypting Sensitive Information\u003c/strong\u003e mandates that CMS encrypt sensitive information at rest and in transit on all CMS Systems that store, process, or transmit such information, especially High Value Assets (HVA), Mission Essential Functions, and Sensitive PII systems.\u0026nbsp; The \u003ca href=\"https://security.cms.gov/learn/cms-enterprise-data-encryption-cede\"\u003eCMS Enterprise Data Encryption Initiative\u003c/a\u003e has been working on helping ISSOs get their data encrypted since 2021.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e3. 
Access to individual enterprise resources is granted on a per\u003c/strong\u003e-\u003cstrong\u003esession basis\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTrust in the user or developer is evaluated before the access is granted to a specific resource (e.g., authentication), and access should also be granted with the least privileges needed to complete the task (e.g., authorization).\u0026nbsp; Authenticated sessions should be time-bound, with a session lasting less than 24 hours.\u0026nbsp; The length of a session can vary based on the sensitivity of the data as long as it is finite.\u0026nbsp; Additionally, authentication and authorization to one resource should not automatically grant access to a different resource.\u003c/p\u003e\u003cp\u003eUse existing identity management systems \u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=15641880\"\u003esuch as IDM\u003c/a\u003e to the greatest extent possible to perform authentication and authorization -- avoid creating new ones.\u0026nbsp; There are systems available for developers and users alike.\u0026nbsp;\u0026nbsp; Developers should be granted the least amount of privileges to the resource as possible; \u003ca href=\"https://cloud.cms.gov/how-to-use-cloudtamer-cms-gov\"\u003eCloudTamer\u003c/a\u003e, now called Kion, for CMSCloud is a great way to do that.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e4. 
Access to resources is determined by dynamic policy\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eMature Zero Trust architectures strive to have access policies that take input from external systems, such as the asset they are using or the user's location, to determine the current access level for the user.\u0026nbsp; For example, some government systems cannot be accessed outside the United States.\u0026nbsp; This is often referred to as risk-based or attribute-based authentication.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhile attribute-based authentication is the goal of Zero Trust, the technology is still fairly new.\u0026nbsp; In the future, the Zero Trust Workgroup plans to provide a way for ADOs to do attribute-based authentication, but this is likely a ways off for widespread use.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe enterprise does not inherently trust any asset, whether CMS owns the asset or not.\u0026nbsp; CMS monitors the security posture of every asset, and uses that information when that asset requests access to resources. CMS already employs a dynamic policy for Government Furnished Laptops attempting to access CMSNet. Devices must have a device certificate, certain security software, and have the current security patches installed before it may join the network, and devices that do not meet this are sent to a different network for remediation.\u003c/p\u003e\u003cp\u003eVirtual Machines (VMs) and containers are also assets and should be treated in similar ways. These operating systems must be patched and vulnerability scanned just like physical servers would -- VMs and containers with known vulnerabilities should not be deployed to production. CMSCloud offers a Gold Image for AWS and MAG to help ADOs deploy VMs with the latest patches. 
ISSOs are encouraged to have ADOs take advantage of these options and existing vulnerability scanning tools.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAccess to resources is subject to a constant cycle of scanning for threats, evaluating trust, and obtaining access. Continuous monitoring with possible reauthentication and reauthorization occurs throughout a user transaction and happens as close to the application as possible.\u003c/p\u003e\u003cp\u003eISSOs should work with the team to determine reasonable user login timeouts based on ARS 5.1 requirements and customer experience.\u0026nbsp; This includes APIs as well as web applications.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAgencies should maintain an ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.\u0026nbsp; This includes continuous visibility into the actions of users, applications, and devices through a centralized log data collection. CMS does this in part through the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics \u0026amp; Mitigation (CDM) program run by ISPG\u003c/a\u003e. CMS uses asset inventories and vulnerability management scanning to keep tabs on both resources that employees use (e.g. laptops) and the applications and infrastructure they use.\u0026nbsp;\u003c/p\u003e\u003cp\u003eADOs can contribute by participating in the CDM program as it becomes available for their infrastructure. 
ADOs also need to understand the state of their infrastructure, as well as provide those logs and context to central security teams (follow the guidelines in ARS 5.0).\u0026nbsp; Strive to know \"who did what when\" about both your developers and your users.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1b:T1aef,"])</script><script>self.__next_f.push([1,"\u003cp\u003eAs part of their white paper on \u003ca href=\"https://www.nist.gov/publications/zero-trust-architecture\"\u003eZero Trust SP-800-207\u003c/a\u003e, NIST identified Seven Tenets that form the foundation of Zero Trust. The Zero Trust Workgroup at CMS has applied these tenets to CMS IT. CMS has many initiatives that support Zero Trust architecture, so engaging with those early can set your project up for a more mature Zero Trust architecture in the future and increase security now.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e1. All data sources and computing services are considered resources\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll data sources and computing services that process CMS data are considered resources and should have defined controls and zero trust solutions governing access to them. Data sources include data repositories, file shares, and databases, while computing services include servers, EC2 instances, containers, and AWS lambda functions.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e2. 
All communication is secured regardless of network location\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTraffic flowing between resources must be secured with appropriate encryption and authentication mechanisms as close to the originating resource as possible -- whether both resources are in the same network or if the data has to transit to another network.\u0026nbsp; Encryption is not only for privacy but also for protection against modification in transit.\u003c/p\u003e\u003cp\u003eThe OIT memo \u003cstrong\u003eCMS Strategy for Encrypting Sensitive Information\u003c/strong\u003e mandates that CMS encrypt sensitive information at rest and in transit on all CMS Systems that store, process, or transmit such information, especially High Value Assets (HVA), Mission Essential Functions, and Sensitive PII systems.\u0026nbsp; The \u003ca href=\"https://security.cms.gov/learn/cms-enterprise-data-encryption-cede\"\u003eCMS Enterprise Data Encryption Initiative\u003c/a\u003e has been working on helping ISSOs get their data encrypted since 2021.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e3. 
Access to individual enterprise resources is granted on a per\u003c/strong\u003e-\u003cstrong\u003esession basis\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTrust in the user or developer is evaluated before the access is granted to a specific resource (e.g., authentication), and access should also be granted with the least privileges needed to complete the task (e.g., authorization).\u0026nbsp; Authenticated sessions should be time-bound, with a session lasting less than 24 hours.\u0026nbsp; The length of a session can vary based on the sensitivity of the data as long as it is finite.\u0026nbsp; Additionally, authentication and authorization to one resource should not automatically grant access to a different resource.\u003c/p\u003e\u003cp\u003eUse existing identity management systems \u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=15641880\"\u003esuch as IDM\u003c/a\u003e to the greatest extent possible to perform authentication and authorization -- avoid creating new ones.\u0026nbsp; There are systems available for developers and users alike.\u0026nbsp;\u0026nbsp; Developers should be granted the least amount of privileges to the resource as possible; \u003ca href=\"https://cloud.cms.gov/how-to-use-cloudtamer-cms-gov\"\u003eCloudTamer\u003c/a\u003e, now called Kion, for CMSCloud is a great way to do that.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e4. 
Access to resources is determined by dynamic policy\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eMature Zero Trust architectures strive to have access policies that take input from external systems, such as the asset they are using or the user's location, to determine the current access level for the user.\u0026nbsp; For example, some government systems cannot be accessed outside the United States.\u0026nbsp; This is often referred to as risk-based or attribute-based authentication.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhile attribute-based authentication is the goal of Zero Trust, the technology is still fairly new.\u0026nbsp; In the future, the Zero Trust Workgroup plans to provide a way for ADOs to do attribute-based authentication, but this is likely a ways off for widespread use.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe enterprise does not inherently trust any asset, whether CMS owns the asset or not.\u0026nbsp; CMS monitors the security posture of every asset, and uses that information when that asset requests access to resources. CMS already employs a dynamic policy for Government Furnished Laptops attempting to access CMSNet. Devices must have a device certificate, certain security software, and have the current security patches installed before it may join the network, and devices that do not meet this are sent to a different network for remediation.\u003c/p\u003e\u003cp\u003eVirtual Machines (VMs) and containers are also assets and should be treated in similar ways. These operating systems must be patched and vulnerability scanned just like physical servers would -- VMs and containers with known vulnerabilities should not be deployed to production. CMSCloud offers a Gold Image for AWS and MAG to help ADOs deploy VMs with the latest patches. 
ISSOs are encouraged to have ADOs take advantage of these options and existing vulnerability scanning tools.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAccess to resources is subject to a constant cycle of scanning for threats, evaluating trust, and obtaining access. Continuous monitoring with possible reauthentication and reauthorization occurs throughout a user transaction and happens as close to the application as possible.\u003c/p\u003e\u003cp\u003eISSOs should work with the team to determine reasonable user login timeouts based on ARS 5.1 requirements and customer experience.\u0026nbsp; This includes APIs as well as web applications.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAgencies should maintain an ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.\u0026nbsp; This includes continuous visibility into the actions of users, applications, and devices through a centralized log data collection. CMS does this in part through the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics \u0026amp; Mitigation (CDM) program run by ISPG\u003c/a\u003e. CMS uses asset inventories and vulnerability management scanning to keep tabs on both resources that employees use (e.g. laptops) and the applications and infrastructure they use.\u0026nbsp;\u003c/p\u003e\u003cp\u003eADOs can contribute by participating in the CDM program as it becomes available for their infrastructure. 
ADOs also need to understand the state of their infrastructure, as well as provide those logs and context to central security teams (follow the guidelines in ARS 5.0).\u0026nbsp; Strive to know \"who did what when\" about both your developers and your users.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1c:T1331,"])</script><script>self.__next_f.push([1,"\u003cp\u003eCryptographic agility, also called cryptoagility, is the ability for a system to quickly and easily change parts of their encryption mechanism(s).\u0026nbsp; This encompasses changing encryption keys, key lengths, encryption algorithms used, and even changing the libraries used to perform the encryption. \u0026nbsp;\u003c/p\u003e\u003cp\u003eZero Trust architectures feature encryption of data in transit and data at rest heavily, and systems with high Zero Trust maturity feature lots of automation, so it makes sense that cryptoagility would be part of a mature architecture. \u0026nbsp;The CMS Zero Trust Team will put out a couple articles on cryptoagility over the next few months.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhy this?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThere are many reasons to strive for cryptoagility. \u0026nbsp;As computers can do more calculations in less time, we need to occasionally change encryption algorithms or key lengths to take longer to brute force the keys.\u0026nbsp; Beyond that, there are internal factors such as to make it easier to recover from incidents and external ones such as from requirements for FISMA systems. 
\u0026nbsp;It is a design principle that has been around for a while even if we haven’t been using that phrase.\u0026nbsp; Systems have long needed the ability to change encryption keys and update the algorithms used, and good architectures facilitate these actions happening efficiently.\u0026nbsp;\u003ca href=\"https://techcrunch.com/2023/09/08/microsoft-hacker-china-government-storm-0558/\"\u003eEncryption keys can get compromised\u003c/a\u003e, key lengths can need to be increased, and bugs can be found in encryption libraries.\u003c/p\u003e\u003cp\u003eOne of the most famous bugs in an encryption library surfaced in the widely used OpenSSL library in 2014 and was called “\u003ca href=\"https://en.wikipedia.org/wiki/Heartbleed\"\u003eHeartbleed\u003c/a\u003e” because the heartbeat function in TLS could be exploited to leak information from memory.\u0026nbsp; An update for OpenSSL was released quickly, but it required many websites to either recompile the programs that used OpenSSL or restart their servers.\u0026nbsp;Additionally, there was a possibility that private keys for SSL certificates were leaked so certificates also had to be regenerated with new key pairs.\u0026nbsp; A month after the announcement, \u003ca href=\"https://www.netcraft.com/blog/keys-left-unchanged-in-many-heartbleed-replacement-certificates/\"\u003eover 50% of impacted systems had not issued new SSL certificates\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eNOTE: There can be tension around remediating a vulnerability in a product that has undergone a process like FIPS 140 validation. \u0026nbsp;How do we do this quickly while preserving the previous \"approval\"? 
\u0026nbsp;Hopefully cryptoagility can help us with this in time.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhy now?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eOver the last couple of years there have been Federal directives and CISA guidance that touch on cryptoagility, so it makes sense to explain cryptographic agility and what it involves.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eCryptoagility supports OMB M-23-02 “\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf\"\u003eMigrating to Post-Quantum Cryptography\u003c/a\u003e”.\u0026nbsp; Quantum computing may reach a stage where it can easily brute force some key lengths of modern cryptographic algorithms, so systems need the ability to change those algorithms easily. The agility needed to respond to possible quantum computing attacks on current cryptography will revolve around knowing where encryption that is not quantum-proof is located and then replacing it.\u0026nbsp; Though an actual quantum computing attack is likely in the distant future, agencies can begin identifying the use of weaker algorithms, key lengths, or libraries now to allow themselves to make the changes at a leisurely pace instead of in an emergency.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe release of the \u003ca href=\"https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model\"\u003eCISA Zero Trust Maturity Model v2\u003c/a\u003e added references to “cryptographic agility” to the Advanced and Optimal levels of the Traffic Encryption and Data Encryption functions.\u0026nbsp; CMS included these updates in the \u003ca href=\"https://cloud.cms.gov/zero-trust-maturity-for-aws-on-cms-cloud\"\u003eAWS for CMS Cloud\u003c/a\u003e and \u003ca href=\"https://cloud.cms.gov/zero-trust-maturity-for-mag-on-cms-cloud\"\u003eMicrosoft Azure for Government for CMS Cloud\u003c/a\u003e maturity frameworks (Sorry, these are CMS internal 
references).\u0026nbsp;\u003c/p\u003e\u003cp\u003eLastly, maintaining records of where different algorithms and implementations are used is a key part of software supply chain management, introduced to Federal Agencies in \u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf\"\u003eOMB M-22-18\u003c/a\u003e.\u0026nbsp;This way when another Heartbleed is found we can more easily identify where we need to patch.\u003c/p\u003e\u003cp\u003eCheck back next month for a \u003ca href=\"https://security.cms.gov/posts/three-elements-cryptographic-agility\"\u003esecond installment on cryptoagility\u003c/a\u003e!\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1d:T1331,"])</script><script>self.__next_f.push([1,"\u003cp\u003eCryptographic agility, also called cryptoagility, is the ability for a system to quickly and easily change parts of their encryption mechanism(s).\u0026nbsp; This encompasses changing encryption keys, key lengths, encryption algorithms used, and even changing the libraries used to perform the encryption. \u0026nbsp;\u003c/p\u003e\u003cp\u003eZero Trust architectures feature encryption of data in transit and data at rest heavily, and systems with high Zero Trust maturity feature lots of automation, so it makes sense that cryptoagility would be part of a mature architecture. \u0026nbsp;The CMS Zero Trust Team will put out a couple articles on cryptoagility over the next few months.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhy this?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThere are many reasons to strive for cryptoagility. \u0026nbsp;As computers can do more calculations in less time, we need to occasionally change encryption algorithms or key lengths to take longer to brute force the keys.\u0026nbsp; Beyond that, there are internal factors such as to make it easier to recover from incidents and external ones such as from requirements for FISMA systems. 
\u0026nbsp;It is a design principle that has been around for a while even if we haven’t been using that phrase.\u0026nbsp; Systems have long needed the ability to change encryption keys and update the algorithms used, and good architectures facilitate these actions happening efficiently.\u0026nbsp;\u003ca href=\"https://techcrunch.com/2023/09/08/microsoft-hacker-china-government-storm-0558/\"\u003eEncryption keys can get compromised\u003c/a\u003e, key lengths can need to be increased, and bugs can be found in encryption libraries.\u003c/p\u003e\u003cp\u003eOne of the most famous bugs in an encryption library surfaced in the widely used OpenSSL library in 2014 and was called “\u003ca href=\"https://en.wikipedia.org/wiki/Heartbleed\"\u003eHeartbleed\u003c/a\u003e” because the heartbeat function in TLS could be exploited to leak information from memory.\u0026nbsp; An update for OpenSSL was released quickly, but it required many websites to either recompile the programs that used OpenSSL or restart their servers.\u0026nbsp;Additionally, there was a possibility that private keys for SSL certificates were leaked so certificates also had to be regenerated with new key pairs.\u0026nbsp; A month after the announcement, \u003ca href=\"https://www.netcraft.com/blog/keys-left-unchanged-in-many-heartbleed-replacement-certificates/\"\u003eover 50% of impacted systems had not issued new SSL certificates\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eNOTE: There can be tension around remediating a vulnerability in a product that has undergone a process like FIPS 140 validation. \u0026nbsp;How do we do this quickly while preserving the previous \"approval\"? 
\u0026nbsp;Hopefully cryptoagility can help us with this in time.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhy now?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eOver the last couple of years there have been Federal directives and CISA guidance that touch on cryptoagility, so it makes sense to explain cryptographic agility and what it involves.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eCryptoagility supports OMB M-23-02 “\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf\"\u003eMigrating to Post-Quantum Cryptography\u003c/a\u003e”.\u0026nbsp; Quantum computing may reach a stage where it can easily brute force some key lengths of modern cryptographic algorithms, so systems need the ability to change those algorithms easily. The agility needed to respond to possible quantum computing attacks on current cryptography will revolve around knowing where encryption that is not quantum-proof is located and then replacing it.\u0026nbsp; Though an actual quantum computing attack is likely in the distant future, agencies can begin identifying the use of weaker algorithms, key lengths, or libraries now to allow themselves to make the changes at a leisurely pace instead of in an emergency.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe release of the \u003ca href=\"https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model\"\u003eCISA Zero Trust Maturity Model v2\u003c/a\u003e added references to “cryptographic agility” to the Advanced and Optimal levels of the Traffic Encryption and Data Encryption functions.\u0026nbsp; CMS included these updates in the \u003ca href=\"https://cloud.cms.gov/zero-trust-maturity-for-aws-on-cms-cloud\"\u003eAWS for CMS Cloud\u003c/a\u003e and \u003ca href=\"https://cloud.cms.gov/zero-trust-maturity-for-mag-on-cms-cloud\"\u003eMicrosoft Azure for Government for CMS Cloud\u003c/a\u003e maturity frameworks (Sorry, these are CMS internal 
references).\u0026nbsp;\u003c/p\u003e\u003cp\u003eLastly, maintaining records of where different algorithms and implementations are used is a key part of software supply chain management, introduced to Federal Agencies in \u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf\"\u003eOMB M-22-18\u003c/a\u003e.\u0026nbsp;This way when another Heartbleed is found we can more easily identify where we need to patch.\u003c/p\u003e\u003cp\u003eCheck back next month for a \u003ca href=\"https://security.cms.gov/posts/three-elements-cryptographic-agility\"\u003esecond installment on cryptoagility\u003c/a\u003e!\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1e:T280e,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is cryptographic agility?\u003c/h2\u003e\u003cp\u003eCryptographic agility, also called cryptoagility, is the ability for a system to quickly and easily change parts of their encryption mechanism(s). This encompasses changing encryption keys, key lengths, encryption algorithms used, and even changing the libraries used to perform the encryption. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThere is not currently an official cryptoagility standard for Federal Agencies, but research into it and \u003ca href=\"https://www.dhs.gov/sites/default/files/2022-05/22_0512_plcy_2966-01_cryptographic-agility-infographic.pdf\"\u003eresources from the Cybersecurity and Infrastructure Security Agency\u003c/a\u003e (CISA) led the ISPG Zero Trust team to identify three elements of a Cryptographically Agile system: \u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eUse modern cryptography. \u0026nbsp;\u003c/li\u003e\u003cli\u003eMaintain an accurate cryptographic inventory. \u0026nbsp;\u003c/li\u003e\u003cli\u003eEngineer in the ability to make encryption changes quickly and efficiently. 
\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis document sets out further definitions of cryptographic agility for CMS Federal Information Security Modernization Act (FISMA) Systems to strive for. \u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eUse modern cryptography\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003eFISMA Systems should use modern cryptographic algorithms, robust key lengths, and well-tested implementations of said algorithms. The National Institute of Standards and Technology (NIST) has written much on the topic, but a good rule of thumb is to stick with implementations that are FIPS 140-2 validated (see note below). Tools that are FedRAMP approved will be FIPS 140-2 validated. \u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt3r1.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eNIST Special Publication 800-57 Part 3\u003c/a\u003e has detailed information about preferred cryptographic algorithms and key lengths. They can be summarized as: \u0026nbsp;\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eKey Type\u003c/strong\u003e \u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eAlgorithms and \u003c/strong\u003e \u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMinimum Key Sizes\u003c/strong\u003e \u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePublic Key Infrastructure (PKI). \u0026nbsp;\u003c/td\u003e\u003ctd\u003eDigital Signature keys used for authentication (for Users or Devices) \u0026nbsp;\u003c/td\u003e\u003ctd\u003eRSA (2048 bits). 
ECDSA (Curve P-256) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eDigital Signature keys used for non-repudiation (for Users or Devices) \u0026nbsp;\u003c/td\u003e\u003ctd\u003eRSA (2048 bits) ECDSA (Curves P-256 or P-384) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eKey Establishment keys (for Users or Devices) \u0026nbsp;\u003c/td\u003e\u003ctd\u003eRSA (2048 bits) Diffie-Hellman (2048 bits) ECDH (Curves P-256 or P-384) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEncryption for Data at Rest \u0026nbsp;\u003c/td\u003e\u003ctd\u003eSymmetric key \u0026nbsp;\u003c/td\u003e\u003ctd\u003eAES (128 bits) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHashing and Message Digests \u0026nbsp;\u003c/td\u003e\u003ctd\u003eOne-Way Hash, unkeyed \u0026nbsp;\u003c/td\u003e\u003ctd\u003eSHA-256 \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eWebsites and other internet services that operate over TCP/IP shall use Transport Layer Security (TLS) version 1.3 to encrypt the network traffic. TLS 1.3 is based on PKI, and the above algorithms and key lengths are also recommended. If a system has devices that cannot use TLS 1.3, the connection may fall back to TLS 1.2. \u003ca href=\"https://www.cms.gov/files/document/hhsencryption-policy.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eTLS 1.0 and 1.1 shall not be used\u003c/a\u003e as per the HHS Policy for Encryption of Computing Devices and Information in Section 6.23. \u0026nbsp;\u003c/p\u003e\u003cp\u003eIn the event that your software needs to directly perform cryptographic operations, here at CMS we prefer that you do not implement your own cryptographic algorithms and instead use a well-established library that is FIPS 140-2 approved such as OpenSSL. 
Wikipedia has a chart \u003ca href=\"https://en.wikipedia.org/wiki/Comparison_of_cryptography_libraries\" target=\"_blank\" rel=\"noreferrer noopener\"\u003ecomparing different cryptography libraries\u003c/a\u003e and includes their FIPS 140 status. \u0026nbsp;\u003c/p\u003e\u003cp\u003eA Note on FIPS 140: A new version of FIPS 140 has been released, version 3, and systems will be required to use only FIPS 140-3 compliant tools starting in September 2026. As of December 2023, there are \u003ca href=\"https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Advanced\u0026amp;Standard=140-3\u0026amp;CertificateStatus=Active\u0026amp;ValidationYear=0\" target=\"_blank\" rel=\"noreferrer noopener\"\u003efew validated FIPS 140-3 implementations,\u003c/a\u003e but many popular services and hardware are \u003ca href=\"https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eundergoing evaluations.\u003c/a\u003e If selecting a new product, it would be wise to choose one that is undergoing evaluation. \u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eMaintain an accurate cryptographic inventory\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003eTo know what to fix, we need to know what cryptographic algorithms we are using in our various systems. This will include data in transit, data at rest, and (as the technology becomes more accessible) data in use. \u0026nbsp;\u003c/p\u003e\u003cp\u003eWhile having an accurate inventory is important, it is not expected that CMS FISMA Systems will have a unified, automated solution that contains all the different encryptions just yet. Teams may need to look in different places to collect all this information. The Zero Trust program in ISPG is researching an automated solution that would be suitable for CMS. 
\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe inventory will need to include where the encryption is being used (in transit, at rest, or in use), what algorithm is used, what key length is used, and (where available) what library or tool is providing the encryption. It is also desirable to be able to explain why a particular setup is used or note any exceptions. \u0026nbsp;\u003c/p\u003e\u003cp\u003eInfrastructure as a Service (IaaS) providers often have a key management service for storing keys used for encrypting data at rest, and they often have a service for storing TLS certificates, but they are likely not the same service. For example, AWS provides the \u003ca href=\"https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eKey Management System\u003c/a\u003e for general key management, and the \u003ca href=\"https://aws.amazon.com/certificate-manager/\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eAWS Certificate Manager\u003c/a\u003e is available for your TLS certificates.\u0026nbsp;\u003c/p\u003e\u003cp lang=\"EN-US\"\u003eThe Office of Management and Budget (OMB) requires agencies to report on their cryptographic inventories \u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf\"\u003eunder M-23-02\u003c/a\u003e, though they are slowly rolling out which systems are included in their reports. The Zero Trust Program will reach out to the ISSOs of FISMA systems required to submit for 2024.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eEngineer in the ability to make encryption changes quickly and efficiently\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://www.dictionary.com/browse/agility\"\u003eAgility\u003c/a\u003e in general is “the power of moving quickly and easily,” so cryptoagility is the ability to move quickly and easily around all things encryption. 
\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/policy-guidance/cms-key-management-handbook#key-management-lifecycle-best-practices\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eKey Management Handbook from ISPG\u003c/a\u003e recommends that systems rotate encryption keys once per year (see the “Key Rotation” section). \u0026nbsp;Teams should have a documented process, whether the process is manual or automated. This includes both TLS certificates and database (or other storage) encryption keys. \u0026nbsp;\u003c/p\u003e\u003cp\u003eIdeally, a team should be able to rotate keys and certificates in minutes not hours so that if a key compromise happens response time is low. \u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen using libraries to implement encryption functions in software, the software should be architected in a way to allow for the library to be updated without having to change the code (assuming that the new version of the library is backwards compatible). Where possible, key length should not be hard coded, and instead provided via a configuration file. Use of specific algorithms should be abstracted in such a way that if the team wanted to use a different algorithm or different library for the same algorithm the code can be changed in one place and used everywhere. \u0026nbsp;\u003c/p\u003e\u003cp\u003eIn “\u003ca href=\"https://security.cms.gov/posts/cryptographic-agility-zeitgeist\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eCryptoAgility in the Zeitgeist\u003c/a\u003e”, we talked about the 2014 Heartbleed exploit for OpenSSL. While a patch was available quickly for OpenSSL, it took months for most systems to be updated. As we seek to balance security and process, we need to contemplate the speed at which we want to mitigate and remediate such exploits. 
\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen designing software and development processes, consider these guidelines for how long it should take for a system to make these changes: \u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eMinutes to update and rotate a key \u0026nbsp;\u003c/li\u003e\u003cli\u003eMinutes to update a library to a new version \u0026nbsp;\u003c/li\u003e\u003cli\u003eHours to change key lengths \u0026nbsp;\u003c/li\u003e\u003cli\u003eLess than 1 sprint to change the algorithm or library \u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eConclusion\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003eCryptoAgility is an integral part not just of Zero Trust, but a mature software development process. By factoring the three main elements of CryptoAgility into processes early, we can improve our ability to respond to cryptographic issues early. It may take time to add CryptoAgility into existing systems, but the Zero Trust team is here to support teams. We will be releasing specific guidance on implementation for different environments, such as AWS, via the internal CMS Cloud documentation in the coming months. \u0026nbsp;\u003c/p\u003e\u003cp\u003eIn the meantime, think about how the three elements apply to your systems: \u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eUse modern cryptography.\u0026nbsp;\u003c/li\u003e\u003cli\u003eMaintain an accurate cryptographic inventory. \u0026nbsp;\u003c/li\u003e\u003cli\u003eEngineer in the ability to make encryption changes quickly and efficiently. \u0026nbsp;\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1f:T280e,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is cryptographic agility?\u003c/h2\u003e\u003cp\u003eCryptographic agility, also called cryptoagility, is the ability for a system to quickly and easily change parts of their encryption mechanism(s). 
This encompasses changing encryption keys, key lengths, encryption algorithms used, and even changing the libraries used to perform the encryption. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThere is not currently an official cryptoagility standard for Federal Agencies, but research into it and \u003ca href=\"https://www.dhs.gov/sites/default/files/2022-05/22_0512_plcy_2966-01_cryptographic-agility-infographic.pdf\"\u003eresources from the Cybersecurity and Infrastructure Security Agency\u003c/a\u003e (CISA) led the ISPG Zero Trust team to identify three elements of a Cryptographically Agile system: \u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eUse modern cryptography. \u0026nbsp;\u003c/li\u003e\u003cli\u003eMaintain an accurate cryptographic inventory. \u0026nbsp;\u003c/li\u003e\u003cli\u003eEngineer in the ability to make encryption changes quickly and efficiently. \u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis document sets out further definitions of cryptographic agility for CMS Federal Information Security Modernization Act (FISMA) Systems to strive for. \u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eUse modern cryptography\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003eFISMA Systems should use modern cryptographic algorithms, robust key lengths, and well-tested implementations of said algorithms. The National Institute of Standards and Technology (NIST) has written much on the topic, but a good rule of thumb is to stick with implementations that are FIPS 140-2 validated (see note below). Tools that are FedRAMP approved will be FIPS 140-2 validated. \u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt3r1.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eNIST Special Publication 800-57 Part 3\u003c/a\u003e has detailed information about preferred cryptographic algorithms and key lengths. 
They can be summarized as: \u0026nbsp;\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eKey Type\u003c/strong\u003e \u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eAlgorithms and \u003c/strong\u003e \u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMinimum Key Sizes\u003c/strong\u003e \u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePublic Key Infrastructure (PKI). \u0026nbsp;\u003c/td\u003e\u003ctd\u003eDigital Signature keys used for authentication (for Users or Devices) \u0026nbsp;\u003c/td\u003e\u003ctd\u003eRSA (2048 bits). ECDSA (Curve P-256) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eDigital Signature keys used for non-repudiation (for Users or Devices) \u0026nbsp;\u003c/td\u003e\u003ctd\u003eRSA (2048 bits) ECDSA (Curves P-256 or P-384) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eKey Establishment keys (for Users or Devices) \u0026nbsp;\u003c/td\u003e\u003ctd\u003eRSA (2048 bits) Diffie-Hellman (2048 bits) ECDH (Curves P-256 or P-384) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEncryption for Data at Rest \u0026nbsp;\u003c/td\u003e\u003ctd\u003eSymmetric key \u0026nbsp;\u003c/td\u003e\u003ctd\u003eAES (128 bits) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHashing and Message Digests \u0026nbsp;\u003c/td\u003e\u003ctd\u003eOne-Way Hash, unkeyed \u0026nbsp;\u003c/td\u003e\u003ctd\u003eSHA-256 \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eWebsites and other internet services that operate over TCP/IP shall use Transport Layer Security (TLS) version 1.3 to encrypt the network traffic. TLS 1.3 is based on PKI, and the above algorithms and key lengths are also recommended. 
If a system has devices that cannot use TLS 1.3, the connection may fall back to TLS 1.2. \u003ca href=\"https://www.cms.gov/files/document/hhsencryption-policy.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eTLS 1.0 and 1.1 shall not be used\u003c/a\u003e as per the HHS Policy for Encryption of Computing Devices and Information in Section 6.23. \u0026nbsp;\u003c/p\u003e\u003cp\u003eIn the event that your software needs to directly perform cryptographic operations, here at CMS we prefer that you do not implement your own cryptographic algorithms and instead use a well-established library that is FIPS 140-2 approved such as OpenSSL. Wikipedia has a chart \u003ca href=\"https://en.wikipedia.org/wiki/Comparison_of_cryptography_libraries\" target=\"_blank\" rel=\"noreferrer noopener\"\u003ecomparing different cryptography libraries\u003c/a\u003e and includes their FIPS 140 status. \u0026nbsp;\u003c/p\u003e\u003cp\u003eA Note on FIPS 140: A new version of FIPS 140 has been released, version 3, and systems will be required to use only FIPS 140-3 compliant tools starting in September 2026. As of December 2023, there are \u003ca href=\"https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Advanced\u0026amp;Standard=140-3\u0026amp;CertificateStatus=Active\u0026amp;ValidationYear=0\" target=\"_blank\" rel=\"noreferrer noopener\"\u003efew validated FIPS 140-3 implementations,\u003c/a\u003e but many popular services and hardware are \u003ca href=\"https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eundergoing evaluations.\u003c/a\u003e If selecting a new product, it would be wise to choose one that is undergoing evaluation. 
\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eMaintain an accurate cryptographic inventory\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003eTo know what to fix, we need to know what cryptographic algorithms we are using in our various systems. This will include data in transit, data at rest, and (as the technology becomes more accessible) data in use. \u0026nbsp;\u003c/p\u003e\u003cp\u003eWhile having an accurate inventory is important, it is not expected that CMS FISMA Systems will have a unified, automated solution that contains all the different encryptions just yet. Teams may need to look in different places to collect all this information. The Zero Trust program in ISPG is researching an automated solution that would be suitable for CMS. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThe inventory will need to include where the encryption is being used (in transit, at rest, or in use), what algorithm is used, what key length is used, and (where available) what library or tool is providing the encryption. It is also desirable to be able to explain why a particular setup is used or note any exceptions. \u0026nbsp;\u003c/p\u003e\u003cp\u003eInfrastructure as a Service (IaaS) providers often have a key management service for storing keys used for encrypting data at rest, and they often have a service for storing TLS certificates, but they are likely not the same service. 
For example, AWS provides the \u003ca href=\"https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eKey Management System\u003c/a\u003e for general key management, and the \u003ca href=\"https://aws.amazon.com/certificate-manager/\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eAWS Certificate Manager\u003c/a\u003e is available for your TLS certificates.\u0026nbsp;\u003c/p\u003e\u003cp lang=\"EN-US\"\u003eThe Office of Management and Budget (OMB) requires agencies to report on their cryptographic inventories \u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf\"\u003eunder M-23-02\u003c/a\u003e, though they are slowly rolling out which systems are included in their reports. The Zero Trust Program will reach out to the ISSOs of FISMA systems required to submit for 2024.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eEngineer in the ability to make encryption changes quickly and efficiently\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://www.dictionary.com/browse/agility\"\u003eAgility\u003c/a\u003e in general is “the power of moving quickly and easily,” so cryptoagility is the ability to move quickly and easily around all things encryption. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/policy-guidance/cms-key-management-handbook#key-management-lifecycle-best-practices\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eKey Management Handbook from ISPG\u003c/a\u003e recommends that systems rotate encryption keys once per year (see the “Key Rotation” section). \u0026nbsp;Teams should have a documented process, whether the process is manual or automated. This includes both TLS certificates and database (or other storage) encryption keys. 
\u0026nbsp;\u003c/p\u003e\u003cp\u003eIdeally, a team should be able to rotate keys and certificates in minutes not hours so that if a key compromise happens response time is low. \u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen using libraries to implement encryption functions in software, the software should be architected in a way to allow for the library to be updated without having to change the code (assuming that the new version of the library is backwards compatible). Where possible, key length should not be hard coded, and instead provided via a configuration file. Use of specific algorithms should be abstracted in such a way that if the team wanted to use a different algorithm or different library for the same algorithm the code can be changed in one place and used everywhere. \u0026nbsp;\u003c/p\u003e\u003cp\u003eIn “\u003ca href=\"https://security.cms.gov/posts/cryptographic-agility-zeitgeist\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eCryptoAgility in the Zeitgeist\u003c/a\u003e”, we talked about the 2014 Heartbleed exploit for OpenSSL. While a patch was available quickly for OpenSSL, it took months for most systems to be updated. As we seek to balance security and process, we need to contemplate the speed at which we want to mitigate and remediate such exploits. 
\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen designing software and development processes, consider these guidelines for how long it should take for a system to make these changes: \u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eMinutes to update and rotate a key \u0026nbsp;\u003c/li\u003e\u003cli\u003eMinutes to update a library to a new version \u0026nbsp;\u003c/li\u003e\u003cli\u003eHours to change key lengths \u0026nbsp;\u003c/li\u003e\u003cli\u003eLess than 1 sprint to change the algorithm or library \u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eConclusion\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003eCryptoAgility is an integral part not just of Zero Trust, but a mature software development process. By factoring the three main elements of CryptoAgility into processes early, we can improve our ability to respond to cryptographic issues early. It may take time to add CryptoAgility into existing systems, but the Zero Trust team is here to support teams. We will be releasing specific guidance on implementation for different environments, such as AWS, via the internal CMS Cloud documentation in the coming months. \u0026nbsp;\u003c/p\u003e\u003cp\u003eIn the meantime, think about how the three elements apply to your systems: \u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eUse modern cryptography.\u0026nbsp;\u003c/li\u003e\u003cli\u003eMaintain an accurate cryptographic inventory. \u0026nbsp;\u003c/li\u003e\u003cli\u003eEngineer in the ability to make encryption changes quickly and efficiently. 
\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"22:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n21:{\"self\":\"$22\"}\n25:[\"menu_ui\",\"scheduler\"]\n24:{\"module\":\"$25\"}\n28:[]\n27:{\"available_menus\":\"$28\",\"parent\":\"\"}\n29:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n26:{\"menu_ui\":\"$27\",\"scheduler\":\"$29\"}\n23:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$24\",\"third_party_settings\":\"$26\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n20:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$21\",\"attributes\":\"$23\"}\n2c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/bebd6b4a-b250-4060-a68d-15e540df32b8\"}\n2b:{\"self\":\"$2c\"}\n2d:{\"display_name\":\"eschweinsberg\"}\n2a:{\"type\":\"user--user\",\"id\":\"bebd6b4a-b250-4060-a68d-15e540df32b8\",\"links\":\"$2b\",\"attributes\":\"$2d\"}\n30:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n2f:{\"self\":\"$30\"}\n31:{\"display_name\":\"meg - 
retired\"}\n2e:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$2f\",\"attributes\":\"$31\"}\n34:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}\n33:{\"self\":\"$34\"}\n36:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n35:{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+"])</script><script>self.__next_f.push([1,"00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$36\"}\n3a:{\"drupal_internal__target_id\":\"resource_type\"}\n39:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$3a\"}\n3c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"}\n3d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}\n3b:{\"related\":\"$3c\",\"self\":\"$3d\"}\n38:{\"data\":\"$39\",\"links\":\"$3b\"}\n40:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"}\n41:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}\n3f:{\"related\":\"$40\",\"self\":\"$41\"}\n3e:{\"data\":null,\"links\":\"$3f\"}\n48:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n47:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$48\"}\n46:{\"help\":\"$47\"}\n45:{\"links\":\"$46\"}\n44:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$45\"}\n43:[\"$44\"]\n4a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"}\n4b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}\n49:{\"related\":\"$4a\",\"self\":\"$4b\"}\n42:{\"data\":\"$43\",\"links\":\"$49\"}\n37:{\"vid\":\"$38\",\"revision_user\":\"$3e\",\"parent\":\"$42\"}\n32:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":\"$33\",\"attributes\":\"$35\",\"relationships\":\"$37\"}\n4e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n4d:{\"self\":\"$4e\"}\n50:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4f:{\"drupal_i"])</script><script>self.__next_f.push([1,"nternal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$50\"}\n54:{\"drupal_internal__target_id\":\"roles\"}\n53:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$54\"}\n56:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n57:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n55:{\"related\":\"$56\",\"self\":\"$57\"}\n52:{\"data\":\"$53\",\"links\":\"$55\"}\n5a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n5b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n59:{\"related\":\"$5a\",\"self\":\"$5b\"}\n58:{\"data\":null,\"links\":\"$59\"}\n62:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n61:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$62\"}\n60:{\"help\":\"$61\"}\n5f:{\"links\":\"$60\"}\n5e:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$5f\"}\n5d:[\"$5e\"]\n64:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n65:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n63:{\"related\":\"$64\",\"self\":\"$65\"}\n5c:{\"data\":\"$5d\",\"links\":\"$63\"}\n51:{\"vid\":\"$52\",\"revision_user\":\"$58\",\"parent\":\"$5c\"}\n4c:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$4d\",\"attributes\":\"$4f\",\"relationships\":\"$51\"}\n68:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/"])</script><script>self.__next_f.push([1,"roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n67:{\"self\":\"$68\"}\n6a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n69:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$6a\"}\n6e:{\"drupal_internal__target_id\":\"roles\"}\n6d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$6e\"}\n70:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n71:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n6f:{\"related\":\"$70\",\"self\":\"$71\"}\n6c:{\"data\":\"$6d\",\"links\":\"$6f\"}\n74:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n75:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n73:{\"related\":\"$74\",\"self\":\"$75\"}\n72:{\"data\":null,\"links\":\"$73\"}\n7c:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n7b:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$7c\"}\n7a:{\"help\":\"$7b\"}\n79:{\"links\":\"$7a\"}\n78:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$79\"}\n77:[\"$78\"]\n7e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n7f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n7d:{\"related\":\"$7e\",\"self\":\"$7f\"}\n76:{\"data\":\"$77\",\"links\":\"$7d\"}\n6b:{\"vid\":\"$6c\",\"revision_user\":\"$72\",\"parent\":\"$76\"}\n66:{\"type\":\"taxonomy_term--role"])</script><script>self.__next_f.push([1,"s\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$67\",\"attributes\":\"$69\",\"relationships\":\"$6b\"}\n82:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n81:{\"self\":\"$82\"}\n84:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n83:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$84\"}\n88:{\"drupal_internal__target_id\":\"roles\"}\n87:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$88\"}\n8a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n8b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n89:{\"related\":\"$8a\",\"self\":\"$8b\"}\n86:{\"data\":\"$87\",\"links\":\"$89\"}\n8e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n8f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n8d:{\"related\":\"$8e\",\"self\":\"$8f\"}\n8c:{\"data\":null,\"links\":\"$8d\"}\n96:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n95:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$96\"}\n94:{\"help\":\"$95\"}\n93:{\"links\":\"$94\"}\n92:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$93\"}\n91:[\"$92\"]\n98:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n99:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n97:{\"re"])</script><script>self.__next_f.push([1,"lated\":\"$98\",\"self\":\"$99\"}\n90:{\"data\":\"$91\",\"links\":\"$97\"}\n85:{\"vid\":\"$86\",\"revision_user\":\"$8c\",\"parent\":\"$90\"}\n80:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$81\",\"attributes\":\"$83\",\"relationships\":\"$85\"}\n9c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38?resourceVersion=id%3A21\"}\n9b:{\"self\":\"$9c\"}\n9e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n9d:{\"drupal_internal__tid\":21,\"drupal_internal__revision_id\":21,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:35+00:00\",\"status\":true,\"name\":\"Federal Policy \u0026 
Guidance\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$9e\"}\na2:{\"drupal_internal__target_id\":\"topics\"}\na1:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$a2\"}\na4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/vid?resourceVersion=id%3A21\"}\na5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/relationships/vid?resourceVersion=id%3A21\"}\na3:{\"related\":\"$a4\",\"self\":\"$a5\"}\na0:{\"data\":\"$a1\",\"links\":\"$a3\"}\na8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/revision_user?resourceVersion=id%3A21\"}\na9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/relationships/revision_user?resourceVersion=id%3A21\"}\na7:{\"related\":\"$a8\",\"self\":\"$a9\"}\na6:{\"data\":null,\"links\":\"$a7\"}\nb0:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\naf:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$b0\"}\nae:{\"help\":\"$af\"}\nad:{\"links\":\"$ae\"}\nac:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$ad\"}\nab:[\"$ac\"]\nb2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/parent?resourceVersion=id%3A21\"}\nb3:"])</script><script>self.__next_f.push([1,"{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/relationships/parent?resourceVersion=id%3A21\"}\nb1:{\"related\":\"$b2\",\"self\":\"$b3\"}\naa:{\"data\":\"$ab\",\"links\":\"$b1\"}\n9f:{\"vid\":\"$a0\",\"revision_user\":\"$a6\",\"parent\":\"$aa\"}\n9a:{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"links\":\"$9b\",\"attributes\":\"$9d\",\"relationships\":\"$9f\"}\nb6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9271f09e-6087-42ce-9b2a-2ddf6888888d?resourceVersion=id%3A19936\"}\nb5:{\"self\":\"$b6\"}\nb8:[]\nba:T4489,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is Zero Trust?\u003c/h2\u003e\u003cp\u003eZero Trust is a security model that is built on continuous validation at every stage of digital interaction. The Zero Trust (ZT) security model, also known as Zero Trust Architecture (ZTA), maintains that no user or application should be trusted by default. As a result, organizations that implement a Zero Trust model move from checking permissions only at initial sign-on to continuously checking permissions as users or devices move through a system. This constant validation provides enhanced security for systems, devices, and users. 
Below are the associated concepts and policies that go hand-in-hand with the Zero Trust model.\u003c/p\u003e\u003ch3\u003eZero Trust policy: least privilege\u003c/h3\u003e\u003cp\u003eThe policy of least privilege is associated with the Zero Trust model and is designed to give users the least amount of access to a system or device that is required to complete a task. For example, if a system administrator wants to add new users to a given system, only that single permission is granted to complete that task. If the same system administrator wants to perform a different task, like deleting inactive users, their permissions will need to be reevaluated. In this scenario, the extra level of authentication prevents a malicious user from being able to casually use sensitive privileges like deleting users; it also prevents accidents from happening through trusted user error.\u003c/p\u003e\u003ch3\u003eZero Trust policy: assuming compromise\u003c/h3\u003e\u003cp\u003eAssuming compromise means just what it says: as part of the Zero Trust model, we assume that our systems have been compromised by threats. To increase our overall security posture, we design our systems to limit access to data and networks. Limitations can look like restricted connections between networks or different applications. These limitations can prevent malicious users from accessing sensitive data or data that lives on unrelated networks or applications.\u003c/p\u003e\u003cp\u003eAs CMS moves toward a Zero Trust model, you may notice some changes in how you sign in to devices and systems at work. 
This isn’t because we don’t trust you – we just want to be sure that the person logging in is you so that you can keep doing the great work you do.\u003c/p\u003e\u003ch3\u003eWhere did Zero Trust come from?\u003c/h3\u003e\u003cp\u003eIn May 2021, the Biden Administration issued \u003ca href=\"https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity\"\u003eExecutive Order (EO) 14028\u003c/a\u003e, charging federal agencies with the task of modernizing and enhancing cybersecurity. Executive Order 14028 was quickly followed by guidance from the \u003ca href=\"https://zerotrust.cyber.gov/federal-zero-trust-strategy\"\u003eOffice of Management and Budget (M-22-09)\u003c/a\u003e recommending the introduction of Zero Trust security practices and offering specific steps agencies needed to take to implement them. So what is Zero Trust (ZT), and how will these important changes impact your daily work?\u003c/p\u003e\u003ch2\u003eZero Trust at CMS\u003c/h2\u003e\u003cp\u003eCMS’s transition to Zero Trust is a journey. It will involve a series of small adjustments over time that will allow our agency to transition from a traditional perimeter-based security model to a system of continuous authorization, authentication, and validation. You may have already noticed some of the important changes that have been implemented to support Zero Trust at CMS including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe introduction of \u003ca href=\"/learn/cms-cloud-services\"\u003eCMS Cloud\u003c/a\u003e\u003c/li\u003e\u003cli\u003eOur move to the Zscaler integrated platform\u003c/li\u003e\u003cli\u003eThe use of PIV credentials for user authentication\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThere is no single tool that CMS can deploy to instantly implement Zero Trust across all systems; different system architectures will be necessary for different environments. 
To create those custom architectures, CMS is using the \u003ca href=\"https://www.cisa.gov/zero-trust-maturity-model\"\u003eCybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003eCISA Zero Trust Maturity Model\u003c/h3\u003e\u003cp\u003eThe CISA Zero Trust Maturity Model (ZTMM) is a roadmap designed to transition federal agencies to Zero Trust by assessing their current security stance and recommending specific changes that will improve security moving forward. (\u003ca href=\"https://security.cms.gov/posts/zero-trust-maturity-model-version-2-now-less-trust\"\u003eLearn more about the ZTMM here\u003c/a\u003e.)\u0026nbsp;\u003c/p\u003e\u003ch3\u003eZero Trust pillars\u003c/h3\u003e\u003cp\u003eThe model assesses system components, referred to as “pillars”, as well as general details regarding system \u003cstrong\u003evisibility and analytics\u003c/strong\u003e (how information is collected), \u003cstrong\u003eautomation and orchestration \u003c/strong\u003e(how security is created through automated processes), and \u003cstrong\u003egovernance\u003c/strong\u003e (the policies that guide the work).\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eIdentity\u003c/strong\u003e – An attribute or set of attributes that describe a CMS user.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eDevices\u003c/strong\u003e – A hardware asset that can be connected to a network, such as a laptop or mobile device provided by CMS. 
Devices can also include virtual machines and containers.\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eNetworks\u003c/strong\u003e – Internal CMS networks, data centers, and internet-based networks.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eApplications and workloads\u003c/strong\u003e – CMS systems, computer programs, and services that execute on-premise, as well as in a cloud environment.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eData\u003c/strong\u003e – Information that CMS collects, from documents to information collected from the public to fulfill our mission.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eStages of Zero Trust maturity\u003c/h3\u003e\u003cp\u003eFor each pillar, there are specific things we can measure to determine the degree to which an organization has reached Zero Trust maturity. Full information about the maturity stages for each pillar can be found in the ZTMM itself.\u003c/p\u003e\u003cp\u003eIn general, these are the stages that will help CMS track progress towards full adoption and implementation of Zero Trust standards.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTraditional\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe traditional level of maturity is marked by manually configured lifecycles (i.e., from establishment to decommissioning) and assignments of attributes (security and logging); static security policies and solutions that address one pillar at a time with discrete dependencies on external systems; manual response and mitigation deployment; least privilege established only at provisioning; siloed pillars of policy enforcement; and limited correlation of dependencies, logs, and telemetry.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInitial\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAt the level described as initial, increased maturity is demonstrated by starting automation of attribute assignment and configuration of lifecycles, policy decisions, and enforcement, and some initial responsive changes to 
least privilege after provisioning; cross-pillar solutions with integration of external systems; and aggregated visibility for internal systems.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAdvanced\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAt the advanced level of maturity, wherever applicable, automated controls for lifecycle and assignment of configurations and policies with cross-pillar coordination; response to pre-defined mitigations; changes to least privilege based on risk and posture assessments; policy enforcement integrated across pillars; and centralized visibility and identity control building toward enterprise-wide awareness (including externally hosted resources).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOptimal\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe optimal level of maturity is demonstrated by fully automated, just-in-time lifecycles and assignments of attributes to assets and resources that self-report with dynamic policies based on automated/observed triggers; dynamic least privilege access (just-enough and within thresholds) for assets and their respective dependencies enterprise-wide; cross-pillar interoperability with continuous monitoring; and centralized visibility with comprehensive situational awareness.\u003c/p\u003e\u003cp\u003eAs our Zero Trust rollout continues, System Owners will work with their teams to evaluate their desired level of maturity. While Optimal maturity is the goal for many systems, not all systems will be required to achieve it. Most systems will be required to achieve Advanced maturity, and many systems will be able to use CMS-wide tooling to make changes as your specific system requirements are defined.\u003c/p\u003e\u003cp\u003eIn general, this process will start with homogeneous cloud environments that use the same software and devices. 
We will then move on to custom environments and systems until all CMS systems have been properly evaluated.\u003c/p\u003e\u003ch2\u003eZero Trust and compliance\u003c/h2\u003e\u003cp\u003eWhile Zero Trust is not a compliance framework, its principles complement the existing compliance frameworks at \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS like Acceptable Risk Safeguards 5.1\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eARS 5.1 already supports many of the best practices offered by Zero Trust, such as the least privilege policy for certain levels of systems (e.g. High and Moderate) and the assumed compromise policy. As all CMS systems move to Zero Trust Architecture, System Owners are encouraged to add their own flair and implement tools and resources that will keep their systems compliant and push them closer to Optimal maturity. As specific implementation expectations are developed, they will be incorporated into future versions of ARS.\u003c/p\u003e\u003cp\u003eISSOs and others directly involved in the compliance process for CMS systems should watch for news and updates from ISPG for information related to Zero Trust implementation and its impact on compliance activities.\u003c/p\u003e\u003ch2\u003eHow will Zero Trust impact me?\u003c/h2\u003e\u003cp\u003eMany of the Zero Trust improvements implemented by CMS will be invisible to users. You may see more instances where you’re asked to provide two-factor authentication when accessing websites and apps. Since you’re using your work computer, your device will share information with CMS about the status of your system. For example, our networks will know if your computer patches are up to date and if there is a valid device certificate. 
This information not only keeps your computer and CMS systems safe and secure, but it also increases the amount of trust that CMS has that the person logging in is you.\u003c/p\u003e\u003cp\u003eThroughout the Zero Trust rollout at CMS, we will introduce new tools that will streamline existing processes while also increasing security. Members of OIT or others who run IT infrastructure at CMS will see the biggest changes, and overall, it should improve security while reducing burdens.\u003c/p\u003e\u003cp\u003eApplication Owners will also see changes as the environments they are in have more ZT features available, such as additional multi-factor authentication options for users or increased network encryption. These changes will make applications and systems more resilient to malicious attacks.\u003c/p\u003e\u003ch2\u003eZero Trust FAQs\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eWhere can I read about Zero Trust features, functionality, or offerings applicable to CMS?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCyberGeek is a great place to get started reading more about how Zero Trust will apply to CMS. Most of what we store here will be overviews, though, so as we have more features and functionality available, we will need to move that to internal knowledge repositories.\u003c/p\u003e\u003cp\u003eFor the latest Zero Trust news and updates, see \u003ca href=\"https://security.cms.gov/posts?ispg%5Bmenu%5D%5Bpublisher_title%5D=Zero%20Trust%20Team\"\u003eZero Trust articles on the CyberGeek blog\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eTo the extent possible, we will keep Zero Trust information near where you will use it. If you are building your applications on CMS Cloud, you can find more specific information on \u003ca href=\"http://cloud.cms.gov\"\u003ecloud.cms.gov\u003c/a\u003e. We also have spaces on the internal CODA site and Slack for more information. 
We also focus on keeping the ISSO community informed through the monthly \u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Forum\"\u003eCMS Cybersecurity Community Forum\u003c/a\u003e (requires CMS login), announcements in Slack, and \u003ca href=\"https://security.cms.gov/posts/read-cms-isso-journal\"\u003ethe ISSO Journal\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWhat is changing for CMS?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eRight now? Not much. Over time we will roll out more options for Multi-factor authentication, access control for data, and micro-segmentation within subnets and applications. A lot of the changes are going to be on a case-by-case basis, though, so it’s hard to say if there is something everyone is going to have to change.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWhen will we get information on what we need to do on an ADO level? What other processes can we pilot/test drive for you?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eHHS now requires CMS to report on the Zero Trust Maturity of each of our FISMA systems twice a year, so that helps teams identify areas where there is room for improvement. \u0026nbsp;ISPG is not currently (as of September 2024) requiring specific improvements; all improvements are voluntary. 
\u0026nbsp;\u003ca href=\"https://cloud.cms.gov/zero-trust-maturity-for-aws-on-cms-cloud\"\u003eCMS Hybrid Cloud website\u003c/a\u003e has some suggestions for areas to focus on.\u003c/p\u003e\u003cp\u003eRequests for volunteer ADOs to help us try new Zero Trust Techniques are distributed via the \u003ca href=\"https://security.cms.gov/learn/zero-trust#zero-trust-ambassador-program\"\u003eZero Trust Ambassadors Program\u003c/a\u003e and \u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Forum\"\u003eCMS Cybersecurity Community Forum\u003c/a\u003e (requires CMS login).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow will Zero Trust affect making information accessible to CMS staff and CMS contractors?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIdeally, we will make it easier to make data and information accessible to CMS staff, contractors, and consultants. The increased use of Attribute-based access control through various systems at our disposal can allow us to adapt what data is accessible by authorized persons based on other factors like what team they are on, what role they have, and if they are using GFE that is up-to-date. These changes will be made in upstream systems like IDM/Okta and Kion (nee CloudTamer) so that they can be used easily by different teams.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eThe Maturity Framework Evaluation appears to be scoring questions for an entire team at once: 1/2/3/4 points based on the status of all the systems. But it’s rare to be equally mature across all systems: perhaps user-facing applications are integrated with the agency’s external identity management system, but a tool for team administrators like CI/CD is not. 
Wouldn’t you get a better view of the team’s maturity by asking separately about those systems?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThat is a great observation and one that we arrived at when we were adapting the CISA Zero Trust Maturity Model to CMS. CISA’s original only had one function listed for Authentication, which was pretty general. When reviewing the CISA Model, we decided to split the authentication questions into three (3) parts:\u003c/p\u003e\u003cul\u003e\u003cli\u003eADO staff/developers\u003c/li\u003e\u003cli\u003eInteractive users of websites\u003c/li\u003e\u003cli\u003eAPI users\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eWe recognize that the technology needed for each of those is different and likely matures at different levels. It is a tough balance being granular enough to tease out distinctions like different kinds of users, but not too granular that we have to ask 200 questions to judge maturity level.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow can my system get a Zero Trust evaluation?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eReach out with your request to the \u003ca href=\"mailto:ISPGZeroTrust@cms.hhs.gov\"\u003eISPG Zero Trust Team\u003c/a\u003e. Include information about your system:\u003c/p\u003e\u003cul\u003e\u003cli\u003eName and Acronym\u003c/li\u003e\u003cli\u003eEnvironment it runs in (e.g. AWS for CMS Cloud, Azure for CMS Cloud, Ashburn, etc.)\u003c/li\u003e\u003cli\u003eNames and email addresses of other people to be involved\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eZero Trust Ambassador Program\u003c/h2\u003e\u003cp\u003eThe \u003cstrong\u003eZero Trust Ambassador Program\u003c/strong\u003e is for ISSOs, Security Engineers, Network Engineers, and Application developers who work on systems at CMS. 
It gives you access to additional Zero Trust content related to CMS environments, so you can:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLearn more about Zero Trust security\u003c/li\u003e\u003cli\u003eTest new Zero Trust recommendations\u003c/li\u003e\u003cli\u003eShare Zero Trust practices with your team\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your team is working on increasing your Zero Trust maturity, this program is for you! Resources include:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMonthly newsletter\u003c/strong\u003e -- with highlights from Zero Trust articles, upcoming presentation topics, and a handy reference guide.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://public.govdelivery.com/accounts/USCMS/subscriber/new?topic_id=USCMS_13166\"\u003eSign up for the newsletter here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eZero Trust articles\u003c/strong\u003e -- with the latest tips and information from the Zero Trust team at CMS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/posts?ispg%5Bmenu%5D%5Bpublisher_title%5D=Zero%20Trust%20Team\"\u003eSee Zero Trust articles\u003c/a\u003e on the ISPG News \u0026amp; Updates blog.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMonthly Office Hours\u003c/strong\u003e -- where you can connect with the Zero Trust Working Group, hear presentations from special guests, and ask questions. Office Hours information is listed below.\u003c/p\u003e\u003ch2\u003eZero Trust Ambassador Office Hours\u003c/h2\u003e\u003cp\u003eEach month, the Zero Trust Working Group holds Office Hours featuring a half hour Zero Trust presentation and a half hour for questions. Office Hours are the \u003cstrong\u003e3rd Tuesday of the month at 1pm ET\u003c/strong\u003e. \u0026nbsp;New time for 2025!\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cms.zoomgov.com/meeting/register/57oW2jbfTT6bnGPiEiz_5Q\"\u003eRegister for upcoming Office Hours here\u003c/a\u003e. 
\u0026nbsp;There is a new series for 2025.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://confluenceent.cms.gov/display/ISPG/Zero+Trust+Ambassador+Program\"\u003ePast meeting recordings and presentation decks are here\u003c/a\u003e (link requires a CMS login to access).\u003c/p\u003e"])</script><script>self.__next_f.push([1,"bb:T4489,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is Zero Trust?\u003c/h2\u003e\u003cp\u003eZero Trust is a security model that is built on continuous validation at every stage of digital interaction. The Zero Trust (ZT) security model, also known as Zero Trust Architecture (ZTA), maintains that no user or application should be trusted by default. As a result, organizations that implement a Zero Trust model move from checking permissions only at initial sign-on to continuously checking permissions as users or devices move through a system. This constant validation provides enhanced security for systems, devices, and users. Below are the associated concepts and policies that go hand-in-hand with the Zero Trust model.\u003c/p\u003e\u003ch3\u003eZero Trust policy: least privilege\u003c/h3\u003e\u003cp\u003eThe policy of least privilege is associated with the Zero Trust model and is designed to give users the least amount of access to a system or device that is required to complete a task. For example, if a system administrator wants to add new users to a given system, only that single permission is granted to complete that task. If the same system administrator wants to perform a different task, like deleting inactive users, their permissions will need to be reevaluated. 
In this scenario, the extra level of authentication prevents a malicious user from being able to casually use sensitive privileges like deleting users; it also prevents accidents from happening through trusted user error.\u003c/p\u003e\u003ch3\u003eZero Trust policy: assuming compromise\u003c/h3\u003e\u003cp\u003eAssuming compromise means just what it says: as part of the Zero Trust model, we assume that our systems have been compromised by threats. To increase our overall security posture, we design our systems to limit access to data and networks. Limitations can look like restricted connections between networks or different applications. These limitations can prevent malicious users from accessing sensitive data or data that lives on unrelated networks or applications.\u003c/p\u003e\u003cp\u003eAs CMS moves toward a Zero Trust model, you may notice some changes in how you sign in to devices and systems at work. This isn’t because we don’t trust you – we just want to be sure that the person logging in is you so that you can keep doing the great work you do.\u003c/p\u003e\u003ch3\u003eWhere did Zero Trust come from?\u003c/h3\u003e\u003cp\u003eIn May 2021, the Biden Administration issued \u003ca href=\"https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity\"\u003eExecutive Order (EO) 14028\u003c/a\u003e, charging federal agencies with the task of modernizing and enhancing cybersecurity. Executive Order 14028 was quickly followed by guidance from the \u003ca href=\"https://zerotrust.cyber.gov/federal-zero-trust-strategy\"\u003eOffice of Management and Budget (M-22-09)\u003c/a\u003e recommending the introduction of Zero Trust security practices and offering specific steps agencies needed to take to implement them. So what is Zero Trust (ZT), and how will these important changes impact your daily work?\u003c/p\u003e\u003ch2\u003eZero Trust at CMS\u003c/h2\u003e\u003cp\u003eCMS’s transition to Zero Trust is a journey. 
It will involve a series of small adjustments over time that will allow our agency to transition from a traditional perimeter-based security model to a system of continuous authorization, authentication, and validation. You may have already noticed some of the important changes that have been implemented to support Zero Trust at CMS including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe introduction of \u003ca href=\"/learn/cms-cloud-services\"\u003eCMS Cloud\u003c/a\u003e\u003c/li\u003e\u003cli\u003eOur move to the Zscaler integrated platform\u003c/li\u003e\u003cli\u003eThe use of PIV credentials for user authentication\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThere is no single tool that CMS can deploy to instantly implement Zero Trust across all systems; different system architectures will be necessary for different environments. To create those custom architectures, CMS is using the \u003ca href=\"https://www.cisa.gov/zero-trust-maturity-model\"\u003eCybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003eCISA Zero Trust Maturity Model\u003c/h3\u003e\u003cp\u003eThe CISA Zero Trust Maturity Model (ZTMM) is a roadmap designed to transition federal agencies to Zero Trust by assessing their current security stance and recommending specific changes that will improve security moving forward. 
(\u003ca href=\"https://security.cms.gov/posts/zero-trust-maturity-model-version-2-now-less-trust\"\u003eLearn more about the ZTMM here\u003c/a\u003e.)\u0026nbsp;\u003c/p\u003e\u003ch3\u003eZero Trust pillars\u003c/h3\u003e\u003cp\u003eThe model assesses system components, referred to as “pillars”, as well as general details regarding system \u003cstrong\u003evisibility and analytics\u003c/strong\u003e (how information is collected), \u003cstrong\u003eautomation and orchestration \u003c/strong\u003e(how security is created through automated processes), and \u003cstrong\u003egovernance\u003c/strong\u003e (the policies that guide the work).\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eIdentity\u003c/strong\u003e – An attribute or set of attributes that describe a CMS user.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eDevices\u003c/strong\u003e – A hardware asset that can be connected to a network, such as a laptop or mobile device provided by CMS. Devices can also include virtual machines and containers.\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eNetworks\u003c/strong\u003e – Internal CMS networks, data centers, and internet-based networks.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eApplications and workloads\u003c/strong\u003e – CMS systems, computer programs, and services that execute on-premise, as well as in a cloud environment.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eData\u003c/strong\u003e – Information that CMS collects, from documents to information collected from the public to fulfill our mission.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eStages of Zero Trust maturity\u003c/h3\u003e\u003cp\u003eFor each pillar, there are specific things we can measure to determine the degree to which an organization has reached Zero Trust maturity. 
Full information about the maturity stages for each pillar can be found in the ZTMM itself.\u003c/p\u003e\u003cp\u003eIn general, these are the stages that will help CMS track progress towards full adoption and implementation of Zero Trust standards.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTraditional\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe traditional level of maturity is marked by manually configured lifecycles (i.e., from establishment to decommissioning) and assignments of attributes (security and logging); static security policies and solutions that address one pillar at a time with discrete dependencies on external systems; manual response and mitigation deployment; least privilege established only at provisioning; siloed pillars of policy enforcement; and limited correlation of dependencies, logs, and telemetry.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInitial\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAt the level described as initial, increased maturity is demonstrated by starting automation of attribute assignment and configuration of lifecycles, policy decisions, and enforcement, and some initial responsive changes to least privilege after provisioning; cross-pillar solutions with integration of external systems; and aggregated visibility for internal systems.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAdvanced\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAt the advanced level of maturity, wherever applicable, automated controls for lifecycle and assignment of configurations and policies with cross-pillar coordination; response to pre-defined mitigations; changes to least privilege based on risk and posture assessments; policy enforcement integrated across pillars; and centralized visibility and identity control building toward enterprise-wide awareness (including externally hosted resources).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOptimal\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe optimal level of maturity is demonstrated 
by fully automated, just-in-time lifecycles and assignments of attributes to assets and resources that self-report with dynamic policies based on automated/observed triggers; dynamic least privilege access (just-enough and within thresholds) for assets and their respective dependencies enterprise-wide; cross-pillar interoperability with continuous monitoring; and centralized visibility with comprehensive situational awareness.\u003c/p\u003e\u003cp\u003eAs our Zero Trust rollout continues, System Owners will work with their teams to evaluate their desired level of maturity. While Optimal maturity is the goal for many systems, not all systems will be required to achieve it. Most systems will be required to achieve Advanced maturity, and many systems will be able to use CMS-wide tooling to make changes as your specific system requirements are defined.\u003c/p\u003e\u003cp\u003eIn general, this process will start with homogeneous cloud environments that use the same software and devices. We will then move on to custom environments and systems until all CMS systems have been properly evaluated.\u003c/p\u003e\u003ch2\u003eZero Trust and compliance\u003c/h2\u003e\u003cp\u003eWhile Zero Trust is not a compliance framework, its principles complement the existing compliance frameworks at \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS like Acceptable Risk Safeguards 5.1\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eARS 5.1 already supports many of the best practices offered by Zero Trust, such as the least privilege policy for certain levels of systems (e.g. High and Moderate) and the assumed compromise policy. As all CMS systems move to Zero Trust Architecture, System Owners are encouraged to add their own flair and implement tools and resources that will keep their systems compliant and push them closer to Optimal maturity. 
As specific implementation expectations are developed, they will be incorporated into future versions of ARS.\u003c/p\u003e\u003cp\u003eISSOs and others directly involved in the compliance process for CMS systems should watch for news and updates from ISPG for information related to Zero Trust implementation and its impact on compliance activities.\u003c/p\u003e\u003ch2\u003eHow will Zero Trust impact me?\u003c/h2\u003e\u003cp\u003eMany of the Zero Trust improvements implemented by CMS will be invisible to users. You may see more instances where you’re asked to provide two-factor authentication when accessing websites and apps. Since you’re using your work computer, your device will share information with CMS about the status of your system. For example, our networks will know if your computer patches are up to date and if there is a valid device certificate. This information not only keeps your computer and CMS systems safe and secure, but it also increases the amount of trust that CMS has that the person logging in is you.\u003c/p\u003e\u003cp\u003eThroughout the Zero Trust rollout at CMS, we will introduce new tools that will streamline existing processes while also increasing security. Members of OIT or others who run IT infrastructure at CMS will see the biggest changes, and overall, it should improve security while reducing burdens.\u003c/p\u003e\u003cp\u003eApplication Owners will also see changes as the environments they are in have more ZT features available, such as additional multi-factor authentication options for users or increased network encryption. These changes will make applications and systems more resilient to malicious attacks.\u003c/p\u003e\u003ch2\u003eZero Trust FAQs\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eWhere can I read about Zero Trust features, functionality, or offerings applicable to CMS?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCyberGeek is a great place to get started reading more about how Zero Trust will apply to CMS. 
Most of what we store here will be overviews, though, so as we have more features and functionality available, we will need to move that to internal knowledge repositories.\u003c/p\u003e\u003cp\u003eFor the latest Zero Trust news and updates, see \u003ca href=\"https://security.cms.gov/posts?ispg%5Bmenu%5D%5Bpublisher_title%5D=Zero%20Trust%20Team\"\u003eZero Trust articles on the CyberGeek blog\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eTo the extent possible, we will keep Zero Trust information near where you will use it. If you are building your applications on CMS Cloud, you can find more specific information on \u003ca href=\"http://cloud.cms.gov\"\u003ecloud.cms.gov\u003c/a\u003e. We also have spaces on the internal CODA site and Slack for more information. We also focus on keeping the ISSO community informed through the monthly \u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Forum\"\u003eCMS Cybersecurity Community Forum\u003c/a\u003e (requires CMS login), announcements in Slack, and \u003ca href=\"https://security.cms.gov/posts/read-cms-isso-journal\"\u003ethe ISSO Journal\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWhat is changing for CMS?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eRight now? Not much. Over time we will roll out more options for Multi-factor authentication, access control for data, and micro-segmentation within subnets and applications. A lot of the changes are going to be on a case-by-case basis, though, so it’s hard to say if there is something everyone is going to have to change.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWhen will we get information on what we need to do on an ADO level? What other processes can we pilot/test drive for you?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eHHS now requires CMS to report on the Zero Trust Maturity of each of our FISMA systems twice a year, so that helps teams identify areas where there is room for improvement. 
\u0026nbsp;ISPG is not currently (as of September 2024) requiring specific improvements; all improvements are voluntary. \u0026nbsp;\u003ca href=\"https://cloud.cms.gov/zero-trust-maturity-for-aws-on-cms-cloud\"\u003eCMS Hybrid Cloud website\u003c/a\u003e has some suggestions for areas to focus on.\u003c/p\u003e\u003cp\u003eRequests for volunteer ADOs to help us try new Zero Trust Techniques are distributed via the \u003ca href=\"https://security.cms.gov/learn/zero-trust#zero-trust-ambassador-program\"\u003eZero Trust Ambassadors Program\u003c/a\u003e and \u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Forum\"\u003eCMS Cybersecurity Community Forum\u003c/a\u003e (requires CMS login).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow will Zero Trust affect making information accessible to CMS staff and CMS contractors?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIdeally, we will make it easier to make data and information accessible to CMS staff, contractors, and consultants. The increased use of Attribute-based access control through various systems at our disposal can allow us to adapt what data is accessible by authorized persons based on other factors like what team they are on, what role they have, and if they are using GFE that is up-to-date. These changes will be made in upstream systems like IDM/Okta and Kion (nee CloudTamer) so that they can be used easily by different teams.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eThe Maturity Framework Evaluation appears to be scoring questions for an entire team at once: 1/2/3/4 points based on the status of all the systems. But it’s rare to be equally mature across all systems: perhaps user-facing applications are integrated with the agency’s external identity management system, but a tool for team administrators like CI/CD is not. 
Wouldn’t you get a better view of the team’s maturity by asking separately about those systems?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThat is a great observation and one that we arrived at when we were adapting the CISA Zero Trust Maturity Model to CMS. CISA’s original only had one function listed for Authentication, which was pretty general. When reviewing the CISA Model, we decided to split the authentication questions into three (3) parts:\u003c/p\u003e\u003cul\u003e\u003cli\u003eADO staff/developers\u003c/li\u003e\u003cli\u003eInteractive users of websites\u003c/li\u003e\u003cli\u003eAPI users\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eWe recognize that the technology needed for each of those is different and likely matures at different levels. It is a tough balance being granular enough to tease out distinctions like different kinds of users, but not too granular that we have to ask 200 questions to judge maturity level.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHow can my system get a Zero Trust evaluation?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eReach out with your request to the \u003ca href=\"mailto:ISPGZeroTrust@cms.hhs.gov\"\u003eISPG Zero Trust Team\u003c/a\u003e. Include information about your system:\u003c/p\u003e\u003cul\u003e\u003cli\u003eName and Acronym\u003c/li\u003e\u003cli\u003eEnvironment it runs in (e.g. AWS for CMS Cloud, Azure for CMS Cloud, Ashburn, etc.)\u003c/li\u003e\u003cli\u003eNames and email addresses of other people to be involved\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eZero Trust Ambassador Program\u003c/h2\u003e\u003cp\u003eThe \u003cstrong\u003eZero Trust Ambassador Program\u003c/strong\u003e is for ISSOs, Security Engineers, Network Engineers, and Application developers who work on systems at CMS. 
It gives you access to additional Zero Trust content related to CMS environments, so you can:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLearn more about Zero Trust security\u003c/li\u003e\u003cli\u003eTest new Zero Trust recommendations\u003c/li\u003e\u003cli\u003eShare Zero Trust practices with your team\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your team is working on increasing your Zero Trust maturity, this program is for you! Resources include:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMonthly newsletter\u003c/strong\u003e -- with highlights from Zero Trust articles, upcoming presentation topics, and a handy reference guide.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://public.govdelivery.com/accounts/USCMS/subscriber/new?topic_id=USCMS_13166\"\u003eSign up for the newsletter here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eZero Trust articles\u003c/strong\u003e -- with the latest tips and information from the Zero Trust team at CMS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/posts?ispg%5Bmenu%5D%5Bpublisher_title%5D=Zero%20Trust%20Team\"\u003eSee Zero Trust articles\u003c/a\u003e on the ISPG News \u0026amp; Updates blog.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMonthly Office Hours\u003c/strong\u003e -- where you can connect with the Zero Trust Working Group, hear presentations from special guests, and ask questions. Office Hours information is listed below.\u003c/p\u003e\u003ch2\u003eZero Trust Ambassador Office Hours\u003c/h2\u003e\u003cp\u003eEach month, the Zero Trust Working Group holds Office Hours featuring a half hour Zero Trust presentation and a half hour for questions. Office Hours are the \u003cstrong\u003e3rd Tuesday of the month at 1pm ET\u003c/strong\u003e. \u0026nbsp;New time for 2025!\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cms.zoomgov.com/meeting/register/57oW2jbfTT6bnGPiEiz_5Q\"\u003eRegister for upcoming Office Hours here\u003c/a\u003e. 
\u0026nbsp;There is a new series for 2025.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://confluenceent.cms.gov/display/ISPG/Zero+Trust+Ambassador+Program\"\u003ePast meeting recordings and presentation decks are here\u003c/a\u003e (link requires a CMS login to access).\u003c/p\u003e"])</script><script>self.__next_f.push([1,"b9:{\"value\":\"$ba\",\"format\":\"body_text\",\"processed\":\"$bb\"}\nb7:{\"drupal_internal__id\":536,\"drupal_internal__revision_id\":19936,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-02T19:27:06+00:00\",\"parent_id\":\"671\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$b8\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$b9\"}\nbf:{\"drupal_internal__target_id\":\"page_section\"}\nbe:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$bf\"}\nc1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9271f09e-6087-42ce-9b2a-2ddf6888888d/paragraph_type?resourceVersion=id%3A19936\"}\nc2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9271f09e-6087-42ce-9b2a-2ddf6888888d/relationships/paragraph_type?resourceVersion=id%3A19936\"}\nc0:{\"related\":\"$c1\",\"self\":\"$c2\"}\nbd:{\"data\":\"$be\",\"links\":\"$c0\"}\nc5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9271f09e-6087-42ce-9b2a-2ddf6888888d/field_specialty_item?resourceVersion=id%3A19936\"}\nc6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9271f09e-6087-42ce-9b2a-2ddf6888888d/relationships/field_specialty_item?resourceVersion=id%3A19936\"}\nc4:{\"related\":\"$c5\",\"self\":\"$c6\"}\nc3:{\"data\":null,\"links\":\"$c4\"}\nbc:{\"paragraph_type\":\"$bd\",\"field_specialty_item\":\"$c3\"}\nb4:{\"type\":\"paragraph--page_section\",\"id\":\"9271f09e-6087-42ce-9b2a-2ddf6888888d\",\"links\":\"$b5\",\"attributes\":\"$b7\",\"relationships\":\"$bc\"}\nc9:{\"href\":
\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c6911d3e-5198-4b35-ac2a-13d123aedee1?resourceVersion=id%3A19941\"}\nc8:{\"self\":\"$c9\"}\ncb:[]\nca:{\"drupal_internal__id\":3398,\"drupal_internal__revision_id\":19941,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-07-25T19:41:52+00:00\",\"parent_id\":\"671\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$cb\",\"default_langcode\":true,\"revision_translation_affected\":true}\ncf:{\"drupal_internal__target_id\":\"internal_link\"}\nce:{\"type\":\"paragraphs_t"])</script><script>self.__next_f.push([1,"ype--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$cf\"}\nd1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c6911d3e-5198-4b35-ac2a-13d123aedee1/paragraph_type?resourceVersion=id%3A19941\"}\nd2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c6911d3e-5198-4b35-ac2a-13d123aedee1/relationships/paragraph_type?resourceVersion=id%3A19941\"}\nd0:{\"related\":\"$d1\",\"self\":\"$d2\"}\ncd:{\"data\":\"$ce\",\"links\":\"$d0\"}\nd5:{\"drupal_internal__target_id\":1132}\nd4:{\"type\":\"node--blog\",\"id\":\"aca45222-41ba-4c40-b537-5e106036b9e6\",\"meta\":\"$d5\"}\nd7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c6911d3e-5198-4b35-ac2a-13d123aedee1/field_link?resourceVersion=id%3A19941\"}\nd8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c6911d3e-5198-4b35-ac2a-13d123aedee1/relationships/field_link?resourceVersion=id%3A19941\"}\nd6:{\"related\":\"$d7\",\"self\":\"$d8\"}\nd3:{\"data\":\"$d4\",\"links\":\"$d6\"}\ncc:{\"paragraph_type\":\"$cd\",\"field_link\":\"$d3\"}\nc7:{\"type\":\"paragraph--internal_link\",\"id\":\"c6911d3e-5198-4b35-ac2a-13d123aedee1\",\"links\":\"$c8\",\"attributes\":\"$ca\",\"relationships\":\"$cc\"}\ndb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2bcabaa5-d621-42c9-bdc8-e0b80b3869d3?resource
Version=id%3A19946\"}\nda:{\"self\":\"$db\"}\ndd:[]\ndc:{\"drupal_internal__id\":1616,\"drupal_internal__revision_id\":19946,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-14T16:09:06+00:00\",\"parent_id\":\"671\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$dd\",\"default_langcode\":true,\"revision_translation_affected\":true}\ne1:{\"drupal_internal__target_id\":\"internal_link\"}\ne0:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$e1\"}\ne3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2bcabaa5-d621-42c9-bdc8-e0b80b3869d3/paragraph_type?resourceVersion=id%3A19946\"}\ne4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2bcabaa5-d621-42c9-bdc8-e0b80b3869d3/relationships/paragraph_"])</script><script>self.__next_f.push([1,"type?resourceVersion=id%3A19946\"}\ne2:{\"related\":\"$e3\",\"self\":\"$e4\"}\ndf:{\"data\":\"$e0\",\"links\":\"$e2\"}\ne7:{\"drupal_internal__target_id\":1169}\ne6:{\"type\":\"node--blog\",\"id\":\"bf73d479-26b2-42c1-ad91-4443f37c5ebd\",\"meta\":\"$e7\"}\ne9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2bcabaa5-d621-42c9-bdc8-e0b80b3869d3/field_link?resourceVersion=id%3A19946\"}\nea:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2bcabaa5-d621-42c9-bdc8-e0b80b3869d3/relationships/field_link?resourceVersion=id%3A19946\"}\ne8:{\"related\":\"$e9\",\"self\":\"$ea\"}\ne5:{\"data\":\"$e6\",\"links\":\"$e8\"}\nde:{\"paragraph_type\":\"$df\",\"field_link\":\"$e5\"}\nd9:{\"type\":\"paragraph--internal_link\",\"id\":\"2bcabaa5-d621-42c9-bdc8-e0b80b3869d3\",\"links\":\"$da\",\"attributes\":\"$dc\",\"relationships\":\"$de\"}\ned:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/670741af-bf41-4d99-a21c-a24dc57f4424?resourceVersion=id%3A19951\"}\nec:{\"self\":\"$ed\"}\nef:[]\nee:{\"drupal_internal__id\":3499,\"drupal_internal__
revision_id\":19951,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-05-13T10:23:19+00:00\",\"parent_id\":\"671\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$ef\",\"default_langcode\":true,\"revision_translation_affected\":true}\nf3:{\"drupal_internal__target_id\":\"internal_link\"}\nf2:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$f3\"}\nf5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/670741af-bf41-4d99-a21c-a24dc57f4424/paragraph_type?resourceVersion=id%3A19951\"}\nf6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/670741af-bf41-4d99-a21c-a24dc57f4424/relationships/paragraph_type?resourceVersion=id%3A19951\"}\nf4:{\"related\":\"$f5\",\"self\":\"$f6\"}\nf1:{\"data\":\"$f2\",\"links\":\"$f4\"}\nf9:{\"drupal_internal__target_id\":1181}\nf8:{\"type\":\"node--blog\",\"id\":\"e0d23b7f-1209-42b1-80aa-0c39f2b45917\",\"meta\":\"$f9\"}\nfb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/670741af-bf41-4d99-a21c-a24dc57f4424/field_link?resourceVersion=id%3A19"])</script><script>self.__next_f.push([1,"951\"}\nfc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/670741af-bf41-4d99-a21c-a24dc57f4424/relationships/field_link?resourceVersion=id%3A19951\"}\nfa:{\"related\":\"$fb\",\"self\":\"$fc\"}\nf7:{\"data\":\"$f8\",\"links\":\"$fa\"}\nf0:{\"paragraph_type\":\"$f1\",\"field_link\":\"$f7\"}\neb:{\"type\":\"paragraph--internal_link\",\"id\":\"670741af-bf41-4d99-a21c-a24dc57f4424\",\"links\":\"$ec\",\"attributes\":\"$ee\",\"relationships\":\"$f0\"}\nff:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f7a739a6-3d16-4633-bfad-fd8f469ffb64?resourceVersion=id%3A19956\"}\nfe:{\"self\":\"$ff\"}\n101:[]\n100:{\"drupal_internal__id\":1611,\"drupal_internal__revision_id\":19956,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-14T16:04:44+00:00\",\"par
ent_id\":\"671\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$101\",\"default_langcode\":true,\"revision_translation_affected\":true}\n105:{\"drupal_internal__target_id\":\"internal_link\"}\n104:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$105\"}\n107:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f7a739a6-3d16-4633-bfad-fd8f469ffb64/paragraph_type?resourceVersion=id%3A19956\"}\n108:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f7a739a6-3d16-4633-bfad-fd8f469ffb64/relationships/paragraph_type?resourceVersion=id%3A19956\"}\n106:{\"related\":\"$107\",\"self\":\"$108\"}\n103:{\"data\":\"$104\",\"links\":\"$106\"}\n10b:{\"drupal_internal__target_id\":381}\n10a:{\"type\":\"node--explainer\",\"id\":\"af385f5f-f61b-47af-a235-7dc48efd251e\",\"meta\":\"$10b\"}\n10d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f7a739a6-3d16-4633-bfad-fd8f469ffb64/field_link?resourceVersion=id%3A19956\"}\n10e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f7a739a6-3d16-4633-bfad-fd8f469ffb64/relationships/field_link?resourceVersion=id%3A19956\"}\n10c:{\"related\":\"$10d\",\"self\":\"$10e\"}\n109:{\"data\":\"$10a\",\"links\":\"$10c\"}\n102:{\"paragraph_type\":\"$103\",\"field_link\":\"$109\"}\nfd:{\"type\":\"paragraph--internal_link\",\"id\":\"f7a739"])</script><script>self.__next_f.push([1,"a6-3d16-4633-bfad-fd8f469ffb64\",\"links\":\"$fe\",\"attributes\":\"$100\",\"relationships\":\"$102\"}\n111:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/80d01d00-9ecf-4254-8e6e-a9242e8289f1?resourceVersion=id%3A19961\"}\n110:{\"self\":\"$111\"}\n113:[]\n112:{\"drupal_internal__id\":1621,\"drupal_internal__revision_id\":19961,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-14T16:09:11+00:00\",\"parent_id\":\"671\",\"parent_type\":\"node\",\"parent_field_name\":\"fi
eld_related_collection\",\"behavior_settings\":\"$113\",\"default_langcode\":true,\"revision_translation_affected\":true}\n117:{\"drupal_internal__target_id\":\"internal_link\"}\n116:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$117\"}\n119:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/80d01d00-9ecf-4254-8e6e-a9242e8289f1/paragraph_type?resourceVersion=id%3A19961\"}\n11a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/80d01d00-9ecf-4254-8e6e-a9242e8289f1/relationships/paragraph_type?resourceVersion=id%3A19961\"}\n118:{\"related\":\"$119\",\"self\":\"$11a\"}\n115:{\"data\":\"$116\",\"links\":\"$118\"}\n11d:{\"drupal_internal__target_id\":316}\n11c:{\"type\":\"node--explainer\",\"id\":\"a0111527-6756-4576-8c52-5a7f3a032b20\",\"meta\":\"$11d\"}\n11f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/80d01d00-9ecf-4254-8e6e-a9242e8289f1/field_link?resourceVersion=id%3A19961\"}\n120:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/80d01d00-9ecf-4254-8e6e-a9242e8289f1/relationships/field_link?resourceVersion=id%3A19961\"}\n11e:{\"related\":\"$11f\",\"self\":\"$120\"}\n11b:{\"data\":\"$11c\",\"links\":\"$11e\"}\n114:{\"paragraph_type\":\"$115\",\"field_link\":\"$11b\"}\n10f:{\"type\":\"paragraph--internal_link\",\"id\":\"80d01d00-9ecf-4254-8e6e-a9242e8289f1\",\"links\":\"$110\",\"attributes\":\"$112\",\"relationships\":\"$114\"}\n123:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d576257b-f5ba-4ad4-a81b-7628a82e8dce?resourceVersion=id%3A19966\"}\n122:{\"self\":\"$123\"}\n125:[]\n124:{\"drupal_internal__id\":1626,\"drupal_internal__revision_id\":19966,"])</script><script>self.__next_f.push([1,"\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-14T16:09:26+00:00\",\"parent_id\":\"671\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$125\",\"default_
langcode\":true,\"revision_translation_affected\":true}\n129:{\"drupal_internal__target_id\":\"internal_link\"}\n128:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$129\"}\n12b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d576257b-f5ba-4ad4-a81b-7628a82e8dce/paragraph_type?resourceVersion=id%3A19966\"}\n12c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d576257b-f5ba-4ad4-a81b-7628a82e8dce/relationships/paragraph_type?resourceVersion=id%3A19966\"}\n12a:{\"related\":\"$12b\",\"self\":\"$12c\"}\n127:{\"data\":\"$128\",\"links\":\"$12a\"}\n12f:{\"drupal_internal__target_id\":326}\n12e:{\"type\":\"node--explainer\",\"id\":\"a279358b-5b24-49bc-a98e-11681bd7e65c\",\"meta\":\"$12f\"}\n131:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d576257b-f5ba-4ad4-a81b-7628a82e8dce/field_link?resourceVersion=id%3A19966\"}\n132:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d576257b-f5ba-4ad4-a81b-7628a82e8dce/relationships/field_link?resourceVersion=id%3A19966\"}\n130:{\"related\":\"$131\",\"self\":\"$132\"}\n12d:{\"data\":\"$12e\",\"links\":\"$130\"}\n126:{\"paragraph_type\":\"$127\",\"field_link\":\"$12d\"}\n121:{\"type\":\"paragraph--internal_link\",\"id\":\"d576257b-f5ba-4ad4-a81b-7628a82e8dce\",\"links\":\"$122\",\"attributes\":\"$124\",\"relationships\":\"$126\"}\n135:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6?resourceVersion=id%3A6201\"}\n134:{\"self\":\"$135\"}\n137:{\"alias\":\"/posts/7-tenets-zero-trust-issos-and-ados\",\"pid\":985,\"langcode\":\"en\"}\n139:T1aef,"])</script><script>self.__next_f.push([1,"\u003cp\u003eAs part of their white paper on \u003ca href=\"https://www.nist.gov/publications/zero-trust-architecture\"\u003eZero Trust SP-800-207\u003c/a\u003e, NIST identified Seven Tenets that form the foundation of Zero Trust. 
The Zero Trust Workgroup at CMS has applied these tenets to CMS IT. CMS has many initiatives that support Zero Trust architecture, so engaging with those early can set your project up for a more mature Zero Trust architecture in the future and increase security now.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e1. All data sources and computing services are considered resources\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll data sources and computing services that process CMS data are considered resources and should have defined controls and zero trust solutions governing access to them. Data sources include data repositories, file shares, and databases, while computing services include servers, EC2 instances, containers, and AWS lambda functions.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e2. All communication is secured regardless of network location\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTraffic flowing between resources must be secured with appropriate encryption and authentication mechanisms as close to the originating resource as possible -- whether both resources are in the same network or if the data has to transit to another network.\u0026nbsp; Encryption is not only for privacy but also for protection against modification in transit.\u003c/p\u003e\u003cp\u003eThe OIT memo \u003cstrong\u003eCMS Strategy for Encrypting Sensitive Information\u003c/strong\u003e mandates CMS is required to encrypt sensitive information at rest and in transit on all CMS Systems that store, process or transmit such information, especially High Value Assets (HVA), Mission Essential Functions, and Sensitive PII systems.\u0026nbsp; The \u003ca href=\"https://security.cms.gov/learn/cms-enterprise-data-encryption-cede\"\u003eCMS Enterprise Data Encryption Initiative\u003c/a\u003e has been working on helping ISSOs get their data encrypted since 2021.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e3. 
Access to individual enterprise resources is granted on a per\u003c/strong\u003e-\u003cstrong\u003esession basis\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTrust in the user or developer is evaluated before the access is granted to a specific resource (e.g., authentication), and access should also be granted with the least privileges needed to complete the task (e.g., authorization).\u0026nbsp; Authenticated sessions should be time-bound, with a session lasting less than 24 hours.\u0026nbsp; The length of a session can vary based on the sensitivity of the data as long as it is finite.\u0026nbsp; Additionally, authentication and authorization to one resource should not automatically grant access to a different resource.\u003c/p\u003e\u003cp\u003eUse existing identity management systems \u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=15641880\"\u003esuch as IDM\u003c/a\u003e to the greatest extent possible to perform authentication and authorization -- avoid creating new ones.\u0026nbsp; There are systems available for developers and users alike.\u0026nbsp;\u0026nbsp; Developers should be granted the least amount of privileges to the resource as possible; \u003ca href=\"https://cloud.cms.gov/how-to-use-cloudtamer-cms-gov\"\u003eCloudTamer\u003c/a\u003e, now called Kion, for CMSCloud is a great way to do that.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e4. 
Access to resources is determined by dynamic policy\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eMature Zero Trust architectures strive to have access policies that take input from external systems, such as the asset they are using or the user's location, to determine the current access level for the user.\u0026nbsp; For example, some government systems cannot be accessed outside the United States.\u0026nbsp; This is often referred to as risk-based or attribute-based authentication.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhile attribute-based authentication is the goal of Zero Trust, the technology is still fairly new.\u0026nbsp; In the future, the Zero Trust Workgroup plans to provide a way for ADOs to do attribute-based authentication, but this is likely a ways off for widespread use.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe enterprise does not inherently trust any asset, whether CMS owns the asset or not.\u0026nbsp; CMS monitors the security posture of every asset, and uses that information when that asset requests access to resources. CMS already employs a dynamic policy for Government Furnished Laptops attempting to access CMSNet. Devices must have a device certificate, certain security software, and have the current security patches installed before it may join the network, and devices that do not meet this are sent to a different network for remediation.\u003c/p\u003e\u003cp\u003eVirtual Machines (VMs) and containers are also assets and should be treated in similar ways. These operating systems must be patched and vulnerability scanned just like physical servers would -- VMs and containers with known vulnerabilities should not be deployed to production. CMSCloud offers a Gold Image for AWS and MAG to help ADOs deploy VMs with the latest patches. 
ISSOs are encouraged to have ADOs take advantage of these options and existing vulnerability scanning tools.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAccess to resources is subject to a constant cycle of scanning for threats, evaluating trust, and obtaining access. Continuous monitoring with possible reauthentication and reauthorization occurs throughout a user transaction and happens as close to the application as possible.\u003c/p\u003e\u003cp\u003eISSOs should work with the team to determine reasonable user login timeouts based on ARS 5.1 requirements and customer experience.\u0026nbsp; This includes APIs as well as web applications.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAgencies should maintain an ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.\u0026nbsp; This includes continuous visibility into the actions of users, applications, and devices through a centralized log data collection. CMS does this in part through the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics \u0026amp; Mitigation (CDM) program run by ISPG\u003c/a\u003e. CMS uses asset inventories and vulnerability management scanning to keep tabs on both resources that employees use (e.g. laptops) and the applications and infrastructure they use.\u0026nbsp;\u003c/p\u003e\u003cp\u003eADOs can contribute by participating in the CDM program as it becomes available for their infrastructure. 
ADOs also need to understand the state of their infrastructure, as well as provide those logs and context to central security teams (follow the guidelines in ARS 5.0).\u0026nbsp; Strive to know \"who did what when\" about both your developers and your users.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"13a:T1aef,"])</script><script>self.__next_f.push([1,"\u003cp\u003eAs part of their white paper on \u003ca href=\"https://www.nist.gov/publications/zero-trust-architecture\"\u003eZero Trust SP-800-207\u003c/a\u003e, NIST identified Seven Tenets that form the foundation of Zero Trust. The Zero Trust Workgroup at CMS has applied these tenets to CMS IT. CMS has many initiatives that support Zero Trust architecture, so engaging with those early can set your project up for a more mature Zero Trust architecture in the future and increase security now.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e1. All data sources and computing services are considered resources\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll data sources and computing services that process CMS data are considered resources and should have defined controls and zero trust solutions governing access to them. Data sources include data repositories, file shares, and databases, while computing services include servers, EC2 instances, containers, and AWS lambda functions.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e2. 
All communication is secured regardless of network location\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTraffic flowing between resources must be secured with appropriate encryption and authentication mechanisms as close to the originating resource as possible -- whether both resources are in the same network or the data has to transit to another network.\u0026nbsp; Encryption is not only for privacy but also for protection against modification in transit.\u003c/p\u003e\u003cp\u003eThe OIT memo \u003cstrong\u003eCMS Strategy for Encrypting Sensitive Information\u003c/strong\u003e mandates that CMS encrypt sensitive information at rest and in transit on all CMS Systems that store, process, or transmit such information, especially High Value Assets (HVA), Mission Essential Functions, and Sensitive PII systems.\u0026nbsp; The \u003ca href=\"https://security.cms.gov/learn/cms-enterprise-data-encryption-cede\"\u003eCMS Enterprise Data Encryption Initiative\u003c/a\u003e has been working on helping ISSOs get their data encrypted since 2021.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e3. 
Access to individual enterprise resources is granted on a per\u003c/strong\u003e-\u003cstrong\u003esession basis\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTrust in the user or developer is evaluated before the access is granted to a specific resource (e.g., authentication), and access should also be granted with the least privileges needed to complete the task (e.g., authorization).\u0026nbsp; Authenticated sessions should be time-bound, with a session lasting less than 24 hours.\u0026nbsp; The length of a session can vary based on the sensitivity of the data as long as it is finite.\u0026nbsp; Additionally, authentication and authorization to one resource should not automatically grant access to a different resource.\u003c/p\u003e\u003cp\u003eUse existing identity management systems \u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=15641880\"\u003esuch as IDM\u003c/a\u003e to the greatest extent possible to perform authentication and authorization -- avoid creating new ones.\u0026nbsp; There are systems available for developers and users alike.\u0026nbsp;\u0026nbsp; Developers should be granted the least amount of privileges to the resource as possible; \u003ca href=\"https://cloud.cms.gov/how-to-use-cloudtamer-cms-gov\"\u003eCloudTamer\u003c/a\u003e, now called Kion, for CMSCloud is a great way to do that.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e4. 
Access to resources is determined by dynamic policy\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eMature Zero Trust architectures strive to have access policies that take input from external systems, such as the asset the user is using or the user's location, to determine the current access level for the user.\u0026nbsp; For example, some government systems cannot be accessed outside the United States.\u0026nbsp; This is often referred to as risk-based or attribute-based authentication.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhile attribute-based authentication is the goal of Zero Trust, the technology is still fairly new.\u0026nbsp; In the future, the Zero Trust Workgroup plans to provide a way for ADOs to do attribute-based authentication, but this is likely a ways off for widespread use.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe enterprise does not inherently trust any asset, whether CMS owns the asset or not.\u0026nbsp; CMS monitors the security posture of every asset, and uses that information when that asset requests access to resources. CMS already employs a dynamic policy for Government Furnished Laptops attempting to access CMSNet. Devices must have a device certificate, certain security software, and the current security patches installed before they may join the network, and devices that do not meet these requirements are sent to a different network for remediation.\u003c/p\u003e\u003cp\u003eVirtual Machines (VMs) and containers are also assets and should be treated in similar ways. These operating systems must be patched and vulnerability scanned just like physical servers -- VMs and containers with known vulnerabilities should not be deployed to production. CMSCloud offers a Gold Image for AWS and MAG to help ADOs deploy VMs with the latest patches. 
ISSOs are encouraged to have ADOs take advantage of these options and existing vulnerability scanning tools.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAccess to resources is subject to a constant cycle of scanning for threats, evaluating trust, and obtaining access. Continuous monitoring with possible reauthentication and reauthorization occurs throughout a user transaction and happens as close to the application as possible.\u003c/p\u003e\u003cp\u003eISSOs should work with the team to determine reasonable user login timeouts based on ARS 5.1 requirements and customer experience.\u0026nbsp; This includes APIs as well as web applications.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003e7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAgencies should maintain an ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.\u0026nbsp; This includes continuous visibility into the actions of users, applications, and devices through a centralized log data collection. CMS does this in part through the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics \u0026amp; Mitigation (CDM) program run by ISPG\u003c/a\u003e. CMS uses asset inventories and vulnerability management scanning to keep tabs on both resources that employees use (e.g. laptops) and the applications and infrastructure they use.\u0026nbsp;\u003c/p\u003e\u003cp\u003eADOs can contribute by participating in the CDM program as it becomes available for their infrastructure. 
ADOs also need to understand the state of their infrastructure, as well as provide those logs and context to central security teams (follow the guidelines in ARS 5.0).\u0026nbsp; Strive to know \"who did what when\" about both your developers and your users.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"138:{\"value\":\"$139\",\"format\":\"body_text\",\"processed\":\"$13a\",\"summary\":\"\"}\n13b:{\"value\":\"A guide to help ADO and ISSOs understand and implement Zero Trust practices \",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA guide to help ADO and ISSOs understand and implement Zero Trust practices\u003c/p\u003e\\n\"}\n136:{\"drupal_internal__nid\":1132,\"drupal_internal__vid\":6201,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-22T16:15:40+00:00\",\"status\":true,\"title\":\"The 7 Tenets of Zero Trust for ISSOs and ADOs\",\"created\":\"2023-07-11T16:11:23+00:00\",\"changed\":\"2025-01-22T16:15:40+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$137\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$138\",\"field_short_description\":\"$13b\",\"field_video_link\":null}\n13f:{\"drupal_internal__target_id\":\"blog\"}\n13e:{\"type\":\"node_type--node_type\",\"id\":\"f382c03e-0cc5-4892-aa46-653a2d90fc05\",\"meta\":\"$13f\"}\n141:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/node_type?resourceVersion=id%3A6201\"}\n142:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/node_type?resourceVersion=id%3A6201\"}\n140:{\"related\":\"$141\",\"self\":\"$142\"}\n13d:{\"data\":\"$13e\",\"links\":\"$140\"}\n145:{\"drupal_internal__target_id\":6}\n144:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$14
5\"}\n147:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/revision_uid?resourceVersion=id%3A6201\"}\n148:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/revision_uid?resourceVersion=id%3A6201\"}\n146:{\"related\":\"$147\",\"self\":\"$148\"}\n143:{\"data\":\"$144\",\"links\":\"$146\"}\n14b:{\"drupal_internal__target_id\":26}\n14a:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$14b\"}\n14d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/"])</script><script>self.__next_f.push([1,"aca45222-41ba-4c40-b537-5e106036b9e6/uid?resourceVersion=id%3A6201\"}\n14e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/uid?resourceVersion=id%3A6201\"}\n14c:{\"related\":\"$14d\",\"self\":\"$14e\"}\n149:{\"data\":\"$14a\",\"links\":\"$14c\"}\n151:{\"drupal_internal__target_id\":111}\n150:{\"type\":\"media--blog_cover_image\",\"id\":\"5603c529-811a-424b-9709-b1a339ee6187\",\"meta\":\"$151\"}\n153:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/field_cover_image?resourceVersion=id%3A6201\"}\n154:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/field_cover_image?resourceVersion=id%3A6201\"}\n152:{\"related\":\"$153\",\"self\":\"$154\"}\n14f:{\"data\":\"$150\",\"links\":\"$152\"}\n157:{\"drupal_internal__target_id\":38}\n156:{\"type\":\"group--team\",\"id\":\"c70bb12a-8822-49ac-b8f6-9e96e3e73389\",\"meta\":\"$157\"}\n159:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/field_publisher_group?resourceVersion=id%3A6201\"}\n15a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/field_publisher_group?resourceVersion=id%3A6201\"}\n158:{\"related\":\"$159\",\"self\":\"$15a\"}\n155:{\"data\":\"$156
\",\"links\":\"$158\"}\n15d:{\"drupal_internal__target_id\":106}\n15c:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"cccd136f-b478-40f0-8ff8-fd73f75f4ab0\",\"meta\":\"$15d\"}\n15f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/field_resource_type?resourceVersion=id%3A6201\"}\n160:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/field_resource_type?resourceVersion=id%3A6201\"}\n15e:{\"related\":\"$15f\",\"self\":\"$160\"}\n15b:{\"data\":\"$15c\",\"links\":\"$15e\"}\n164:{\"drupal_internal__target_id\":66}\n163:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$164\"}\n166:{\"drupal_internal__target_id\":81}\n165:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\""])</script><script>self.__next_f.push([1,"$166\"}\n168:{\"drupal_internal__target_id\":61}\n167:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$168\"}\n16a:{\"drupal_internal__target_id\":76}\n169:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$16a\"}\n162:[\"$163\",\"$165\",\"$167\",\"$169\"]\n16c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/field_roles?resourceVersion=id%3A6201\"}\n16d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/field_roles?resourceVersion=id%3A6201\"}\n16b:{\"related\":\"$16c\",\"self\":\"$16d\"}\n161:{\"data\":\"$162\",\"links\":\"$16b\"}\n171:{\"drupal_internal__target_id\":16}\n170:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$171\"}\n173:{\"drupal_internal__target_id\":21}\n172:{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":\"$173\"}\n16f:[\"$170\",\"$172\"]\n175:{\"href\":\"https://cybergeek.cms.
gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/field_topics?resourceVersion=id%3A6201\"}\n176:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/field_topics?resourceVersion=id%3A6201\"}\n174:{\"related\":\"$175\",\"self\":\"$176\"}\n16e:{\"data\":\"$16f\",\"links\":\"$174\"}\n13c:{\"node_type\":\"$13d\",\"revision_uid\":\"$143\",\"uid\":\"$149\",\"field_cover_image\":\"$14f\",\"field_publisher_group\":\"$155\",\"field_resource_type\":\"$15b\",\"field_roles\":\"$161\",\"field_topics\":\"$16e\"}\n133:{\"type\":\"node--blog\",\"id\":\"aca45222-41ba-4c40-b537-5e106036b9e6\",\"links\":\"$134\",\"attributes\":\"$136\",\"relationships\":\"$13c\"}\n179:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd?resourceVersion=id%3A5839\"}\n178:{\"self\":\"$179\"}\n17b:{\"alias\":\"/posts/cryptographic-agility-zeitgeist\",\"pid\":1165,\"langcode\":\"en\"}\n17d:T1331,"])</script><script>self.__next_f.push([1,"\u003cp\u003eCryptographic agility, also called cryptoagility, is the ability for a system to quickly and easily change parts of their encryption mechanism(s).\u0026nbsp; This encompasses changing encryption keys, key lengths, encryption algorithms used, and even changing the libraries used to perform the encryption. \u0026nbsp;\u003c/p\u003e\u003cp\u003eZero Trust architectures feature encryption of data in transit and data at rest heavily, and systems with high Zero Trust maturity feature lots of automation, so it makes sense that cryptoagility would be part of a mature architecture. \u0026nbsp;The CMS Zero Trust Team will put out a couple articles on cryptoagility over the next few months.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhy this?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThere are many reasons to strive for cryptoagility. 
\u0026nbsp;As computers can do more calculations in less time, we need to occasionally change encryption algorithms or key lengths so that brute-forcing the keys takes longer.\u0026nbsp; Beyond that, there are internal factors, such as making it easier to recover from incidents, and external ones, such as requirements for FISMA systems. \u0026nbsp;It is a design principle that has been around for a while even if we haven’t been using that phrase.\u0026nbsp; Systems have long needed the ability to change encryption keys and update the algorithms used, and good architectures facilitate these actions happening efficiently.\u0026nbsp;\u003ca href=\"https://techcrunch.com/2023/09/08/microsoft-hacker-china-government-storm-0558/\"\u003eEncryption keys can get compromised\u003c/a\u003e, key lengths may need to be increased, and bugs can be found in encryption libraries.\u003c/p\u003e\u003cp\u003eOne of the most famous bugs in an encryption library surfaced in the widely used OpenSSL library in 2014 and was called “\u003ca href=\"https://en.wikipedia.org/wiki/Heartbleed\"\u003eHeartbleed\u003c/a\u003e” because the heartbeat function in TLS could be exploited to leak information from memory.\u0026nbsp; An update for OpenSSL was released quickly, but it required many websites to either recompile the programs that used OpenSSL or restart their servers.\u0026nbsp;Additionally, there was a possibility that private keys for SSL certificates were leaked, so certificates also had to be regenerated with new key pairs.\u0026nbsp; A month after the announcement, \u003ca href=\"https://www.netcraft.com/blog/keys-left-unchanged-in-many-heartbleed-replacement-certificates/\"\u003eover 50% of impacted systems had not issued new SSL certificates\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eNOTE: There can be tension around remediating a vulnerability in a product that has undergone a process like FIPS 140 validation. 
\u0026nbsp;How do we do this quickly while preserving the previous \"approval\"? \u0026nbsp;Hopefully cryptoagility can help us with this in time.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhy now?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eOver the last couple of years there have been Federal directives and CISA guidance that touch on cryptoagility, so it makes sense to explain cryptographic agility and what it involves.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eCryptoagility supports OMB M-23-02 “\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf\"\u003eMigrating to Post-Quantum Cryptography\u003c/a\u003e”.\u0026nbsp; Quantum computing may reach a stage where it can easily brute force some key lengths of modern cryptographic algorithms, so systems need the ability to change those algorithms easily. The agility needed to respond to possible quantum computing attacks on current cryptography will revolve around knowing where encryption that is not quantum-proof is located and then replacing it.\u0026nbsp; Though an actual quantum computing attack is likely in the distant future, agencies can begin identifying the use of weaker algorithms, key lengths, or libraries now to allow themselves to make the changes at a leisurely pace instead of in an emergency.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe release of the \u003ca href=\"https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model\"\u003eCISA Zero Trust Maturity Model v2\u003c/a\u003e added references to “cryptographic agility” to the Advanced and Optimal levels of the Traffic Encryption and Data Encryption functions.\u0026nbsp; CMS included these updates in the \u003ca href=\"https://cloud.cms.gov/zero-trust-maturity-for-aws-on-cms-cloud\"\u003eAWS for CMS Cloud\u003c/a\u003e and \u003ca href=\"https://cloud.cms.gov/zero-trust-maturity-for-mag-on-cms-cloud\"\u003eMicrosoft Azure for Government for CMS 
Cloud\u003c/a\u003e maturity frameworks (Sorry, these are CMS internal references).\u0026nbsp;\u003c/p\u003e\u003cp\u003eLastly, maintaining records of where different algorithms and implementations are used is a key part of software supply chain management, introduced to Federal Agencies in \u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf\"\u003eOMB M-22-18\u003c/a\u003e.\u0026nbsp;This way when another Heartbleed is found we can more easily identify where we need to patch.\u003c/p\u003e\u003cp\u003eCheck back next month for a \u003ca href=\"https://security.cms.gov/posts/three-elements-cryptographic-agility\"\u003esecond installment on cryptoagility\u003c/a\u003e!\u003c/p\u003e"])</script><script>self.__next_f.push([1,"17e:T1331,"])</script><script>self.__next_f.push([1,"\u003cp\u003eCryptographic agility, also called cryptoagility, is the ability for a system to quickly and easily change parts of their encryption mechanism(s).\u0026nbsp; This encompasses changing encryption keys, key lengths, encryption algorithms used, and even changing the libraries used to perform the encryption. \u0026nbsp;\u003c/p\u003e\u003cp\u003eZero Trust architectures feature encryption of data in transit and data at rest heavily, and systems with high Zero Trust maturity feature lots of automation, so it makes sense that cryptoagility would be part of a mature architecture. \u0026nbsp;The CMS Zero Trust Team will put out a couple articles on cryptoagility over the next few months.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhy this?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThere are many reasons to strive for cryptoagility. 
\u0026nbsp;As computers can do more calculations in less time, we need to occasionally change encryption algorithms or key lengths so that brute-forcing the keys takes longer.\u0026nbsp; Beyond that, there are internal factors, such as making it easier to recover from incidents, and external ones, such as requirements for FISMA systems. \u0026nbsp;It is a design principle that has been around for a while even if we haven’t been using that phrase.\u0026nbsp; Systems have long needed the ability to change encryption keys and update the algorithms used, and good architectures facilitate these actions happening efficiently.\u0026nbsp;\u003ca href=\"https://techcrunch.com/2023/09/08/microsoft-hacker-china-government-storm-0558/\"\u003eEncryption keys can get compromised\u003c/a\u003e, key lengths may need to be increased, and bugs can be found in encryption libraries.\u003c/p\u003e\u003cp\u003eOne of the most famous bugs in an encryption library surfaced in the widely used OpenSSL library in 2014 and was called “\u003ca href=\"https://en.wikipedia.org/wiki/Heartbleed\"\u003eHeartbleed\u003c/a\u003e” because the heartbeat function in TLS could be exploited to leak information from memory.\u0026nbsp; An update for OpenSSL was released quickly, but it required many websites to either recompile the programs that used OpenSSL or restart their servers.\u0026nbsp;Additionally, there was a possibility that private keys for SSL certificates were leaked, so certificates also had to be regenerated with new key pairs.\u0026nbsp; A month after the announcement, \u003ca href=\"https://www.netcraft.com/blog/keys-left-unchanged-in-many-heartbleed-replacement-certificates/\"\u003eover 50% of impacted systems had not issued new SSL certificates\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eNOTE: There can be tension around remediating a vulnerability in a product that has undergone a process like FIPS 140 validation. 
\u0026nbsp;How do we do this quickly while preserving the previous \"approval\"? \u0026nbsp;Hopefully cryptoagility can help us with this in time.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhy now?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eOver the last couple of years there have been Federal directives and CISA guidance that touch on cryptoagility, so it makes sense to explain cryptographic agility and what it involves.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eCryptoagility supports OMB M-23-02 “\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf\"\u003eMigrating to Post-Quantum Cryptography\u003c/a\u003e”.\u0026nbsp; Quantum computing may reach a stage where it can easily brute force some key lengths of modern cryptographic algorithms, so systems need the ability to change those algorithms easily. The agility needed to respond to possible quantum computing attacks on current cryptography will revolve around knowing where encryption that is not quantum-proof is located and then replacing it.\u0026nbsp; Though an actual quantum computing attack is likely in the distant future, agencies can begin identifying the use of weaker algorithms, key lengths, or libraries now to allow themselves to make the changes at a leisurely pace instead of in an emergency.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe release of the \u003ca href=\"https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model\"\u003eCISA Zero Trust Maturity Model v2\u003c/a\u003e added references to “cryptographic agility” to the Advanced and Optimal levels of the Traffic Encryption and Data Encryption functions.\u0026nbsp; CMS included these updates in the \u003ca href=\"https://cloud.cms.gov/zero-trust-maturity-for-aws-on-cms-cloud\"\u003eAWS for CMS Cloud\u003c/a\u003e and \u003ca href=\"https://cloud.cms.gov/zero-trust-maturity-for-mag-on-cms-cloud\"\u003eMicrosoft Azure for Government for CMS 
Cloud\u003c/a\u003e maturity frameworks (Sorry, these are CMS internal references).\u0026nbsp;\u003c/p\u003e\u003cp\u003eLastly, maintaining records of where different algorithms and implementations are used is a key part of software supply chain management, introduced to Federal Agencies in \u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf\"\u003eOMB M-22-18\u003c/a\u003e.\u0026nbsp;This way when another Heartbleed is found we can more easily identify where we need to patch.\u003c/p\u003e\u003cp\u003eCheck back next month for a \u003ca href=\"https://security.cms.gov/posts/three-elements-cryptographic-agility\"\u003esecond installment on cryptoagility\u003c/a\u003e!\u003c/p\u003e"])</script><script>self.__next_f.push([1,"17c:{\"value\":\"$17d\",\"format\":\"body_text\",\"processed\":\"$17e\",\"summary\":\"\"}\n17f:{\"value\":\"Cryptographic agility has become a topic for Federal security teams to address. This post helps explain what it is and why we are talking about it now.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCryptographic agility has become a topic for Federal security teams to address. 
This post helps explain what it is and why we are talking about it now.\u003c/p\u003e\\n\"}\n17a:{\"drupal_internal__nid\":1169,\"drupal_internal__vid\":5839,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-06T16:39:00+00:00\",\"status\":true,\"title\":\"Cryptographic agility in the zeitgeist\",\"created\":\"2024-01-26T23:36:41+00:00\",\"changed\":\"2024-08-06T16:39:00+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$17b\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$17c\",\"field_short_description\":\"$17f\",\"field_video_link\":null}\n183:{\"drupal_internal__target_id\":\"blog\"}\n182:{\"type\":\"node_type--node_type\",\"id\":\"f382c03e-0cc5-4892-aa46-653a2d90fc05\",\"meta\":\"$183\"}\n185:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/node_type?resourceVersion=id%3A5839\"}\n186:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/relationships/node_type?resourceVersion=id%3A5839\"}\n184:{\"related\":\"$185\",\"self\":\"$186\"}\n181:{\"data\":\"$182\",\"links\":\"$184\"}\n189:{\"drupal_internal__target_id\":94}\n188:{\"type\":\"user--user\",\"id\":\"c34b79d4-f936-45dd-968f-7efc22d4370b\",\"meta\":\"$189\"}\n18b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/revision_uid?resourceVersion=id%3A5839\"}\n18c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/relationships/revision_uid?resourceVersion=id%3A5839\"}\n18a:{\"related\":\"$18b\",\"self\":\"$18c\"}\n187:{\"data\":\"$188\",\"links\":\"$18a\"}\n18f:{\"drupal_internal__target_id\":"])</script><script>self.__next_f.push([1,"138}\n18e:{\"type\":\"user--user\",\"id\":\"bebd6b4a-b250-4060-a68d-15e540df32b8\",\"meta\":\"$18f
\"}\n191:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/uid?resourceVersion=id%3A5839\"}\n192:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/relationships/uid?resourceVersion=id%3A5839\"}\n190:{\"related\":\"$191\",\"self\":\"$192\"}\n18d:{\"data\":\"$18e\",\"links\":\"$190\"}\n195:{\"drupal_internal__target_id\":81}\n194:{\"type\":\"media--blog_cover_image\",\"id\":\"d946f427-2467-4a4f-af13-c0d61e5d898e\",\"meta\":\"$195\"}\n197:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/field_cover_image?resourceVersion=id%3A5839\"}\n198:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/relationships/field_cover_image?resourceVersion=id%3A5839\"}\n196:{\"related\":\"$197\",\"self\":\"$198\"}\n193:{\"data\":\"$194\",\"links\":\"$196\"}\n19b:{\"drupal_internal__target_id\":38}\n19a:{\"type\":\"group--team\",\"id\":\"c70bb12a-8822-49ac-b8f6-9e96e3e73389\",\"meta\":\"$19b\"}\n19d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/field_publisher_group?resourceVersion=id%3A5839\"}\n19e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/relationships/field_publisher_group?resourceVersion=id%3A5839\"}\n19c:{\"related\":\"$19d\",\"self\":\"$19e\"}\n199:{\"data\":\"$19a\",\"links\":\"$19c\"}\n1a1:{\"drupal_internal__target_id\":106}\n1a0:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"cccd136f-b478-40f0-8ff8-fd73f75f4ab0\",\"meta\":\"$1a1\"}\n1a3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/field_resource_type?resourceVersion=id%3A5839\"}\n1a4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/relationships/field_resource_type?resourceVersion=id%3A5839\"}\n1a2:{\"related\":\"$1a3\",\"self\":\"$1a4\"}\n19f:{\"data\":\"$1a0\",\"links\"
:\"$1a2\"}\n1a8:{\"drupal_internal__target_id\":61}\n1a7:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e"])</script><script>self.__next_f.push([1,"5ab\",\"meta\":\"$1a8\"}\n1aa:{\"drupal_internal__target_id\":71}\n1a9:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$1aa\"}\n1a6:[\"$1a7\",\"$1a9\"]\n1ac:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/field_roles?resourceVersion=id%3A5839\"}\n1ad:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/relationships/field_roles?resourceVersion=id%3A5839\"}\n1ab:{\"related\":\"$1ac\",\"self\":\"$1ad\"}\n1a5:{\"data\":\"$1a6\",\"links\":\"$1ab\"}\n1b1:{\"drupal_internal__target_id\":41}\n1b0:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":\"$1b1\"}\n1af:[\"$1b0\"]\n1b3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/field_topics?resourceVersion=id%3A5839\"}\n1b4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/relationships/field_topics?resourceVersion=id%3A5839\"}\n1b2:{\"related\":\"$1b3\",\"self\":\"$1b4\"}\n1ae:{\"data\":\"$1af\",\"links\":\"$1b2\"}\n180:{\"node_type\":\"$181\",\"revision_uid\":\"$187\",\"uid\":\"$18d\",\"field_cover_image\":\"$193\",\"field_publisher_group\":\"$199\",\"field_resource_type\":\"$19f\",\"field_roles\":\"$1a5\",\"field_topics\":\"$1ae\"}\n177:{\"type\":\"node--blog\",\"id\":\"bf73d479-26b2-42c1-ad91-4443f37c5ebd\",\"links\":\"$178\",\"attributes\":\"$17a\",\"relationships\":\"$180\"}\n1b7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917?resourceVersion=id%3A5838\"}\n1b6:{\"self\":\"$1b7\"}\n1b9:{\"alias\":\"/posts/three-elements-cryptographic-agility\",\"pid\":1187,\"langcode\":\"en\"}\n1bb:T280e,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat
 is cryptographic agility?\u003c/h2\u003e\u003cp\u003eCryptographic agility, also called cryptoagility, is the ability for a system to quickly and easily change parts of their encryption mechanism(s). This encompasses changing encryption keys, key lengths, encryption algorithms used, and even changing the libraries used to perform the encryption. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThere is not currently an official cryptoagility standard for Federal Agencies, but research into it and \u003ca href=\"https://www.dhs.gov/sites/default/files/2022-05/22_0512_plcy_2966-01_cryptographic-agility-infographic.pdf\"\u003eresources from the Cybersecurity and Infrastructure Security Agency\u003c/a\u003e (CISA) led the ISPG Zero Trust team to identify three elements of a Cryptographically Agile system: \u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eUse modern cryptography. \u0026nbsp;\u003c/li\u003e\u003cli\u003eMaintain an accurate cryptographic inventory. \u0026nbsp;\u003c/li\u003e\u003cli\u003eEngineer in the ability to make encryption changes quickly and efficiently. \u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis document sets out further definitions of cryptographic agility for CMS Federal Information Security Modernization Act (FISMA) Systems to strive for. \u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eUse modern cryptography\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003eFISMA Systems should use modern cryptographic algorithms, robust key lengths, and well-tested implementations of said algorithms. The National Institute of Standards and Technology (NIST) has written much on the topic, but a good rule of thumb is to stick with implementations that are FIPS 140-2 validated (see note below). Tools that are FedRAMP approved will be FIPS 140-2 validated. 
\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt3r1.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eNIST Special Publication 800-57 Part 3\u003c/a\u003e has detailed information about preferred cryptographic algorithms and key lengths. They can be summarized as: \u0026nbsp;\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eKey Type\u003c/strong\u003e \u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eAlgorithms and \u003c/strong\u003e \u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMinimum Key Sizes\u003c/strong\u003e \u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePublic Key Infrastructure (PKI). \u0026nbsp;\u003c/td\u003e\u003ctd\u003eDigital Signature keys used for authentication (for Users or Devices) \u0026nbsp;\u003c/td\u003e\u003ctd\u003eRSA (2048 bits). ECDSA (Curve P-256) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eDigital Signature keys used for non-repudiation (for Users or Devices) \u0026nbsp;\u003c/td\u003e\u003ctd\u003eRSA (2048 bits) ECDSA (Curves P-256 or P-384) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eKey Establishment keys (for Users or Devices) \u0026nbsp;\u003c/td\u003e\u003ctd\u003eRSA (2048 bits) Diffie-Hellman (2048 bits) ECDH (Curves P-256 or P-384) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEncryption for Data at Rest \u0026nbsp;\u003c/td\u003e\u003ctd\u003eSymmetric key \u0026nbsp;\u003c/td\u003e\u003ctd\u003eAES (128 bits) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHashing and Message Digests \u0026nbsp;\u003c/td\u003e\u003ctd\u003eOne-Way Hash, unkeyed \u0026nbsp;\u003c/td\u003e\u003ctd\u003eSHA-256 
\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eWebsites and other internet services that operate over TCP/IP shall use Transport Layer Security (TLS) version 1.3 to encrypt the network traffic. TLS 1.3 is based on PKI, and the above algorithms and key lengths are also recommended. If a system has devices that cannot use TLS 1.3, the connection may fall back to TLS 1.2. \u003ca href=\"https://www.cms.gov/files/document/hhsencryption-policy.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eTLS 1.0 and 1.1 shall not be used\u003c/a\u003e as per the HHS Policy for Encryption of Computing Devices and Information in Section 6.23. \u0026nbsp;\u003c/p\u003e\u003cp\u003eIn the event that your software needs to directly perform cryptographic operations, here at CMS we prefer that you do not implement your own cryptographic algorithms and instead use a well-established library that is FIPS 140-2 validated, such as OpenSSL. Wikipedia has a chart \u003ca href=\"https://en.wikipedia.org/wiki/Comparison_of_cryptography_libraries\" target=\"_blank\" rel=\"noreferrer noopener\"\u003ecomparing different cryptography libraries\u003c/a\u003e that includes their FIPS 140 status. \u0026nbsp;\u003c/p\u003e\u003cp\u003eA Note on FIPS 140: A new version of FIPS 140 has been released, version 3, and systems will be required to use only FIPS 140-3 compliant tools starting in September 2026. 
As of December 2023, there are \u003ca href=\"https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Advanced\u0026amp;Standard=140-3\u0026amp;CertificateStatus=Active\u0026amp;ValidationYear=0\" target=\"_blank\" rel=\"noreferrer noopener\"\u003efew validated FIPS 140-3 implementations,\u003c/a\u003e but many popular services and hardware are \u003ca href=\"https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eundergoing evaluations.\u003c/a\u003e If selecting a new product, it would be wise to choose one that is undergoing evaluation. \u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eMaintain an accurate cryptographic inventory\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003eTo know what to fix, we need to know what cryptographic algorithms we are using in our various systems. This will include data in transit, data at rest, and (as the technology becomes more accessible) data in use. \u0026nbsp;\u003c/p\u003e\u003cp\u003eWhile having an accurate inventory is important, it is not expected that CMS FISMA Systems will have a unified, automated solution that contains all the different encryptions just yet. Teams may need to look in different places to collect all this information. The Zero Trust program in ISPG is researching an automated solution that would be suitable for CMS. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThe inventory will need to include where the encryption is being used (in transit, at rest, or in use), what algorithm is used, what key length is used, and (where available) what library or tool is providing the encryption. It is also desirable to be able to explain why a particular setup is used or note any exceptions. 
\u0026nbsp;\u003c/p\u003e\u003cp\u003eInfrastructure as a Service (IaaS) providers often have a key management service for storing keys used for encrypting data at rest, and they often have a service for storing TLS certificates, but they are likely not the same service. For example, AWS provides the \u003ca href=\"https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eKey Management System\u003c/a\u003e for general key management, and the \u003ca href=\"https://aws.amazon.com/certificate-manager/\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eAWS Certificate Manager\u003c/a\u003e is available for your TLS certificates.\u0026nbsp;\u003c/p\u003e\u003cp lang=\"EN-US\"\u003eThe Office of Management and Budget (OMB) requires agencies to report on their cryptographic inventories \u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf\"\u003eunder M-23-02\u003c/a\u003e, though they are slowly rolling out which systems are included in their reports. The Zero Trust Program will reach out to the ISSOs of FISMA systems required to submit for 2024.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eEngineer in the ability to make encryption changes quickly and efficiently\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://www.dictionary.com/browse/agility\"\u003eAgility\u003c/a\u003e in general is “the power of moving quickly and easily,” so cryptoagility is the ability to move quickly and easily around all things encryption. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/policy-guidance/cms-key-management-handbook#key-management-lifecycle-best-practices\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eKey Management Handbook from ISPG\u003c/a\u003e recommends that systems rotate encryption keys once per year (see the “Key Rotation” section). 
\u0026nbsp;Teams should have a documented process, whether the process is manual or automated. This includes both TLS certificates and database (or other storage) encryption keys. \u0026nbsp;\u003c/p\u003e\u003cp\u003eIdeally, a team should be able to rotate keys and certificates in minutes not hours so that if a key compromise happens response time is low. \u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen using libraries to implement encryption functions in software, the software should be architected in a way to allow for the library to be updated without having to change the code (assuming that the new version of the library is backwards compatible). Where possible, key length should not be hard coded, and instead provided via a configuration file. Use of specific algorithms should be abstracted in such a way that if the team wanted to use a different algorithm or different library for the same algorithm the code can be changed in one place and used everywhere. \u0026nbsp;\u003c/p\u003e\u003cp\u003eIn “\u003ca href=\"https://security.cms.gov/posts/cryptographic-agility-zeitgeist\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eCryptoAgility in the Zeitgeist\u003c/a\u003e”, we talked about the 2014 Heartbleed exploit for OpenSSL. While a patch was available quickly for OpenSSL, it took months for most systems to be updated. As we seek to balance security and process, we need to contemplate the speed at which we want to mitigate and remediate such exploits. 
\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen designing software and development processes, consider these guidelines for how long it should take for a system to make these changes: \u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eMinutes to update and rotate a key \u0026nbsp;\u003c/li\u003e\u003cli\u003eMinutes to update a library to a new version \u0026nbsp;\u003c/li\u003e\u003cli\u003eHours to change key lengths \u0026nbsp;\u003c/li\u003e\u003cli\u003eLess than 1 sprint to change the algorithm or library \u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eConclusion\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003eCryptoAgility is an integral part not just of Zero Trust, but a mature software development process. By factoring the three main elements of CryptoAgility into processes early, we can improve our ability to respond to cryptographic issues early. It may take time to add CryptoAgility into existing systems, but the Zero Trust team is here to support teams. We will be releasing specific guidance on implementation for different environments, such as AWS, via the internal CMS Cloud documentation in the coming months. \u0026nbsp;\u003c/p\u003e\u003cp\u003eIn the meantime, think about how the three elements apply to your systems: \u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eUse modern cryptography.\u0026nbsp;\u003c/li\u003e\u003cli\u003eMaintain an accurate cryptographic inventory. \u0026nbsp;\u003c/li\u003e\u003cli\u003eEngineer in the ability to make encryption changes quickly and efficiently. \u0026nbsp;\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1bc:T280e,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is cryptographic agility?\u003c/h2\u003e\u003cp\u003eCryptographic agility, also called cryptoagility, is the ability for a system to quickly and easily change parts of their encryption mechanism(s). 
This encompasses changing encryption keys, key lengths, encryption algorithms used, and even changing the libraries used to perform the encryption. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThere is not currently an official cryptoagility standard for Federal Agencies, but research into it and \u003ca href=\"https://www.dhs.gov/sites/default/files/2022-05/22_0512_plcy_2966-01_cryptographic-agility-infographic.pdf\"\u003eresources from the Cybersecurity and Infrastructure Security Agency\u003c/a\u003e (CISA) led the ISPG Zero Trust team to identify three elements of a Cryptographically Agile system: \u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eUse modern cryptography. \u0026nbsp;\u003c/li\u003e\u003cli\u003eMaintain an accurate cryptographic inventory. \u0026nbsp;\u003c/li\u003e\u003cli\u003eEngineer in the ability to make encryption changes quickly and efficiently. \u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis document sets out further definitions of cryptographic agility for CMS Federal Information Security Modernization Act (FISMA) Systems to strive for. \u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eUse modern cryptography\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003eFISMA Systems should use modern cryptographic algorithms, robust key lengths, and well-tested implementations of said algorithms. The National Institute of Standards and Technology (NIST) has written much on the topic, but a good rule of thumb is to stick with implementations that are FIPS 140-2 validated (see note below). Tools that are FedRAMP approved will be FIPS 140-2 validated. \u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt3r1.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eNIST Special Publication 800-57 Part 3\u003c/a\u003e has detailed information about preferred cryptographic algorithms and key lengths. 
They can be summarized as: \u0026nbsp;\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eKey Type\u003c/strong\u003e \u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eAlgorithms and \u003c/strong\u003e \u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMinimum Key Sizes\u003c/strong\u003e \u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePublic Key Infrastructure (PKI). \u0026nbsp;\u003c/td\u003e\u003ctd\u003eDigital Signature keys used for authentication (for Users or Devices) \u0026nbsp;\u003c/td\u003e\u003ctd\u003eRSA (2048 bits). ECDSA (Curve P-256) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eDigital Signature keys used for non-repudiation (for Users or Devices) \u0026nbsp;\u003c/td\u003e\u003ctd\u003eRSA (2048 bits) ECDSA (Curves P-256 or P-384) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eKey Establishment keys (for Users or Devices) \u0026nbsp;\u003c/td\u003e\u003ctd\u003eRSA (2048 bits) Diffie-Hellman (2048 bits) ECDH (Curves P-256 or P-384) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEncryption for Data at Rest \u0026nbsp;\u003c/td\u003e\u003ctd\u003eSymmetric key \u0026nbsp;\u003c/td\u003e\u003ctd\u003eAES (128 bits) \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHashing and Message Digests \u0026nbsp;\u003c/td\u003e\u003ctd\u003eOne-Way Hash, unkeyed \u0026nbsp;\u003c/td\u003e\u003ctd\u003eSHA-256 \u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eWebsites and other internet services that operate over TCP/IP shall use Transport Layer Security (TLS) version 1.3 to encrypt the network traffic. TLS 1.3 is based on PKI, and the above algorithms and key lengths are also recommended. 
If a system has devices that cannot use TLS 1.3, the connection may fall back to TLS 1.2. \u003ca href=\"https://www.cms.gov/files/document/hhsencryption-policy.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eTLS 1.0 and 1.1 shall not be used\u003c/a\u003e as per the HHS Policy for Encryption of Computing Devices and Information in Section 6.23. \u0026nbsp;\u003c/p\u003e\u003cp\u003eIn the event that your software needs to directly perform cryptographic operations, here at CMS we prefer that you do not implement your own cryptographic algorithms and instead use a well-established library that is FIPS 140-2 validated, such as OpenSSL. Wikipedia has a chart \u003ca href=\"https://en.wikipedia.org/wiki/Comparison_of_cryptography_libraries\" target=\"_blank\" rel=\"noreferrer noopener\"\u003ecomparing different cryptography libraries\u003c/a\u003e that includes their FIPS 140 status. \u0026nbsp;\u003c/p\u003e\u003cp\u003eA Note on FIPS 140: A new version of FIPS 140 has been released, version 3, and systems will be required to use only FIPS 140-3 compliant tools starting in September 2026. As of December 2023, there are \u003ca href=\"https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Advanced\u0026amp;Standard=140-3\u0026amp;CertificateStatus=Active\u0026amp;ValidationYear=0\" target=\"_blank\" rel=\"noreferrer noopener\"\u003efew validated FIPS 140-3 implementations,\u003c/a\u003e but many popular services and hardware are \u003ca href=\"https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eundergoing evaluations.\u003c/a\u003e If selecting a new product, it would be wise to choose one that is undergoing evaluation. 
\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eMaintain an accurate cryptographic inventory\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003eTo know what to fix, we need to know what cryptographic algorithms we are using in our various systems. This will include data in transit, data at rest, and (as the technology becomes more accessible) data in use. \u0026nbsp;\u003c/p\u003e\u003cp\u003eWhile having an accurate inventory is important, it is not expected that CMS FISMA Systems will have a unified, automated solution that contains all the different encryptions just yet. Teams may need to look in different places to collect all this information. The Zero Trust program in ISPG is researching an automated solution that would be suitable for CMS. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThe inventory will need to include where the encryption is being used (in transit, at rest, or in use), what algorithm is used, what key length is used, and (where available) what library or tool is providing the encryption. It is also desirable to be able to explain why a particular setup is used or note any exceptions. \u0026nbsp;\u003c/p\u003e\u003cp\u003eInfrastructure as a Service (IaaS) providers often have a key management service for storing keys used for encrypting data at rest, and they often have a service for storing TLS certificates, but they are likely not the same service. 
For example, AWS provides the \u003ca href=\"https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eKey Management System\u003c/a\u003e for general key management, and the \u003ca href=\"https://aws.amazon.com/certificate-manager/\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eAWS Certificate Manager\u003c/a\u003e is available for your TLS certificates.\u0026nbsp;\u003c/p\u003e\u003cp lang=\"EN-US\"\u003eThe Office of Management and Budget (OMB) requires agencies to report on their cryptographic inventories \u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf\"\u003eunder M-23-02\u003c/a\u003e, though they are slowly rolling out which systems are included in their reports. The Zero Trust Program will reach out to the ISSOs of FISMA systems required to submit for 2024.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eEngineer in the ability to make encryption changes quickly and efficiently\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://www.dictionary.com/browse/agility\"\u003eAgility\u003c/a\u003e in general is “the power of moving quickly and easily,” so cryptoagility is the ability to move quickly and easily around all things encryption. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/policy-guidance/cms-key-management-handbook#key-management-lifecycle-best-practices\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eKey Management Handbook from ISPG\u003c/a\u003e recommends that systems rotate encryption keys once per year (see the “Key Rotation” section). \u0026nbsp;Teams should have a documented process, whether the process is manual or automated. This includes both TLS certificates and database (or other storage) encryption keys. 
\u0026nbsp;\u003c/p\u003e\u003cp\u003eIdeally, a team should be able to rotate keys and certificates in minutes not hours so that if a key compromise happens response time is low. \u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen using libraries to implement encryption functions in software, the software should be architected in a way to allow for the library to be updated without having to change the code (assuming that the new version of the library is backwards compatible). Where possible, key length should not be hard coded, and instead provided via a configuration file. Use of specific algorithms should be abstracted in such a way that if the team wanted to use a different algorithm or different library for the same algorithm the code can be changed in one place and used everywhere. \u0026nbsp;\u003c/p\u003e\u003cp\u003eIn “\u003ca href=\"https://security.cms.gov/posts/cryptographic-agility-zeitgeist\" target=\"_blank\" rel=\"noreferrer noopener\"\u003eCryptoAgility in the Zeitgeist\u003c/a\u003e”, we talked about the 2014 Heartbleed exploit for OpenSSL. While a patch was available quickly for OpenSSL, it took months for most systems to be updated. As we seek to balance security and process, we need to contemplate the speed at which we want to mitigate and remediate such exploits. 
\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen designing software and development processes, consider these guidelines for how long it should take for a system to make these changes: \u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eMinutes to update and rotate a key \u0026nbsp;\u003c/li\u003e\u003cli\u003eMinutes to update a library to a new version \u0026nbsp;\u003c/li\u003e\u003cli\u003eHours to change key lengths \u0026nbsp;\u003c/li\u003e\u003cli\u003eLess than 1 sprint to change the algorithm or library \u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eConclusion\u003c/strong\u003e \u0026nbsp;\u003c/h2\u003e\u003cp\u003eCryptoAgility is an integral part not just of Zero Trust, but a mature software development process. By factoring the three main elements of CryptoAgility into processes early, we can improve our ability to respond to cryptographic issues early. It may take time to add CryptoAgility into existing systems, but the Zero Trust team is here to support teams. We will be releasing specific guidance on implementation for different environments, such as AWS, via the internal CMS Cloud documentation in the coming months. \u0026nbsp;\u003c/p\u003e\u003cp\u003eIn the meantime, think about how the three elements apply to your systems: \u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eUse modern cryptography.\u0026nbsp;\u003c/li\u003e\u003cli\u003eMaintain an accurate cryptographic inventory. \u0026nbsp;\u003c/li\u003e\u003cli\u003eEngineer in the ability to make encryption changes quickly and efficiently. 
\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1ba:{\"value\":\"$1bb\",\"format\":\"body_text\",\"processed\":\"$1bc\",\"summary\":\"\"}\n1bd:{\"value\":\"Cryptographic agility is achieved through modern crypto, accurate inventories, and engineering in the ability to make encryption changes quickly and efficiently\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCryptographic agility is achieved through modern crypto, accurate inventories, and engineering in the ability to make encryption changes quickly and efficiently\u003c/p\u003e\\n\"}\n1b8:{\"drupal_internal__nid\":1181,\"drupal_internal__vid\":5838,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-06T16:38:48+00:00\",\"status\":true,\"title\":\"Three elements of cryptographic agility\",\"created\":\"2024-04-17T22:16:09+00:00\",\"changed\":\"2024-08-06T16:38:48+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1b9\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$1ba\",\"field_short_description\":\"$1bd\",\"field_video_link\":null}\n1c1:{\"drupal_internal__target_id\":\"blog\"}\n1c0:{\"type\":\"node_type--node_type\",\"id\":\"f382c03e-0cc5-4892-aa46-653a2d90fc05\",\"meta\":\"$1c1\"}\n1c3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/node_type?resourceVersion=id%3A5838\"}\n1c4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/node_type?resourceVersion=id%3A5838\"}\n1c2:{\"related\":\"$1c3\",\"self\":\"$1c4\"}\n1bf:{\"data\":\"$1c0\",\"links\":\"$1c2\"}\n1c7:{\"drupal_internal__target_id\":94}\n1c6:{\"type\":\"user--user\",\"id\":\"c34b79d4-f936-45dd-968f-7efc22d4370b\",\"meta\":\"$1c7\"}\n1c9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e
0d23b7f-1209-42b1-80aa-0c39f2b45917/revision_uid?resourceVersion=id%3A5838\"}\n1ca:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/revision_uid?resourceVersion=id%3A5838\"}\n1c8:{\"related\":\"$1c9\",\"self\":\"$1ca\"}\n1c5:{\"data\":\"$1c6\",\"links\":\"$1c8\"}\n1cd:{\"drupal_in"])</script><script>self.__next_f.push([1,"ternal__target_id\":138}\n1cc:{\"type\":\"user--user\",\"id\":\"bebd6b4a-b250-4060-a68d-15e540df32b8\",\"meta\":\"$1cd\"}\n1cf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/uid?resourceVersion=id%3A5838\"}\n1d0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/uid?resourceVersion=id%3A5838\"}\n1ce:{\"related\":\"$1cf\",\"self\":\"$1d0\"}\n1cb:{\"data\":\"$1cc\",\"links\":\"$1ce\"}\n1d3:{\"drupal_internal__target_id\":81}\n1d2:{\"type\":\"media--blog_cover_image\",\"id\":\"d946f427-2467-4a4f-af13-c0d61e5d898e\",\"meta\":\"$1d3\"}\n1d5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/field_cover_image?resourceVersion=id%3A5838\"}\n1d6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/field_cover_image?resourceVersion=id%3A5838\"}\n1d4:{\"related\":\"$1d5\",\"self\":\"$1d6\"}\n1d1:{\"data\":\"$1d2\",\"links\":\"$1d4\"}\n1d9:{\"drupal_internal__target_id\":38}\n1d8:{\"type\":\"group--team\",\"id\":\"c70bb12a-8822-49ac-b8f6-9e96e3e73389\",\"meta\":\"$1d9\"}\n1db:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/field_publisher_group?resourceVersion=id%3A5838\"}\n1dc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/field_publisher_group?resourceVersion=id%3A5838\"}\n1da:{\"related\":\"$1db\",\"self\":\"$1dc\"}\n1d7:{\"data\":\"$1d8\",\"links\":\"$1da\"}\n1df:{\"drupal_internal__target_id\":106}\n1
de:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"cccd136f-b478-40f0-8ff8-fd73f75f4ab0\",\"meta\":\"$1df\"}\n1e1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/field_resource_type?resourceVersion=id%3A5838\"}\n1e2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/field_resource_type?resourceVersion=id%3A5838\"}\n1e0:{\"related\":\"$1e1\",\"self\":\"$1e2\"}\n1dd:{\"data\":\"$1de\",\"links\":\"$1e0\"}\n1e6:{\"drupal_internal__target_id\":61}\n1e5:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-"])</script><script>self.__next_f.push([1,"474f-8536-ad7db1b2e5ab\",\"meta\":\"$1e6\"}\n1e8:{\"drupal_internal__target_id\":71}\n1e7:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$1e8\"}\n1e4:[\"$1e5\",\"$1e7\"]\n1ea:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/field_roles?resourceVersion=id%3A5838\"}\n1eb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/field_roles?resourceVersion=id%3A5838\"}\n1e9:{\"related\":\"$1ea\",\"self\":\"$1eb\"}\n1e3:{\"data\":\"$1e4\",\"links\":\"$1e9\"}\n1ef:{\"drupal_internal__target_id\":41}\n1ee:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":\"$1ef\"}\n1ed:[\"$1ee\"]\n1f1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/field_topics?resourceVersion=id%3A5838\"}\n1f2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/field_topics?resourceVersion=id%3A5838\"}\n1f0:{\"related\":\"$1f1\",\"self\":\"$1f2\"}\n1ec:{\"data\":\"$1ed\",\"links\":\"$1f0\"}\n1be:{\"node_type\":\"$1bf\",\"revision_uid\":\"$1c5\",\"uid\":\"$1cb\",\"field_cover_image\":\"$1d1\",\"field_publisher_group\":\"$1d7\",\"field_resource_type\":\"$1dd\",\"field_roles\":\"$1e3\
",\"field_topics\":\"$1ec\"}\n1b5:{\"type\":\"node--blog\",\"id\":\"e0d23b7f-1209-42b1-80aa-0c39f2b45917\",\"links\":\"$1b6\",\"attributes\":\"$1b8\",\"relationships\":\"$1be\"}\n1f5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e?resourceVersion=id%3A5993\"}\n1f4:{\"self\":\"$1f5\"}\n1f7:{\"alias\":\"/learn/national-institute-standards-and-technology-nist\",\"pid\":371,\"langcode\":\"en\"}\n1f8:{\"value\":\"Information about NIST and how the agency's policies and guidance relate to security and privacy at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eInformation about NIST and how the agency\u0026#039;s policies and guidance relate to security and privacy at CMS\u003c/p\u003e\\n\"}\n1f9:[\"#security_community\"]\n1f6:{\"drupal_internal__nid\":381,\"drupal_internal__vid\":5993,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-03T14:43:06+00:00\",\"status\":tr"])</script><script>self.__next_f.push([1,"ue,\"title\":\"National Institute of Standards and Technology (NIST)\",\"created\":\"2022-08-29T16:46:36+00:00\",\"changed\":\"2024-12-03T14:43:06+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1f7\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy 
Team\",\"field_short_description\":\"$1f8\",\"field_slack_channel\":\"$1f9\"}\n1fd:{\"drupal_internal__target_id\":\"explainer\"}\n1fc:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$1fd\"}\n1ff:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/node_type?resourceVersion=id%3A5993\"}\n200:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/node_type?resourceVersion=id%3A5993\"}\n1fe:{\"related\":\"$1ff\",\"self\":\"$200\"}\n1fb:{\"data\":\"$1fc\",\"links\":\"$1fe\"}\n203:{\"drupal_internal__target_id\":6}\n202:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$203\"}\n205:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/revision_uid?resourceVersion=id%3A5993\"}\n206:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/revision_uid?resourceVersion=id%3A5993\"}\n204:{\"related\":\"$205\",\"self\":\"$206\"}\n201:{\"data\":\"$202\",\"links\":\"$204\"}\n209:{\"drupal_internal__target_id\":26}\n208:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$209\"}\n20b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/uid?resourceVersion=id%3A5993\"}\n20c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/uid?resourceVersion=id%3A5993\"}\n20a:{\"related\":\"$20b\",\"self\":\"$20c\"}\n207:{\"data\":\"$208\",\"links\":\"$20a\"}\n210:{\"target_revi"])</script><script>self.__next_f.push([1,"sion_id\":19645,\"drupal_internal__target_id\":496}\n20f:{\"type\":\"paragraph--page_section\",\"id\":\"65807e01-7389-4561-8818-b4453d59c7ac\",\"meta\":\"$210\"}\n20e:[\"$20f\"]\n212:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-
7dc48efd251e/field_page_section?resourceVersion=id%3A5993\"}\n213:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_page_section?resourceVersion=id%3A5993\"}\n211:{\"related\":\"$212\",\"self\":\"$213\"}\n20d:{\"data\":\"$20e\",\"links\":\"$211\"}\n217:{\"target_revision_id\":19646,\"drupal_internal__target_id\":2001}\n216:{\"type\":\"paragraph--internal_link\",\"id\":\"858b57e7-3499-42a6-9fd4-b045a2aa9c42\",\"meta\":\"$217\"}\n219:{\"target_revision_id\":19647,\"drupal_internal__target_id\":2011}\n218:{\"type\":\"paragraph--internal_link\",\"id\":\"d171c5fe-3bb3-47be-bd3e-c53cc75c4f9e\",\"meta\":\"$219\"}\n21b:{\"target_revision_id\":19648,\"drupal_internal__target_id\":2286}\n21a:{\"type\":\"paragraph--internal_link\",\"id\":\"26c9c7a0-fcc3-4d04-ab8c-21924a868e28\",\"meta\":\"$21b\"}\n21d:{\"target_revision_id\":19649,\"drupal_internal__target_id\":2281}\n21c:{\"type\":\"paragraph--internal_link\",\"id\":\"4e888450-31b6-43e1-95a0-9ac56298fcc9\",\"meta\":\"$21d\"}\n21f:{\"target_revision_id\":19650,\"drupal_internal__target_id\":2291}\n21e:{\"type\":\"paragraph--internal_link\",\"id\":\"f43c4cb2-4d4e-4020-a165-aab378f6254d\",\"meta\":\"$21f\"}\n215:[\"$216\",\"$218\",\"$21a\",\"$21c\",\"$21e\"]\n221:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_related_collection?resourceVersion=id%3A5993\"}\n222:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_related_collection?resourceVersion=id%3A5993\"}\n220:{\"related\":\"$221\",\"self\":\"$222\"}\n214:{\"data\":\"$215\",\"links\":\"$220\"}\n225:{\"drupal_internal__target_id\":131}\n224:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$225\"}\n227:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_resource_"])</script><script>self
.__next_f.push([1,"type?resourceVersion=id%3A5993\"}\n228:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_resource_type?resourceVersion=id%3A5993\"}\n226:{\"related\":\"$227\",\"self\":\"$228\"}\n223:{\"data\":\"$224\",\"links\":\"$226\"}\n22a:[]\n22c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_roles?resourceVersion=id%3A5993\"}\n22d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_roles?resourceVersion=id%3A5993\"}\n22b:{\"related\":\"$22c\",\"self\":\"$22d\"}\n229:{\"data\":\"$22a\",\"links\":\"$22b\"}\n231:{\"drupal_internal__target_id\":21}\n230:{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":\"$231\"}\n22f:[\"$230\"]\n233:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_topics?resourceVersion=id%3A5993\"}\n234:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_topics?resourceVersion=id%3A5993\"}\n232:{\"related\":\"$233\",\"self\":\"$234\"}\n22e:{\"data\":\"$22f\",\"links\":\"$232\"}\n1fa:{\"node_type\":\"$1fb\",\"revision_uid\":\"$201\",\"uid\":\"$207\",\"field_page_section\":\"$20d\",\"field_related_collection\":\"$214\",\"field_resource_type\":\"$223\",\"field_roles\":\"$229\",\"field_topics\":\"$22e\"}\n1f3:{\"type\":\"node--explainer\",\"id\":\"af385f5f-f61b-47af-a235-7dc48efd251e\",\"links\":\"$1f4\",\"attributes\":\"$1f6\",\"relationships\":\"$1fa\"}\n237:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20?resourceVersion=id%3A5748\"}\n236:{\"self\":\"$237\"}\n239:{\"alias\":\"/learn/federal-information-security-modernization-act-fisma\",\"pid\":306,\"langcode\":\"en\"}\n23a:{\"value\":\"FISMA is federal legislation that defines a framework of 
guidelines and security standards to protect government information and operations\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eFISMA is federal legislation that defines a framework of guidelines and security standards to protect government information and o"])</script><script>self.__next_f.push([1,"perations\u003c/p\u003e\\n\"}\n23b:[\"#ispg-sec_privacy-policy\"]\n238:{\"drupal_internal__nid\":316,\"drupal_internal__vid\":5748,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T15:50:25+00:00\",\"status\":true,\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"created\":\"2022-08-29T15:11:08+00:00\",\"changed\":\"2024-08-05T15:50:25+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$239\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy 
Team\",\"field_short_description\":\"$23a\",\"field_slack_channel\":\"$23b\"}\n23f:{\"drupal_internal__target_id\":\"explainer\"}\n23e:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$23f\"}\n241:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/node_type?resourceVersion=id%3A5748\"}\n242:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/node_type?resourceVersion=id%3A5748\"}\n240:{\"related\":\"$241\",\"self\":\"$242\"}\n23d:{\"data\":\"$23e\",\"links\":\"$240\"}\n245:{\"drupal_internal__target_id\":159}\n244:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":\"$245\"}\n247:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/revision_uid?resourceVersion=id%3A5748\"}\n248:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/revision_uid?resourceVersion=id%3A5748\"}\n246:{\"related\":\"$247\",\"self\":\"$248\"}\n243:{\"data\":\"$244\",\"links\":\"$246\"}\n24b:{\"drupal_internal__target_id\":26}\n24a:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$24b\"}\n24d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/uid?resourceVersion=id%3A5748\"}\n24e:{\"href\":\"https://cybergeek.cms.gov/jsona"])</script><script>self.__next_f.push([1,"pi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/uid?resourceVersion=id%3A5748\"}\n24c:{\"related\":\"$24d\",\"self\":\"$24e\"}\n249:{\"data\":\"$24a\",\"links\":\"$24c\"}\n252:{\"target_revision_id\":19016,\"drupal_internal__target_id\":1146}\n251:{\"type\":\"paragraph--page_section\",\"id\":\"4ffd074a-8ca7-41ad-8c6c-d270330af3fa\",\"meta\":\"$252\"}\n250:[\"$251\"]\n254:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c
52-5a7f3a032b20/field_page_section?resourceVersion=id%3A5748\"}\n255:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_page_section?resourceVersion=id%3A5748\"}\n253:{\"related\":\"$254\",\"self\":\"$255\"}\n24f:{\"data\":\"$250\",\"links\":\"$253\"}\n259:{\"target_revision_id\":19017,\"drupal_internal__target_id\":1941}\n258:{\"type\":\"paragraph--internal_link\",\"id\":\"3d88d941-7844-4a24-8d87-b884cf205f36\",\"meta\":\"$259\"}\n25b:{\"target_revision_id\":19018,\"drupal_internal__target_id\":1946}\n25a:{\"type\":\"paragraph--internal_link\",\"id\":\"5087f368-5c99-41a5-b39b-e27bc9df3950\",\"meta\":\"$25b\"}\n25d:{\"target_revision_id\":19019,\"drupal_internal__target_id\":1951}\n25c:{\"type\":\"paragraph--internal_link\",\"id\":\"4b2ee6b4-cbfd-46c8-a65f-9b2b18e1a793\",\"meta\":\"$25d\"}\n25f:{\"target_revision_id\":19020,\"drupal_internal__target_id\":3517}\n25e:{\"type\":\"paragraph--internal_link\",\"id\":\"dd735dee-c392-4312-bc59-7a2163ad21a6\",\"meta\":\"$25f\"}\n261:{\"target_revision_id\":19021,\"drupal_internal__target_id\":3518}\n260:{\"type\":\"paragraph--internal_link\",\"id\":\"b88a7b64-a818-4f85-b969-a2f77482f8ce\",\"meta\":\"$261\"}\n257:[\"$258\",\"$25a\",\"$25c\",\"$25e\",\"$260\"]\n263:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_related_collection?resourceVersion=id%3A5748\"}\n264:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_related_collection?resourceVersion=id%3A5748\"}\n262:{\"related\":\"$263\",\"self\":\"$264\"}\n256:{\"data\":\"$257\",\"links\":\"$262\"}\n267:{\"drupal_internal__target_id\":131}\n266:{\"type\":\"taxonomy_ter"])</script><script>self.__next_f.push([1,"m--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$267\"}\n269:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a
032b20/field_resource_type?resourceVersion=id%3A5748\"}\n26a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_resource_type?resourceVersion=id%3A5748\"}\n268:{\"related\":\"$269\",\"self\":\"$26a\"}\n265:{\"data\":\"$266\",\"links\":\"$268\"}\n26e:{\"drupal_internal__target_id\":66}\n26d:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$26e\"}\n270:{\"drupal_internal__target_id\":81}\n26f:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\"$270\"}\n272:{\"drupal_internal__target_id\":61}\n271:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$272\"}\n274:{\"drupal_internal__target_id\":76}\n273:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$274\"}\n276:{\"drupal_internal__target_id\":71}\n275:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$276\"}\n26c:[\"$26d\",\"$26f\",\"$271\",\"$273\",\"$275\"]\n278:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_roles?resourceVersion=id%3A5748\"}\n279:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_roles?resourceVersion=id%3A5748\"}\n277:{\"related\":\"$278\",\"self\":\"$279\"}\n26b:{\"data\":\"$26c\",\"links\":\"$277\"}\n27d:{\"drupal_internal__target_id\":21}\n27c:{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":\"$27d\"}\n27b:[\"$27c\"]\n27f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_topics?resourceVersion=id%3A5748\"}\n280:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_topics?resourceVersion=id%3A5748\"}\n27e:{\"related\":\"$27f\",\"self\"
:\"$280\"}\n27a:{\"data\":\"$27b\",\"links\":\"$27e\"}\n23c:{\"node_typ"])</script><script>self.__next_f.push([1,"e\":\"$23d\",\"revision_uid\":\"$243\",\"uid\":\"$249\",\"field_page_section\":\"$24f\",\"field_related_collection\":\"$256\",\"field_resource_type\":\"$265\",\"field_roles\":\"$26b\",\"field_topics\":\"$27a\"}\n235:{\"type\":\"node--explainer\",\"id\":\"a0111527-6756-4576-8c52-5a7f3a032b20\",\"links\":\"$236\",\"attributes\":\"$238\",\"relationships\":\"$23c\"}\n283:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c?resourceVersion=id%3A5942\"}\n282:{\"self\":\"$283\"}\n285:{\"alias\":\"/learn/fedramp\",\"pid\":316,\"langcode\":\"en\"}\n286:{\"value\":\"Provides a federally-recognized and standardized security framework for all cloud products and services\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProvides a federally-recognized and standardized security framework for all cloud products and services\u003c/p\u003e\\n\"}\n287:[\"#fedramp\"]\n284:{\"drupal_internal__nid\":326,\"drupal_internal__vid\":5942,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-17T14:55:23+00:00\",\"status\":true,\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"created\":\"2022-08-29T15:22:00+00:00\",\"changed\":\"2024-10-17T14:55:23+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$285\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"FedRAMP@cms.hhs.gov\",\"field_contact_name\":\"CMS FedRAMP 
PMO\",\"field_short_description\":\"$286\",\"field_slack_channel\":\"$287\"}\n28b:{\"drupal_internal__target_id\":\"explainer\"}\n28a:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$28b\"}\n28d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/node_type?resourceVersion=id%3A5942\"}\n28e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/node_type?resourceVersion=id%3A5942\"}\n28c:{\"related\":\"$28d\",\"self\":\"$28e\"}\n289:{\"data\":\"$28a\",\"links\":\"$28c\"}\n291:{\"drupal_internal__targ"])</script><script>self.__next_f.push([1,"et_id\":114}\n290:{\"type\":\"user--user\",\"id\":\"d3421e1d-1fda-4bd0-83ab-e404455b0e66\",\"meta\":\"$291\"}\n293:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/revision_uid?resourceVersion=id%3A5942\"}\n294:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/revision_uid?resourceVersion=id%3A5942\"}\n292:{\"related\":\"$293\",\"self\":\"$294\"}\n28f:{\"data\":\"$290\",\"links\":\"$292\"}\n297:{\"drupal_internal__target_id\":26}\n296:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$297\"}\n299:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/uid?resourceVersion=id%3A5942\"}\n29a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/uid?resourceVersion=id%3A5942\"}\n298:{\"related\":\"$299\",\"self\":\"$29a\"}\n295:{\"data\":\"$296\",\"links\":\"$298\"}\n29e:{\"target_revision_id\":19451,\"drupal_internal__target_id\":1171}\n29d:{\"type\":\"paragraph--page_section\",\"id\":\"2ce39e48-81e4-4bea-a0ff-04f25ddd0041\",\"meta\":\"$29e\"}\n2a0:{\"target_revision_id\":19452,\"drupal_internal__target_id\":1211}\n29f:{\"type\":\"paragraph--page
_section\",\"id\":\"77ea2e89-2433-4815-b869-52b2d900029e\",\"meta\":\"$2a0\"}\n2a2:{\"target_revision_id\":19462,\"drupal_internal__target_id\":3431}\n2a1:{\"type\":\"paragraph--page_section\",\"id\":\"deedf0fe-44e9-4015-90a1-f86ce6cbaf24\",\"meta\":\"$2a2\"}\n2a4:{\"target_revision_id\":19472,\"drupal_internal__target_id\":1261}\n2a3:{\"type\":\"paragraph--page_section\",\"id\":\"2b2216d8-24c3-4940-930f-6e79f68a279a\",\"meta\":\"$2a4\"}\n2a6:{\"target_revision_id\":19474,\"drupal_internal__target_id\":1266}\n2a5:{\"type\":\"paragraph--page_section\",\"id\":\"cbda5c42-489d-4480-85f5-db10db44de3e\",\"meta\":\"$2a6\"}\n2a8:{\"target_revision_id\":19475,\"drupal_internal__target_id\":3433}\n2a7:{\"type\":\"paragraph--page_section\",\"id\":\"37970dd4-a515-4370-a09f-f5177c2f98c2\",\"meta\":\"$2a8\"}\n2aa:{\"target_revision_id\":19476,\"drupal_internal__target_id\":3434}\n2a9:{\"type\":\"paragraph--page_section\",\"id\":\"434b1960-73e8-43fa-9b"])</script><script>self.__next_f.push([1,"9e-253ce35fa55a\",\"meta\":\"$2aa\"}\n29c:[\"$29d\",\"$29f\",\"$2a1\",\"$2a3\",\"$2a5\",\"$2a7\",\"$2a9\"]\n2ac:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_page_section?resourceVersion=id%3A5942\"}\n2ad:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_page_section?resourceVersion=id%3A5942\"}\n2ab:{\"related\":\"$2ac\",\"self\":\"$2ad\"}\n29b:{\"data\":\"$29c\",\"links\":\"$2ab\"}\n2b1:{\"target_revision_id\":19477,\"drupal_internal__target_id\":1956}\n2b0:{\"type\":\"paragraph--internal_link\",\"id\":\"7a5f06f0-e0ba-4ed2-aade-79b2233ec125\",\"meta\":\"$2b1\"}\n2b3:{\"target_revision_id\":19478,\"drupal_internal__target_id\":1961}\n2b2:{\"type\":\"paragraph--internal_link\",\"id\":\"61509c21-9c9e-48d0-8110-b98574cee727\",\"meta\":\"$2b3\"}\n2b5:{\"target_revision_id\":19479,\"drupal_internal__target_id\":1966}\n2b4:{\"type\":\"paragraph--internal_link\",\"id\":\"c2
480fc7-b7c3-49d4-8643-cd42bcd3b56b\",\"meta\":\"$2b5\"}\n2b7:{\"target_revision_id\":19480,\"drupal_internal__target_id\":3435}\n2b6:{\"type\":\"paragraph--internal_link\",\"id\":\"63dffb2c-c587-4991-8523-142b2378a5aa\",\"meta\":\"$2b7\"}\n2af:[\"$2b0\",\"$2b2\",\"$2b4\",\"$2b6\"]\n2b9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_related_collection?resourceVersion=id%3A5942\"}\n2ba:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_related_collection?resourceVersion=id%3A5942\"}\n2b8:{\"related\":\"$2b9\",\"self\":\"$2ba\"}\n2ae:{\"data\":\"$2af\",\"links\":\"$2b8\"}\n2bd:{\"drupal_internal__target_id\":131}\n2bc:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$2bd\"}\n2bf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_resource_type?resourceVersion=id%3A5942\"}\n2c0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_resource_type?resourceVersion=id%3A5942\"}\n2be:{\"related\":\"$2bf\",\"self\":\"$2c0\"}\n2bb:{\"data\":\""])</script><script>self.__next_f.push([1,"$2bc\",\"links\":\"$2be\"}\n2c4:{\"drupal_internal__target_id\":66}\n2c3:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$2c4\"}\n2c6:{\"drupal_internal__target_id\":61}\n2c5:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$2c6\"}\n2c8:{\"drupal_internal__target_id\":76}\n2c7:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$2c8\"}\n2c2:[\"$2c3\",\"$2c5\",\"$2c7\"]\n2ca:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_roles?resourceVersion=id%3A5942\"}\n2cb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279
358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_roles?resourceVersion=id%3A5942\"}\n2c9:{\"related\":\"$2ca\",\"self\":\"$2cb\"}\n2c1:{\"data\":\"$2c2\",\"links\":\"$2c9\"}\n2cf:{\"drupal_internal__target_id\":21}\n2ce:{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":\"$2cf\"}\n2cd:[\"$2ce\"]\n2d1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_topics?resourceVersion=id%3A5942\"}\n2d2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_topics?resourceVersion=id%3A5942\"}\n2d0:{\"related\":\"$2d1\",\"self\":\"$2d2\"}\n2cc:{\"data\":\"$2cd\",\"links\":\"$2d0\"}\n288:{\"node_type\":\"$289\",\"revision_uid\":\"$28f\",\"uid\":\"$295\",\"field_page_section\":\"$29b\",\"field_related_collection\":\"$2ae\",\"field_resource_type\":\"$2bb\",\"field_roles\":\"$2c1\",\"field_topics\":\"$2cc\"}\n281:{\"type\":\"node--explainer\",\"id\":\"a279358b-5b24-49bc-a98e-11681bd7e65c\",\"links\":\"$282\",\"attributes\":\"$284\",\"relationships\":\"$288\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf?resourceVersion=id%3A6076\"}},\"attributes\":{\"drupal_internal__nid\":671,\"drupal_internal__vid\":6076,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-15T16:28:16+00:00\",\"status\":true,\"title\":\"Zero Trust 
\",\"created\":\"2023-02-02T19:12:26+00:00\",\"changed\":\"2025-01-15T16:28:16+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/zero-trust\",\"pid\":661,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ISPGZeroTrust@cms.hhs.gov\",\"field_contact_name\":\"Zero Trust Team\",\"field_short_description\":{\"value\":\"Security paradigm that requires the continuous verification of system users to promote system security\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSecurity paradigm that requires the continuous verification of system users to promote system security\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cms-zero-trust\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/node_type?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/node_type?resourceVersion=id%3A6076\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"bebd6b4a-b250-4060-a68d-15e540df32b8\",\"meta\":{\"drupal_internal__target_id\":138}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/revision_uid?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/revision_uid?resourceVersion=id%3A6076\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\
"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/uid?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/uid?resourceVersion=id%3A6076\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"9271f09e-6087-42ce-9b2a-2ddf6888888d\",\"meta\":{\"target_revision_id\":19936,\"drupal_internal__target_id\":536}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_page_section?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_page_section?resourceVersion=id%3A6076\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"c6911d3e-5198-4b35-ac2a-13d123aedee1\",\"meta\":{\"target_revision_id\":19941,\"drupal_internal__target_id\":3398}},{\"type\":\"paragraph--internal_link\",\"id\":\"2bcabaa5-d621-42c9-bdc8-e0b80b3869d3\",\"meta\":{\"target_revision_id\":19946,\"drupal_internal__target_id\":1616}},{\"type\":\"paragraph--internal_link\",\"id\":\"670741af-bf41-4d99-a21c-a24dc57f4424\",\"meta\":{\"target_revision_id\":19951,\"drupal_internal__target_id\":3499}},{\"type\":\"paragraph--internal_link\",\"id\":\"f7a739a6-3d16-4633-bfad-fd8f469ffb64\",\"meta\":{\"target_revision_id\":19956,\"drupal_internal__target_id\":1611}},{\"type\":\"paragraph--internal_link\",\"id\":\"80d01d00-9ecf-4254-8e6e-a9242e8289f1\",\"meta\":{\"target_revision_id\":19961,\"drupal_internal__target_id\":1621}},{\"type\":\"paragraph--internal_link\",\"id\":\"d576257b-f5ba-4ad4-a81b-7628a82e8dce\",\"meta\":{\"target_revision_id\":19966,\"drupal_internal__target_id\":1626}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer
/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_related_collection?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_related_collection?resourceVersion=id%3A6076\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_resource_type?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_resource_type?resourceVersion=id%3A6076\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_roles?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_roles?resourceVersion=id%3A6076\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":{\"drupal_internal__target_id\":21}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_topics?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_topics?resourceVersion=id%3
A6076\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"bebd6b4a-b250-4060-a68d-15e540df32b8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/bebd6b4a-b250-4060-a68d-15e540df32b8\"}},\"attributes\":{\"display_name\":\"eschweinsberg\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - 
retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}},\"attributes\":{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"ht
tps://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersio
n=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38?resourceVersion=id%3A21\"}},\"attributes\":{\"drupal_internal__tid\":21,\"drupal_internal__revision_id\":21,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:35+00:00\",\"status\":true,\"name\":\"Federal Policy \u0026 Guidance\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/vid?resourceVersion=id%3A21\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/relationships/vid?resourceVersion=id%3A21\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/revision_user?resourceVersion=id%3A21\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/relationships/revision_user?resourceVersion=id%3A21\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https:
//www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/parent?resourceVersion=id%3A21\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/relationships/parent?resourceVersion=id%3A21\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"9271f09e-6087-42ce-9b2a-2ddf6888888d\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9271f09e-6087-42ce-9b2a-2ddf6888888d?resourceVersion=id%3A19936\"}},\"attributes\":{\"drupal_internal__id\":536,\"drupal_internal__revision_id\":19936,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-02T19:27:06+00:00\",\"parent_id\":\"671\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9271f09e-6087-42ce-9b2a-2ddf6888888d/paragraph_type?resourceVersion=id%3A19936\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9271f09e-6087-42ce-9b2a-2ddf6888888d/relationships/paragraph_type?resourceVersion=id%3A19936\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9271f09e-6087-42ce-9b2a-2ddf6888888d/field_specialty_item?resourceVersion=id%3A19936\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_secti
on/9271f09e-6087-42ce-9b2a-2ddf6888888d/relationships/field_specialty_item?resourceVersion=id%3A19936\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"c6911d3e-5198-4b35-ac2a-13d123aedee1\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c6911d3e-5198-4b35-ac2a-13d123aedee1?resourceVersion=id%3A19941\"}},\"attributes\":{\"drupal_internal__id\":3398,\"drupal_internal__revision_id\":19941,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-07-25T19:41:52+00:00\",\"parent_id\":\"671\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c6911d3e-5198-4b35-ac2a-13d123aedee1/paragraph_type?resourceVersion=id%3A19941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c6911d3e-5198-4b35-ac2a-13d123aedee1/relationships/paragraph_type?resourceVersion=id%3A19941\"}}},\"field_link\":{\"data\":{\"type\":\"node--blog\",\"id\":\"aca45222-41ba-4c40-b537-5e106036b9e6\",\"meta\":{\"drupal_internal__target_id\":1132}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c6911d3e-5198-4b35-ac2a-13d123aedee1/field_link?resourceVersion=id%3A19941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c6911d3e-5198-4b35-ac2a-13d123aedee1/relationships/field_link?resourceVersion=id%3A19941\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"2bcabaa5-d621-42c9-bdc8-e0b80b3869d3\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2bcabaa5-d621-42c9-bdc8-e0b80b3869d3?resourceVersion=id%3A19946\"}},\"
attributes\":{\"drupal_internal__id\":1616,\"drupal_internal__revision_id\":19946,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-14T16:09:06+00:00\",\"parent_id\":\"671\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2bcabaa5-d621-42c9-bdc8-e0b80b3869d3/paragraph_type?resourceVersion=id%3A19946\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2bcabaa5-d621-42c9-bdc8-e0b80b3869d3/relationships/paragraph_type?resourceVersion=id%3A19946\"}}},\"field_link\":{\"data\":{\"type\":\"node--blog\",\"id\":\"bf73d479-26b2-42c1-ad91-4443f37c5ebd\",\"meta\":{\"drupal_internal__target_id\":1169}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2bcabaa5-d621-42c9-bdc8-e0b80b3869d3/field_link?resourceVersion=id%3A19946\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/2bcabaa5-d621-42c9-bdc8-e0b80b3869d3/relationships/field_link?resourceVersion=id%3A19946\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"670741af-bf41-4d99-a21c-a24dc57f4424\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/670741af-bf41-4d99-a21c-a24dc57f4424?resourceVersion=id%3A19951\"}},\"attributes\":{\"drupal_internal__id\":3499,\"drupal_internal__revision_id\":19951,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-05-13T10:23:19+00:00\",\"parent_id\":\"671\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relat
ionships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/670741af-bf41-4d99-a21c-a24dc57f4424/paragraph_type?resourceVersion=id%3A19951\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/670741af-bf41-4d99-a21c-a24dc57f4424/relationships/paragraph_type?resourceVersion=id%3A19951\"}}},\"field_link\":{\"data\":{\"type\":\"node--blog\",\"id\":\"e0d23b7f-1209-42b1-80aa-0c39f2b45917\",\"meta\":{\"drupal_internal__target_id\":1181}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/670741af-bf41-4d99-a21c-a24dc57f4424/field_link?resourceVersion=id%3A19951\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/670741af-bf41-4d99-a21c-a24dc57f4424/relationships/field_link?resourceVersion=id%3A19951\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"f7a739a6-3d16-4633-bfad-fd8f469ffb64\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f7a739a6-3d16-4633-bfad-fd8f469ffb64?resourceVersion=id%3A19956\"}},\"attributes\":{\"drupal_internal__id\":1611,\"drupal_internal__revision_id\":19956,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-14T16:04:44+00:00\",\"parent_id\":\"671\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f7a739a6-3d16-4633-bfad-fd8f469ffb64/paragraph_type?resourceVersio
n=id%3A19956\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f7a739a6-3d16-4633-bfad-fd8f469ffb64/relationships/paragraph_type?resourceVersion=id%3A19956\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"af385f5f-f61b-47af-a235-7dc48efd251e\",\"meta\":{\"drupal_internal__target_id\":381}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f7a739a6-3d16-4633-bfad-fd8f469ffb64/field_link?resourceVersion=id%3A19956\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f7a739a6-3d16-4633-bfad-fd8f469ffb64/relationships/field_link?resourceVersion=id%3A19956\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"80d01d00-9ecf-4254-8e6e-a9242e8289f1\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/80d01d00-9ecf-4254-8e6e-a9242e8289f1?resourceVersion=id%3A19961\"}},\"attributes\":{\"drupal_internal__id\":1621,\"drupal_internal__revision_id\":19961,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-14T16:09:11+00:00\",\"parent_id\":\"671\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/80d01d00-9ecf-4254-8e6e-a9242e8289f1/paragraph_type?resourceVersion=id%3A19961\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/80d01d00-9ecf-4254-8e6e-a9242e8289f1/relationships/paragraph_type?resourceVersion=id%3A19961\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"a0111527-6756-4576-8c52-5a7f3a032b20\",\"meta\":{\"drupal_internal__target_id\":316}},\"links\"
:{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/80d01d00-9ecf-4254-8e6e-a9242e8289f1/field_link?resourceVersion=id%3A19961\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/80d01d00-9ecf-4254-8e6e-a9242e8289f1/relationships/field_link?resourceVersion=id%3A19961\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"d576257b-f5ba-4ad4-a81b-7628a82e8dce\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d576257b-f5ba-4ad4-a81b-7628a82e8dce?resourceVersion=id%3A19966\"}},\"attributes\":{\"drupal_internal__id\":1626,\"drupal_internal__revision_id\":19966,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-14T16:09:26+00:00\",\"parent_id\":\"671\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d576257b-f5ba-4ad4-a81b-7628a82e8dce/paragraph_type?resourceVersion=id%3A19966\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d576257b-f5ba-4ad4-a81b-7628a82e8dce/relationships/paragraph_type?resourceVersion=id%3A19966\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"a279358b-5b24-49bc-a98e-11681bd7e65c\",\"meta\":{\"drupal_internal__target_id\":326}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d576257b-f5ba-4ad4-a81b-7628a82e8dce/field_link?resourceVersion=id%3A19966\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d576257b-f5ba-4ad4-a81b-7628a82e8dce/relationships/field_link?resourceVersion=id%3A19966\"}}}}},{\"type\":\"nod
e--blog\",\"id\":\"aca45222-41ba-4c40-b537-5e106036b9e6\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6?resourceVersion=id%3A6201\"}},\"attributes\":{\"drupal_internal__nid\":1132,\"drupal_internal__vid\":6201,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-22T16:15:40+00:00\",\"status\":true,\"title\":\"The 7 Tenets of Zero Trust for ISSOs and ADOs\",\"created\":\"2023-07-11T16:11:23+00:00\",\"changed\":\"2025-01-22T16:15:40+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/posts/7-tenets-zero-trust-issos-and-ados\",\"pid\":985,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\",\"summary\":\"\"},\"field_short_description\":{\"value\":\"A guide to help ADO and ISSOs understand and implement Zero Trust practices \",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA guide to help ADO and ISSOs understand and implement Zero Trust 
practices\u003c/p\u003e\\n\"},\"field_video_link\":null},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"f382c03e-0cc5-4892-aa46-653a2d90fc05\",\"meta\":{\"drupal_internal__target_id\":\"blog\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/node_type?resourceVersion=id%3A6201\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/node_type?resourceVersion=id%3A6201\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/revision_uid?resourceVersion=id%3A6201\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/revision_uid?resourceVersion=id%3A6201\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/uid?resourceVersion=id%3A6201\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/uid?resourceVersion=id%3A6201\"}}},\"field_cover_image\":{\"data\":{\"type\":\"media--blog_cover_image\",\"id\":\"5603c529-811a-424b-9709-b1a339ee6187\",\"meta\":{\"drupal_internal__target_id\":111}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/field_cover_image?resourceVersion=id%3A6201\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/field_cover_image?resourceVersion=id%3A6201\"}}},\"field_publisher_group\":{\"data\":{\"type\":\"group--team\
",\"id\":\"c70bb12a-8822-49ac-b8f6-9e96e3e73389\",\"meta\":{\"drupal_internal__target_id\":38}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/field_publisher_group?resourceVersion=id%3A6201\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/field_publisher_group?resourceVersion=id%3A6201\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"cccd136f-b478-40f0-8ff8-fd73f75f4ab0\",\"meta\":{\"drupal_internal__target_id\":106}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/field_resource_type?resourceVersion=id%3A6201\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/field_resource_type?resourceVersion=id%3A6201\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/field_roles?resourceVersion=id%3A6201\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/field_roles?resourceVersion=id%3A6201\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"b
61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":{\"drupal_internal__target_id\":21}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/field_topics?resourceVersion=id%3A6201\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/aca45222-41ba-4c40-b537-5e106036b9e6/relationships/field_topics?resourceVersion=id%3A6201\"}}}}},{\"type\":\"node--blog\",\"id\":\"bf73d479-26b2-42c1-ad91-4443f37c5ebd\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd?resourceVersion=id%3A5839\"}},\"attributes\":{\"drupal_internal__nid\":1169,\"drupal_internal__vid\":5839,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-06T16:39:00+00:00\",\"status\":true,\"title\":\"Cryptographic agility in the zeitgeist\",\"created\":\"2024-01-26T23:36:41+00:00\",\"changed\":\"2024-08-06T16:39:00+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/posts/cryptographic-agility-zeitgeist\",\"pid\":1165,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1c\",\"format\":\"body_text\",\"processed\":\"$1d\",\"summary\":\"\"},\"field_short_description\":{\"value\":\"Cryptographic agility has become a topic for Federal security teams to address. This post helps explain what it is and why we are talking about it now.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCryptographic agility has become a topic for Federal security teams to address. 
This post helps explain what it is and why we are talking about it now.\u003c/p\u003e\\n\"},\"field_video_link\":null},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"f382c03e-0cc5-4892-aa46-653a2d90fc05\",\"meta\":{\"drupal_internal__target_id\":\"blog\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/node_type?resourceVersion=id%3A5839\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/relationships/node_type?resourceVersion=id%3A5839\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"c34b79d4-f936-45dd-968f-7efc22d4370b\",\"meta\":{\"drupal_internal__target_id\":94}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/revision_uid?resourceVersion=id%3A5839\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/relationships/revision_uid?resourceVersion=id%3A5839\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"bebd6b4a-b250-4060-a68d-15e540df32b8\",\"meta\":{\"drupal_internal__target_id\":138}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/uid?resourceVersion=id%3A5839\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/relationships/uid?resourceVersion=id%3A5839\"}}},\"field_cover_image\":{\"data\":{\"type\":\"media--blog_cover_image\",\"id\":\"d946f427-2467-4a4f-af13-c0d61e5d898e\",\"meta\":{\"drupal_internal__target_id\":81}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/field_cover_image?resourceVersion=id%3A5839\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/relationships/field_cover_image?resourceVersion=id%3A5839\"}
}},\"field_publisher_group\":{\"data\":{\"type\":\"group--team\",\"id\":\"c70bb12a-8822-49ac-b8f6-9e96e3e73389\",\"meta\":{\"drupal_internal__target_id\":38}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/field_publisher_group?resourceVersion=id%3A5839\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/relationships/field_publisher_group?resourceVersion=id%3A5839\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"cccd136f-b478-40f0-8ff8-fd73f75f4ab0\",\"meta\":{\"drupal_internal__target_id\":106}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/field_resource_type?resourceVersion=id%3A5839\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/relationships/field_resource_type?resourceVersion=id%3A5839\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/field_roles?resourceVersion=id%3A5839\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/relationships/field_roles?resourceVersion=id%3A5839\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c1-ad91-4443f37c5ebd/field_topics?resourceVersion=id%3A5839\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bf73d479-26b2-42c
1-ad91-4443f37c5ebd/relationships/field_topics?resourceVersion=id%3A5839\"}}}}},{\"type\":\"node--blog\",\"id\":\"e0d23b7f-1209-42b1-80aa-0c39f2b45917\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917?resourceVersion=id%3A5838\"}},\"attributes\":{\"drupal_internal__nid\":1181,\"drupal_internal__vid\":5838,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-06T16:38:48+00:00\",\"status\":true,\"title\":\"Three elements of cryptographic agility\",\"created\":\"2024-04-17T22:16:09+00:00\",\"changed\":\"2024-08-06T16:38:48+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/posts/three-elements-cryptographic-agility\",\"pid\":1187,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1e\",\"format\":\"body_text\",\"processed\":\"$1f\",\"summary\":\"\"},\"field_short_description\":{\"value\":\"Cryptographic agility is achieved through modern crypto, accurate inventories, and engineering in the ability to make encryption changes quickly and efficiently\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCryptographic agility is achieved through modern crypto, accurate inventories, and engineering in the ability to make encryption changes quickly and 
efficiently\u003c/p\u003e\\n\"},\"field_video_link\":null},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"f382c03e-0cc5-4892-aa46-653a2d90fc05\",\"meta\":{\"drupal_internal__target_id\":\"blog\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/node_type?resourceVersion=id%3A5838\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/node_type?resourceVersion=id%3A5838\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"c34b79d4-f936-45dd-968f-7efc22d4370b\",\"meta\":{\"drupal_internal__target_id\":94}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/revision_uid?resourceVersion=id%3A5838\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/revision_uid?resourceVersion=id%3A5838\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"bebd6b4a-b250-4060-a68d-15e540df32b8\",\"meta\":{\"drupal_internal__target_id\":138}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/uid?resourceVersion=id%3A5838\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/uid?resourceVersion=id%3A5838\"}}},\"field_cover_image\":{\"data\":{\"type\":\"media--blog_cover_image\",\"id\":\"d946f427-2467-4a4f-af13-c0d61e5d898e\",\"meta\":{\"drupal_internal__target_id\":81}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/field_cover_image?resourceVersion=id%3A5838\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/field_cover_image?resourceVersion=id%3A5838\"}}},\"field_publisher_group\":{\"data\":{\"type\":\"group--te
am\",\"id\":\"c70bb12a-8822-49ac-b8f6-9e96e3e73389\",\"meta\":{\"drupal_internal__target_id\":38}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/field_publisher_group?resourceVersion=id%3A5838\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/field_publisher_group?resourceVersion=id%3A5838\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"cccd136f-b478-40f0-8ff8-fd73f75f4ab0\",\"meta\":{\"drupal_internal__target_id\":106}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/field_resource_type?resourceVersion=id%3A5838\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/field_resource_type?resourceVersion=id%3A5838\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/field_roles?resourceVersion=id%3A5838\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/field_roles?resourceVersion=id%3A5838\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/field_topics?resourceVersion=id%3A5838\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/e0d23b7f-1209-42b1-80aa-0c39f2b45917/relationships/field_topics?resourceVersi
on=id%3A5838\"}}}}},{\"type\":\"node--explainer\",\"id\":\"af385f5f-f61b-47af-a235-7dc48efd251e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e?resourceVersion=id%3A5993\"}},\"attributes\":{\"drupal_internal__nid\":381,\"drupal_internal__vid\":5993,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-03T14:43:06+00:00\",\"status\":true,\"title\":\"National Institute of Standards and Technology (NIST)\",\"created\":\"2022-08-29T16:46:36+00:00\",\"changed\":\"2024-12-03T14:43:06+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/national-institute-standards-and-technology-nist\",\"pid\":371,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Information about NIST and how the agency's policies and guidance relate to security and privacy at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eInformation about NIST and how the agency\u0026#039;s policies and guidance relate to security and privacy at 
CMS\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#security_community\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/node_type?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/node_type?resourceVersion=id%3A5993\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/revision_uid?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/revision_uid?resourceVersion=id%3A5993\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/uid?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/uid?resourceVersion=id%3A5993\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"65807e01-7389-4561-8818-b4453d59c7ac\",\"meta\":{\"target_revision_id\":19645,\"drupal_internal__target_id\":496}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_page_section?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_page_se
ction?resourceVersion=id%3A5993\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"858b57e7-3499-42a6-9fd4-b045a2aa9c42\",\"meta\":{\"target_revision_id\":19646,\"drupal_internal__target_id\":2001}},{\"type\":\"paragraph--internal_link\",\"id\":\"d171c5fe-3bb3-47be-bd3e-c53cc75c4f9e\",\"meta\":{\"target_revision_id\":19647,\"drupal_internal__target_id\":2011}},{\"type\":\"paragraph--internal_link\",\"id\":\"26c9c7a0-fcc3-4d04-ab8c-21924a868e28\",\"meta\":{\"target_revision_id\":19648,\"drupal_internal__target_id\":2286}},{\"type\":\"paragraph--internal_link\",\"id\":\"4e888450-31b6-43e1-95a0-9ac56298fcc9\",\"meta\":{\"target_revision_id\":19649,\"drupal_internal__target_id\":2281}},{\"type\":\"paragraph--internal_link\",\"id\":\"f43c4cb2-4d4e-4020-a165-aab378f6254d\",\"meta\":{\"target_revision_id\":19650,\"drupal_internal__target_id\":2291}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_related_collection?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_related_collection?resourceVersion=id%3A5993\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_resource_type?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_resource_type?resourceVersion=id%3A5993\"}}},\"field_roles\":{\"data\":[],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_roles?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.go
v/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_roles?resourceVersion=id%3A5993\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":{\"drupal_internal__target_id\":21}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_topics?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_topics?resourceVersion=id%3A5993\"}}}}},{\"type\":\"node--explainer\",\"id\":\"a0111527-6756-4576-8c52-5a7f3a032b20\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20?resourceVersion=id%3A5748\"}},\"attributes\":{\"drupal_internal__nid\":316,\"drupal_internal__vid\":5748,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T15:50:25+00:00\",\"status\":true,\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"created\":\"2022-08-29T15:11:08+00:00\",\"changed\":\"2024-08-05T15:50:25+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/federal-information-security-modernization-act-fisma\",\"pid\":306,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"FISMA is federal legislation that defines a framework of guidelines and security standards to protect government information and operations\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eFISMA is federal legislation that defines a framework of guidelines and security standards to protect 
government information and operations\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-sec_privacy-policy\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/node_type?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/node_type?resourceVersion=id%3A5748\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/revision_uid?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/revision_uid?resourceVersion=id%3A5748\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/uid?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/uid?resourceVersion=id%3A5748\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"4ffd074a-8ca7-41ad-8c6c-d270330af3fa\",\"meta\":{\"target_revision_id\":19016,\"drupal_internal__target_id\":1146}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_page_section?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c5
2-5a7f3a032b20/relationships/field_page_section?resourceVersion=id%3A5748\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"3d88d941-7844-4a24-8d87-b884cf205f36\",\"meta\":{\"target_revision_id\":19017,\"drupal_internal__target_id\":1941}},{\"type\":\"paragraph--internal_link\",\"id\":\"5087f368-5c99-41a5-b39b-e27bc9df3950\",\"meta\":{\"target_revision_id\":19018,\"drupal_internal__target_id\":1946}},{\"type\":\"paragraph--internal_link\",\"id\":\"4b2ee6b4-cbfd-46c8-a65f-9b2b18e1a793\",\"meta\":{\"target_revision_id\":19019,\"drupal_internal__target_id\":1951}},{\"type\":\"paragraph--internal_link\",\"id\":\"dd735dee-c392-4312-bc59-7a2163ad21a6\",\"meta\":{\"target_revision_id\":19020,\"drupal_internal__target_id\":3517}},{\"type\":\"paragraph--internal_link\",\"id\":\"b88a7b64-a818-4f85-b969-a2f77482f8ce\",\"meta\":{\"target_revision_id\":19021,\"drupal_internal__target_id\":3518}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_related_collection?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_related_collection?resourceVersion=id%3A5748\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_resource_type?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_resource_type?resourceVersion=id%3A5748\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"i
d\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_roles?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_roles?resourceVersion=id%3A5748\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":{\"drupal_internal__target_id\":21}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/field_topics?resourceVersion=id%3A5748\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a0111527-6756-4576-8c52-5a7f3a032b20/relationships/field_topics?resourceVersion=id%3A5748\"}}}}},{\"type\":\"node--explainer\",\"id\":\"a279358b-5b24-49bc-a98e-11681bd7e65c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c?resourceVersion=id%3A5942\"}},\"attributes\":{\"drupal_internal__nid\":326,\"drupal_internal__vid\":5942,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-17T14:55:23+00:00\",\"status\":true,\"title\":\"Federal Risk and Authorization Management Program 
(FedRAMP)\",\"created\":\"2022-08-29T15:22:00+00:00\",\"changed\":\"2024-10-17T14:55:23+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/fedramp\",\"pid\":316,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"FedRAMP@cms.hhs.gov\",\"field_contact_name\":\"CMS FedRAMP PMO\",\"field_short_description\":{\"value\":\"Provides a federally-recognized and standardized security framework for all cloud products and services\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProvides a federally-recognized and standardized security framework for all cloud products and services\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#fedramp\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/node_type?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/node_type?resourceVersion=id%3A5942\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"d3421e1d-1fda-4bd0-83ab-e404455b0e66\",\"meta\":{\"drupal_internal__target_id\":114}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/revision_uid?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/revision_uid?resourceVersion=id%3A5942\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta
\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/uid?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/uid?resourceVersion=id%3A5942\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"2ce39e48-81e4-4bea-a0ff-04f25ddd0041\",\"meta\":{\"target_revision_id\":19451,\"drupal_internal__target_id\":1171}},{\"type\":\"paragraph--page_section\",\"id\":\"77ea2e89-2433-4815-b869-52b2d900029e\",\"meta\":{\"target_revision_id\":19452,\"drupal_internal__target_id\":1211}},{\"type\":\"paragraph--page_section\",\"id\":\"deedf0fe-44e9-4015-90a1-f86ce6cbaf24\",\"meta\":{\"target_revision_id\":19462,\"drupal_internal__target_id\":3431}},{\"type\":\"paragraph--page_section\",\"id\":\"2b2216d8-24c3-4940-930f-6e79f68a279a\",\"meta\":{\"target_revision_id\":19472,\"drupal_internal__target_id\":1261}},{\"type\":\"paragraph--page_section\",\"id\":\"cbda5c42-489d-4480-85f5-db10db44de3e\",\"meta\":{\"target_revision_id\":19474,\"drupal_internal__target_id\":1266}},{\"type\":\"paragraph--page_section\",\"id\":\"37970dd4-a515-4370-a09f-f5177c2f98c2\",\"meta\":{\"target_revision_id\":19475,\"drupal_internal__target_id\":3433}},{\"type\":\"paragraph--page_section\",\"id\":\"434b1960-73e8-43fa-9b9e-253ce35fa55a\",\"meta\":{\"target_revision_id\":19476,\"drupal_internal__target_id\":3434}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_page_section?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_page_section?resourceVersion=id%3A5942\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"7a5f06f0-e0ba-4ed2-aade-79b2233ec125\",\"meta\
":{\"target_revision_id\":19477,\"drupal_internal__target_id\":1956}},{\"type\":\"paragraph--internal_link\",\"id\":\"61509c21-9c9e-48d0-8110-b98574cee727\",\"meta\":{\"target_revision_id\":19478,\"drupal_internal__target_id\":1961}},{\"type\":\"paragraph--internal_link\",\"id\":\"c2480fc7-b7c3-49d4-8643-cd42bcd3b56b\",\"meta\":{\"target_revision_id\":19479,\"drupal_internal__target_id\":1966}},{\"type\":\"paragraph--internal_link\",\"id\":\"63dffb2c-c587-4991-8523-142b2378a5aa\",\"meta\":{\"target_revision_id\":19480,\"drupal_internal__target_id\":3435}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_related_collection?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_related_collection?resourceVersion=id%3A5942\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_resource_type?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_resource_type?resourceVersion=id%3A5942\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_roles?resourceVersion=id%3A59
42\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_roles?resourceVersion=id%3A5942\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":{\"drupal_internal__target_id\":21}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_topics?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_topics?resourceVersion=id%3A5942\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$20\",\"bebd6b4a-b250-4060-a68d-15e540df32b8\":\"$2a\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$2e\",\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\":\"$32\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$4c\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$66\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$80\",\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\":\"$9a\",\"9271f09e-6087-42ce-9b2a-2ddf6888888d\":\"$b4\",\"c6911d3e-5198-4b35-ac2a-13d123aedee1\":\"$c7\",\"2bcabaa5-d621-42c9-bdc8-e0b80b3869d3\":\"$d9\",\"670741af-bf41-4d99-a21c-a24dc57f4424\":\"$eb\",\"f7a739a6-3d16-4633-bfad-fd8f469ffb64\":\"$fd\",\"80d01d00-9ecf-4254-8e6e-a9242e8289f1\":\"$10f\",\"d576257b-f5ba-4ad4-a81b-7628a82e8dce\":\"$121\",\"aca45222-41ba-4c40-b537-5e106036b9e6\":\"$133\",\"bf73d479-26b2-42c1-ad91-4443f37c5ebd\":\"$177\",\"e0d23b7f-1209-42b1-80aa-0c39f2b45917\":\"$1b5\",\"af385f5f-f61b-47af-a235-7dc48efd251e\":\"$1f3\",\"a0111527-6756-4576-8c52-5a7f3a032b20\":\"$235\",\"a279358b-5b24-49bc-a98e-11681bd7e65c\":\"$281\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Zero Trust | CMS Information Security \u0026 
Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Security paradigm that requires the continuous verification of system users to promote system security\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/zero-trust\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"Zero Trust | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Security paradigm that requires the continuous verification of system users to promote system security\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/zero-trust\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/zero-trust/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"Zero Trust | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Security paradigm that requires the continuous verification of system users to promote system 
security\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/zero-trust/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html> |