role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-library undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">CMS Information System Contingency Plan (ISCP) Exercise Handbook</h1><p class="hero__description">Information and resources for teams to help them complete their annual Information System Contingency Plan (ISCP) exercise</p><p class="font-sans-2xs line-height-sans-5 margin-bottom-0">Last reviewed<!-- -->: <!-- -->4/3/2023</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:ISPG_Policy_Mailbox@cms.hhs.gov">ISPG_Policy_Mailbox@cms.hhs.gov</a></span></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 
radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8"><section class="resource-collection radius-md padding-y-2 padding-x-3 bg-base-lightest"><h2 class="resource-collection__header h3 margin-top-0 margin-bottom-2">Related Resources</h2><div class="grid-row grid-gap-4"><div class="tablet:grid-col-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="https://csrc.nist.gov/pubs/sp/800/34/r1/upd1/final">NIST SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems<svg class="usa-icon" aria-hidden="true" role="img" data-testid="library-resources-external"><use href="/assets/img/sprite.svg#launch"></use></svg></a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf">NIST SP 800-84: Guide to Test, Training, and Exercise Programs (includes Master Scenario Events List (MSEL) guidance)<svg class="usa-icon" aria-hidden="true" role="img" data-testid="library-resources-external"><use href="/assets/img/sprite.svg#launch"></use></svg></a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/policy-guidance/cms-information-system-contingency-plan-iscp-handbook">CMS Information System Contingency Plan (ISCP) Handbook</a></div></div></section><section><div class="text-block text-block--theme-library"><h2>Contingency Planning at CMS</h2><p>Contingency planning at the Centers for Medicare &amp; Medicaid Services (CMS) is essential for protecting the organization from potential risks and ensuring the continuity of its operations. 
An <a href="https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook">Information System Contingency Plan (ISCP)</a> is the cornerstone document of contingency planning for information systems, and every CMS FISMA system must have one in place. The ISCP provides a framework for responding to and mitigating the effects of unexpected events, such as natural disasters, data breaches, and public health crises.</p><p>ISCPs outline risk management strategies, such as crisis management protocols, data backup and recovery procedures, business continuity plans, and roles and responsibilities. The plans generally include one or more of the following approaches to restore disrupted services:</p><ul><li>Restoring information systems using alternate equipment in case of an equipment failure</li><li>Alternate data processing means</li><li>Alternate location(s) in case of a natural disaster</li></ul><p>Contingency planning also involves establishing clear communication channels between CMS and its stakeholders, such as healthcare providers, patients, and the general public. By being prepared for potential risks, CMS can ensure that its operations remain uninterrupted and that its stakeholders are kept informed of any changes. CMS utilizes guidance provided by <a href="https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final">National Institute of Standards and Technology (NIST) SP 800-53</a> (in particular its Contingency Planning (CP) control family) and the Federal Information Security Modernization Act (FISMA) to inform its internal contingency planning process.</p><h2>ISCP Testing, Training and Exercise (TT&amp;E)</h2><p>System/Business Owners are required to schedule and perform <strong>Testing, Training, and Exercise (TT&amp;E)</strong> for their ISCPs annually. They must also oversee the development and completion of corrective action plans for deficiencies identified during testing, and track those corrective actions to closure. 
Exercising an ISCP ensures that in the event of a system failure, the system team is prepared to take the steps necessary to protect security and privacy.&nbsp;</p><p>To make sure that CMS FISMA systems can recover from outages or issues, it's important that everyone knows what they need to do, has been trained on how to fix problems, and that those solutions are tested to make sure they actually work. Therefore, every System/Business Owner and Information System Security Officer (ISSO)&nbsp;will implement a robust TT&amp;E program for contingency planning. Your system's impact level will determine the specific requirements of your TT&amp;E program. As you develop and complete your TT&amp;E, you will also need to update your ISCP as new information becomes available and changes to your system occur.&nbsp;</p><p>A successful TT&amp;E program should include several types of events to ensure the availability of a wide range of methods for validating various planning elements in the context of cyber incidents.</p><h3>Tests</h3><p>Tests are evaluation tools that use quantifiable metrics to ensure that a FISMA system or system component is functioning properly. A test is conducted in as close to an operational environment as possible; if feasible, an actual test of the components or systems used to conduct daily operations for the organization should be used. The scope of testing can range from individual system components or systems to comprehensive tests of all systems and components that support the ISCP. Tests often focus on recovery and backup operations; however, testing varies depending on the goal of the test and its relation to a specific plan.</p><h3>Training</h3><p>Training allows personnel to understand their roles and responsibilities within a system's ISCP. Training opportunities teach staff skills such as decision making and offer information about best practices. 
It prepares them for participation in exercises, tests, and actual emergency situations related to the ISCP. Training is typically split between a presentation on roles and responsibilities, and activities that allow personnel to demonstrate their understanding of the subject matter.</p><p>All training should be coordinated by and centrally documented with the ISSO. Training must include, but will not be limited to the following:</p><ul><li>Emergency response best practices</li><li>Disaster declaration criteria and declaration authorities</li><li>Functional recovery prioritizations and Recovery Time Objectives (RTOs) of interdependent systems</li><li>Validation of the approved recovery strategies and strategy implementation</li><li>Verification of ISCP implementation procedures</li><li>Validation of recovery personnel assignments, roles and responsibilities</li></ul><p>ISCP Coordinators must develop a training program for all personnel assigned to recovery responsibilities within the ISCP. Training must be provided within 90 days of assignment to recovery responsibilities with refresher training conducted at least annually thereafter.</p><h3>Exercises</h3><p>An exercise is a simulation of an emergency designed to validate the viability of one or more aspects of an ISCP. In an exercise, personnel with roles and responsibilities within the ISCP meet to validate the content of the plan through discussion of their roles and their responses to emergency situations, execution of responses in a simulated operational environment, or other means of validating responses that do not involve using the actual operational environment. 
Exercises are scenario-driven, such as a power failure in one of the organizations data centers or a fire causing certain systems to be damaged, with additional situations often being presented during the course of an exercise.&nbsp;</p><p>The purpose of exercising an ISCP is to identify and fix deficiencies in the system itself and the overall planning process. ISCPs are not exercised to test the technical competence of personnel with recovery responsibilities. Exercises do serve as training for personnel who will be called upon to execute the ISCP in the event of a system outage. Exercises should include the following areas:</p><ul><li>Notification and escalation procedures</li><li>System recovery on an alternate platform from backup media</li><li>Internal and external connectivity</li><li>Actual operational functional support from the recovered system</li><li>System restoration</li><li>Smooth resumption of normal operations</li></ul><p>At CMS, there are two main types of exercises used to validate ISCPs:&nbsp;</p><h4>Tabletop Exercises</h4><p>Tabletop exercises are discussion-based exercises where personnel meet in a classroom setting or in breakout groups to discuss their roles during an emergency and their responses to a particular emergency situation. A Facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. 
A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources.&nbsp;</p><p>The primary goals of a successful Tabletop Exercise are:&nbsp;</p><ul><li>Validation of <strong>Recovery Time Objectives (RTOs)</strong> and functional <strong>Maximum Tolerable Downtimes (MTDs)</strong></li><li>Validation of response and recovery procedures</li><li>Guidelines and procedures for coordinated, timely, and effective response and recovery</li><li>Call tree information verification</li><li>Discovery of any weaknesses in the ISCP</li><li>Verification of recovery procedures</li></ul><h4>Functional Exercises</h4><p>Functional exercises allow personnel to validate their operational readiness for emergencies by performing their duties in a simulated operational environment. Functional exercises are designed to exercise the roles and responsibilities of specific team members, procedures, and assets involved in one or more functional aspects of a plan (e.g., communications, emergency notifications, IT equipment setup). Functional exercises vary in complexity and scope, from validating specific aspects of a plan to full-scale exercises that address all plan elements. 
Functional exercises allow staff to execute their roles and responsibilities as they would in an actual emergency situation, but in a simulated manner.</p><p>A successful Functional Exercise achieves the following goals:</p><ul><li>The ability to continue functional processing in backup mode</li><li>Application/system interdependencies and data flow verification</li><li>Compatibility of data backups with the primary and backup systems</li><li>Data storage and recovery processes</li><li>The ability to extend the system to users at alternate processing and telework sites</li></ul><h4>Selecting the correct exercise for your system</h4><p>The type of exercise selected should reflect the <a href="https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf">FIPS 199 level</a> of the system.</p><ul><li><strong>Low-impact </strong>systems can be tested with a Tabletop Exercise</li><li><strong>Moderate-impact </strong>systems should undergo a Functional Exercise</li><li><strong>High-impact </strong>systems must utilize a full-scale Functional Exercise (also known as a <strong>Technical Exercise</strong>) with system failover to the alternate site if required</li></ul><p><strong>Note:</strong> Actively exercising the system ISCP as part of a larger, coordinated technical exercise of the hosting system satisfies the annual requirement.</p><h2>Developing your ISCP Exercise Plan</h2><p>Developing a realistic and efficient ISCP Exercise is critical to the success of your system's ISCP in the event of an outage. Because ISCP Exercises occur only once or twice a year, it's important that an <strong>ISCP Exercise Plan</strong> is created and reviewed prior to each exercise. This ensures that all information is accurate and relevant, and that all roles on the team remain accurate. The ISCP Exercise Plan is approved by the System/Business Owner prior to the event. 
All exercise plans must include:</p><ul><li>An identified Exercise Facilitator for central management during the exercise</li><li>Observers/Monitors for objective exercise evaluation</li><li>Exercise participants</li><li>Exercise objectives</li><li>Exercise metrics to determine how well objectives were met</li><li>Required materials</li><li>Exercise timeline</li><li>Any assumptions</li><li>Exercise scenario to include scripts and injects</li></ul><h3>ISCP Exercise Plan preparation</h3><p>Before drafting your ISCP Exercise Plan, it's important that each member of the system team has done their part to ensure that the following items have been reviewed for accuracy and completeness.&nbsp;</p><p>Before drafting your system's ISCP Exercise, the <strong>System/Business Owner </strong>must have developed and approved:</p><ul><li>Maximum Tolerable Downtime (MTD) of the function(s) that is/are supported by the system</li><li>Recovery Time Objective (RTO) of the system</li><li>Recovery Point Objective (RPO) of the associated data</li><li>Work Recovery Time (WRT) of the associated functional processes</li><li>An <a href="https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook">up-to-date ISCP</a> for the system</li><li>The type of exercise (Tabletop or Functional) in accordance with guidance from CMS and NIST</li><li>All relevant personnel with recovery responsibilities have been trained&nbsp;</li></ul><p>The system's ISSO will work with the System/Business Owner to complete the tasks above. 
Additionally, <strong>all system team members</strong> must have completed the following tasks before any ISCP Exercise occurs:&nbsp;</p><ul><li>Review the <a href="https://cfacts.cms.gov/apps/ArcherApp/Home.aspx">CFACTS</a> CP control descriptions to ensure the plan as exercised is consistent with existing control requirements and implementation descriptions; if there have been changes to control requirements, you may need to update your approved recovery strategies</li><li>Review the documented information system and business risks for any changes to the business process MTD, threats, vulnerabilities, or likelihood of occurrence for existing threats</li><li>Determine and plan for the necessary logistics and supplies, such as booking conference rooms, setting up Zoom calls, sourcing a white board and markers, or providing note sheets for Data Gatherers</li></ul><h3>Drafting your ISCP Exercise Plan&nbsp;</h3><h4>Set objectives&nbsp;</h4><p>Objectives are brief statements that have measurable outcomes. Measurable outcomes refer to specific and observable results that can be measured using data. They provide a way to track progress and determine the success of a particular activity or project.</p><p>Measurable outcomes are typically expressed in terms of specific goals, targets, or objectives. For example, a measurable outcome for your ISCP Exercise could be to have all system staff trained on new procedures within 90 days. This outcome can be easily measured by tracking successful completion of training within the set time period. 
Objectives should also track:&nbsp;</p><p><strong>Maximum Tolerable Downtime (MTD) - </strong>All ISCP Exercises must ensure all functional MTDs can be met and if not, either adjust the MTD(s) or upgrade the recovery procedures to reduce the amount of time permitted for the RTO.</p><p><strong>Recovery Time Objective (RTO) -</strong> In order to ensure functional recovery, critical systems must be recovered quickly enough to allow for system operations, data loading and validation, and backlog processing. If the system cannot be recovered quickly enough to meet the functional MTD(s) then the recovery strategy must be upgraded to reduce the time required for the RTO.</p><p><strong>Recovery Point Objective (RPO) - </strong>If data recovery and validation are insufficient to support the functional MTD(s) then the data backup strategy must be upgraded to support a more current (shorter) RPO.</p><p><strong>Work Recovery Time (WRT) - </strong>In order to ensure the functional MTD(s) can be met, the time it takes to validate recovered data, update all data to current day and time and clear any transaction backlogs must be addressed. If an exercise determines that the functional MTD cannot be met after the system is recovered within its RTO, and the data is recovered within its RPO, then all recovery strategies may need to be upgraded.</p><p><strong>Validation of response and recovery procedures - </strong>WRT must be validated to ensure that the RTO and the processes necessary to achieve a normal state of functionality to include transactions are properly validated and do not exceed the MTD.</p><p><strong>Verification of call tree information - </strong>Valid names and contact information are needed. 
Corrections to this list should also be made to the plan document.</p><p><strong>Identification of inaccuracies or errors in the ISCP - </strong>Any errors must be identified and corrected.</p><p>Measurable outcomes are important because they help to focus efforts, set clear expectations, and evaluate progress. By defining specific, measurable outcomes, your team can determine whether they are on track to achieve the goals identified in the ISCP Exercise Plan and make adjustments as needed to ensure success.&nbsp;</p><h4>Determine time frame&nbsp;</h4><p>Each ISCP Exercise requires two time-frames: the <strong>actual time </strong>that is set aside for the exercise (normally 1 to 4 hours of active time spread across a number of days) and the <strong>elapsed time</strong>, which is the total number of days required to complete the CP Exercise. The elapsed time must be of sufficient length to encompass the system RTO, data RPO and the MTD of the function that relies on the system being tested.</p><h4>Identify personnel &amp; assign roles&nbsp;</h4><p>Based on the objectives and time frame, determine the personnel who are required to attend your ISCP Exercise. The System/Business Owner should also identify the following individuals with recovery roles in the ISCP:</p><p><strong>Facilitator - </strong>The exercise Facilitator is the System/Business Owner or designee. 
The Facilitator is responsible for:</p><ul><li>Obtaining approval for the ISCP Exercise Plan</li><li>Ensuring all personnel involved with the exercise are notified</li><li>Providing pre-exercise and post-exercise briefings as required</li><li>Conducting the exercise in accordance with the exercise plan</li><li>Developing the After Action Report (AAR)</li></ul><p><strong>Data Gatherers - </strong>The Data Gatherers should be the ISSO, CPC or their designee(s), and other functional experts as appropriate. They are responsible for:</p><ul><li>Reviewing and being familiar with all information and procedures in the ISCP</li><li>Reviewing and being familiar with the business processes that rely on the system to be exercised</li><li>Reviewing and being able to determine, with the participants, when recovery procedures or other information in the ISCP do not meet the requirements of an effective ISCP</li></ul><p><strong>Participants - </strong>Participants are personnel who have recovery responsibilities that are relevant to the scope of the exercise as determined by the Facilitator and approved by the System/Business Owner.</p><p><strong>Note: </strong>If the exercise is a <strong>Technical Exercise</strong>, the System/Business Owner, ISSO, and CPC will also coordinate with appropriate Information Technology (IT) infrastructure personnel for technical recovery expertise.</p><h4>Determine assumptions and limitations</h4><p>Assumptions refer to the beliefs or predictions that the ISCP is based on. For example, an ISCP for a data breach may assume that the organization's data encryption measures are effective or that the attacker's motive is to steal sensitive information. These assumptions help shape the response plan and determine the actions to be taken.</p><p>Limitations refer to the factors that may prevent the contingency plan from being fully effective. 
For example, a contingency plan for a power outage may be limited by the availability of backup generators or the capacity of the electrical grid. It is important to understand these limitations in order to develop a realistic and effective plan.</p><h4>Develop injects&nbsp;</h4><p>Injects are hypothetical scenarios that are introduced into the ISCP Exercise in order to test the plan's effectiveness and identify any potential weaknesses. Injects offer different scenarios that could happen, and the ISCP Exercise participants are responsible for figuring out how to handle those scenarios. By introducing different injects, the team can see how well the plan works and make adjustments if necessary.</p><p>For example, let's say your team is exercising your ISCP for a breach event. You might introduce an inject scenario where the breach is more severe than initially expected, or where backup systems fail. By practicing how they would respond to these scenarios, the team can better prepare for a real emergency. NIST has created the <a href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf">Master Scenario Events List (MSEL)</a>, an outline of the simulated events and key event descriptions that participants will be asked to respond to during an exercise. Your team can reference the MSEL when drafting the ISCP Exercise Plan.&nbsp;</p><h4>Set a date</h4><p>Establish a day-and-time to start your ISCP Exercise. Be sure that all team members with recovery responsibilities are available to participate for the entire duration of the ISCP Exercise. Obtain final approval from the System/Business Owner and the ISSO/CPC.</p><h2>Conducting your ISCP Exercise&nbsp;</h2><p>Once your ISCP Exercise Plan has been completed and approved, your team is ready to conduct your ISCP Exercise. 
A successful ISCP Exercise will have active participation from all team members and identify areas for improvement and result in actions that are taken to improve the ISCP.&nbsp;</p><p>1. Ensure all personnel who have been identified in the ISCP Exercise Plan are present. For any absentees, ensure a viable replacement is present.</p><p>2. Make sure that all personnel have the required information. The Facilitator should have their own copy of the ISCP, the developed ISCP Exercise scenario, prepared injects, and evaluation sheets. Participants should come to the exercise with their own copy of the ISCP. If they do not, this should be recorded as a deficiency/finding.</p><p>3. The Facilitator will kick off the Exercise by presenting the senior participant with the initial inject.</p><p>4. The team will follow the documented ISCP step by step.</p><p>5. As the participants respond to the first inject the Facilitator leads the discussion focusing on the recovery procedures in the ISCP. They will continue this process with each subsequent inject until normal operations are restored to the system within the Exercise and the ISCP Exercise is complete.</p><p>6. Upon conclusion, the Facilitator should have a quick discussion with the Data Gatherers to determine when their notes are due. The team should then immediately begin the process of compiling documentation of the exercise using the <a href="https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook#tabletop-exercise-scenario-template">Tabletop Exercise Scenario Template</a> and <a href="https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook#after-action-report-aar-template">After Action Report (AAR) Template</a>, as well as other documentation required to address any ISCP deficiencies.&nbsp;</p><h2>Post-Exercise activities&nbsp;</h2><p>There are a number of activities that must be completed immediately following your ISCP Exercise. 
The most important of these activities is the <strong>After Action Report (AAR)</strong>. The AAR is a comprehensive review of your completed ISCP Exercise that identifies areas of strength, areas for improvement, and lessons learned. It provides a basis for ongoing refinement of the contingency plan. This helps to ensure that the plan is always up-to-date and effective.</p><p>Teams, led by the System/Business Owner, must complete the following steps after the ISCP Exercise is finished:</p><p>1. Conduct an initial out-brief with all persons identified in the scenario and record any lessons learned in the format provided in <a href="https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook#tabletop-exercise-scenario-template">Tabletop Exercise Scenario Template</a> and <a href="https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook#after-action-report-aar-template">After Action Report (AAR) Template</a>.</p><p>2. Collect all logs and exercise-related documentation from all personnel who participated.</p><p>3. Review all narrative comments.</p><p>4. In the event of a discrepancy between two participants (or data gatherers) giving different results for the same objective, discuss the results with them and, if possible, come to agreement.</p><p>5. When all results conflicts have been resolved, develop the AAR with significant results.</p><p>6. Include in the AAR any recommendations for improvements to any area of the systems recovery plan or overall recovery capability.&nbsp;</p><p>7. Attach the completed Exercise Scenario to the AAR.</p><p>8. Submit the AAR to the Business Owner for review and approval.</p><p>9. Update the ISCP with the exercise results, lessons learned, and any comments provided by the Business Owner.</p><p>10. Update ISCP training materials to reflect necessary changes to the ISCP as a result of the exercise and lessons learned.</p><p>11. 
The System/Business Owner and ISSO create a Plan of Action &amp; Milestones (POA&amp;M) for any weakness or deficiency in the ISCP that cannot be addressed in a timely manner, e.g. prior to the next ISCP testing date. This will identify the vulnerability and plan out the corrective actions necessary to reduce the weakness to an acceptable level.</p><h2>ISCP Exercise roles and responsibilities</h2><p>The following system team members are involved in the ISCP Exercise process:&nbsp;</p><ul><li>System/Business Owner</li><li>Information System Security Officer (ISSO)</li><li>CMS Contingency Plan Coordinator (CPC)</li><li>ISCP Exercise Facilitator</li></ul><p>It is critical that each member of the system team understands their role in the execution of the ISCP, as well as their responsibilities related to ISCP Exercises.&nbsp;</p><h3>System/Business Owners&nbsp;</h3><p>All System/Business Owners are the leaders of the Contingency Planning process. As a result, they are responsible for the following when exercising an ISCP:</p><ul><li>Develop, distribute, and maintain ISCPs&nbsp;</li><li>Ensure each plan under their purview is exercised at least annually</li><li>Ensure a technical test for each system is conducted at least every other year</li><li>Review and correct plan deficiencies discovered during an exercise or outage in a timely manner</li><li>Ensure the annual ISCP Exercise includes an analysis of the identified recovery strategies to ensure recovery strategies take full advantage of all possible cost savings and efficiencies</li><li>Obtain appropriate resourcing to include funding and staffing, for recovery planning requirements</li><li>Ensure all personnel with recovery responsibilities are trained to consider recovery preparedness part of their normal duties</li><li>Determine and manage information system and data backup storage and alternate processing facility agreements</li><li>Ensure a copy of the most current ISCP is maintained at the alternate processing 
location</li></ul><h3>Information System Security Officer (ISSO)</h3><p>ISSOs serve as the partner to the System/Business Owner throughout the ISCP process. During the ISCP Exercise, the ISSO is responsible for:&nbsp;</p><ul><li>Assist the System/Business Owner with training for staff related to the ISCP Exercise&nbsp;</li><li>Assist the System/Business Owner in correcting deficiencies and issues discovered during the ISCP Exercise process&nbsp;</li><li>Review all information and procedures in the ISCP</li><li>Review the business processes that rely on the system to be exercised</li><li>Review and determine, with the exercise participants, when recovery procedures or other information in the ISCP do not meet the requirements of an effective ISCP</li><li>Submit updated ISCP documentation and information to CFACTS&nbsp;</li></ul><h3>Contingency Plan Coordinator (CPC)</h3><p>The CPC assists the System/Business Owner with their CP Exercise efforts. Sometimes the CPC and ISSO roles overlap during the CP Exercise process. Your individual team led by your System/Business Owner will determine the appropriate makeup for your team. During an exercise, the CPC will:</p><ul><li>Oversee and coordinate all CP Exercises</li><li>Oversee and coordinate the recovery-related training and awareness program for all personnel</li><li>Coordinate recovery team staffing with the System/Business Owner, CISO's office, and Emergency Preparedness and Response Operations (EPRO) Office</li><li>Assist ISSOs in event response until it is determined that contingency execution is not warranted</li></ul><h3>CP Exercise Facilitator</h3><p>The CP Exercise Facilitator is a single individual identified in the CP Exercise Plan. The Facilitator is typically the System/Business Owner, but this is not always the case. Sometimes the System/Business Owner may designate another team member to serve as Facilitator. 
The Facilitator is responsible for the following:</p><ul><li>Obtaining approval for the CP Exercise Plan</li><li>Ensuring all personnel involved with the exercise are notified of the exercise and that they are available to participate for however long the exercise is scheduled for</li><li>Providing pre-exercise and post- exercise briefings as required</li><li>Conducting the exercise in accordance with the exercise plan</li><li>Developing the AAR</li></ul><h2>Tabletop Exercise Scenario Template&nbsp;</h2><p>The following template provides placeholder content for a Tabletop Exercise Scenario that you can copy and paste into a document. It is for planning your Tabletop Exercise and summarizing the outcomes. It is signed by the Data Gatherer. It is submitted to the Business Owner as part of the After Action Report (AAR).</p><p><em>Copy and paste the information below into a document to begin planning your Tabletop Exercise.</em></p><h3>Exercise scenario format</h3><p>System:</p><p>Date:</p><p>Type of exercise:</p><p>Person(s) planning the exercise:</p><h3>Exercise Facilitator(s)</h3><p>Facilitator name:</p><p>Facilitator name:</p><h3>Exercise Data Gatherer(s)</h3><p>Data Gatherer name:</p><p>Data Gatherer name:</p><h3>Exercise participants</h3><p>Participant name and role:</p><p>Participant name and role:</p><p>Participant name and role:</p><p>(add more as needed)</p><h3>Timelines</h3><p>Actual exercise time:</p><p>Exercise (simulated) time:</p><h3>Exercise objectives</h3><p>Objective 1:</p><p>Objective 2:</p><p>Objective 3:</p><p>(add more as needed)</p><h3>Exercise scenario</h3><p>Incident:</p><p>Impact to system(s):</p><p>Impact to operation(s):</p><h3>Required supplies and documentation</h3><p>List supplies and documentation that will be needed for the exercise.</p><ul><li>Item</li><li>Item</li><li>Item</li><li>Add more as needed</li></ul><h3>Assumptions</h3><p>Assumption 1:</p><p>Assumption 2:</p><p>Assumption 3:</p><p>(add more as needed)</p><h3>Lessons 
Learned</h3><p>(Use this space to summarize the lessons learned from conducting the Tabletop Exercise.)</p><h3>Objective fulfillment</h3><p><em>(Use this space to summarize whether objectives were met, and to provide details.)</em></p><ul><li>Objective 1 was / was not met. Specifically:</li><li>Objective 2 was / was not met. Specifically:</li><li>Objective 3 was / was not met. Specifically:</li><li>(add more as needed)</li></ul><h3>Evaluation sheet</h3><p>Objective 1: (re-state the objective here)</p><p>Comments:</p><p>Objective 2: (re-state the objective here)</p><p>Comments:</p><p>Objective 3: (re-state the objective here)</p><p>Comments:</p><h3>Signature</h3><p>&nbsp;</p><p>_____________________________________</p><p>Data Gatherer's name&nbsp;<br>&nbsp;</p><p>_____________________________________</p><p>Data Gatherer's signature and date</p><h2>After Action Report (AAR) Template</h2><p>The following template provides placeholder content that you can copy and paste into a document to create your <strong>After Action Report (AAR)</strong>. This is a comprehensive review of your completed CP Exercise that identifies areas of strength, areas for improvement, and lessons learned.</p><p><em>Copy and paste the information below into a document to begin your After Action Report. 
Then modify the details for your specific CP Exercise.</em></p><h3>Introduction</h3><p>A Tabletop Exercise was conducted for the &lt;System Name (system acronym)<em>&gt;</em> Information System Contingency Plan (CP) on &lt;date&gt;.&nbsp;</p><h3>Participants</h3><p>The participants and their assigned roles are listed below.</p><p><strong>Exercise Facilitator </strong>(Facilitates the CP Exercise and develops the AAR)</p><p>Name:</p><p>Organization:</p><p>Phone:</p><p><strong>CP Coordinator</strong> (Ensures accurate damage assessment and system recovery)</p><p>Name:</p><p>Organization:</p><p>Phone:</p><p><strong>Exercise Data Gatherer</strong> (Determines whether recovery procedures meet the requirements of an effective CP)</p><p>Name:</p><p>Organization:</p><p>Phone:</p><p><strong>Recovery Management Team Member</strong> (Ensures accurate damage assessment and system recovery)</p><p>Name:</p><p>Organization:</p><p>Phone:</p><p><strong>&lt;System Name&gt; Technical Lead</strong> (Ensures system is recovered to trusted state and verifies all processing and data integrity)</p><p>Name:</p><p>Organization:</p><p>Phone:</p><h3>Scenario</h3><p>The CP tabletop exercise was conducted in accordance with the &lt;System Name&gt; CP Exercise Plan, dated &lt;date&gt;. 
The exercise plan was developed around the following scenario:</p><p>&lt;Synopsis of the scenario&gt;</p><p>The exercise was developed to determine the following objectives:</p><ul><li>Determine weaknesses in the Contingency Plan</li><li>Objective 2</li><li>Objective 3</li><li>&lt;Add additional objectives as necessary&gt;</li></ul><p>The CP exercise evaluated the status of contingency planning for the system and provided a forum for identifying outdated contingency planning information and for providing updates as required. The exercise plan and detailed results are contained in the Appendix to this report.</p><h3>Summary of Exercise Results</h3><p>Significant results from the exercise were:</p><ul><li>&lt;Result one&gt;</li><li>&lt;Result two&gt;</li><li>&lt;Result three&gt;</li><li>&lt;Add additional results as necessary&gt;</li></ul><h3>Recommendations</h3><p>The following recommendations are provided as a result of the exercise:</p><ul><li>&lt;Recommendation one&gt;</li><li>&lt;Recommendation two&gt;</li><li>&lt;Recommendation three&gt;</li><li>&lt;Add additional recommendations as necessary&gt;</li></ul><h3>Signature</h3><p>&nbsp;</p><p>_____________________________________</p><p>Facilitator's name and date</p><p>&nbsp;</p><p>_____________________________________</p><p>Approved by and date</p><p>&nbsp;</p><p>_____________________________________</p><p>System/Business Owner's name and date</p><p>&lt;System Acronym&gt; System/Business Owner, &lt;title&gt;</p><p><em>Following this report, insert Appendix material as necessary (such as the exercise plan and any supporting documentation.)</em></p></div></section></div></div></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accountability Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO 
Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 
Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization 
(OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero 
Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident 
Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice 
(SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accountability Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 
Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row 
grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock 
icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not 
found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[3055,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"907\",\"static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js\"],\"default\"]\n18:T888b,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eContingency Planning at CMS\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eContingency planning at the Center for Medicare and Medicaid Services (CMS) is essential for protecting the organization from potential risks and ensuring the continuity of its operations. An \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook\"\u003eInformation System Contingency Plan (ISCP)\u003c/a\u003e is the cornerstone document of contingency planning for information systems, and every CMS FISMA system must have one in place. The ISCP provides a framework for responding to and mitigating the effects of unexpected events, such as natural disasters, data breaches, and public health crises.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISCPs outline risk management strategies, such as crisis management protocols, data backup and recovery procedures, business continuity plans, and roles and responsibilities. 
The plans generally include one or more of the following approaches to restore disrupted services:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRestoring information systems using alternate equipment in case of an equipment failure\u003c/li\u003e\u003cli\u003eAlternate data processing means\u0026nbsp;\u003c/li\u003e\u003cli\u003eAlternate location(s) in case of a natural disaster\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eContingency planning also involves establishing clear communication channels between CMS and its stakeholders, such as healthcare providers, patients, and the general public. By being prepared for potential risks, CMS can ensure that its operations remain uninterrupted and that its stakeholders are kept informed of any changes. CMS utilizes guidance provided by the \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNational Institute of Standards and Technology (NIST) SP 800-53\u003c/a\u003e and the Federal Information Security Modernization Act (FISMA) to inform its internal contingency planning process.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eISCP Testing, Training and Exercise (TT\u0026amp;E)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSystem/Business Owners are required to schedule and perform \u003cstrong\u003eTesting, Training, and Exercise (TT\u0026amp;E)\u003c/strong\u003e for their ISCPs annually. They must also oversee the development and completion of corrective action plans for vulnerabilities noted during the testing. Exercising an ISCP ensures that in the event of a system failure, the system team is prepared to take the steps necessary to protect security and privacy.\u0026nbsp;\u003c/p\u003e\u003cp\u003eTo make sure that CMS FISMA systems can recover from outages or issues, it's important that everyone knows what they need to do, has been trained on how to fix problems, and that those solutions are tested to make sure they actually work. 
Therefore, every System/Business Owner and Information System Security Officer (ISSO) will implement a robust TT\u0026amp;E program for contingency planning. Your system's impact level will determine the specific requirements of your TT\u0026amp;E program. As you develop and complete your TT\u0026amp;E, you will also need to update your ISCP as new information becomes available and changes to your system occur.\u0026nbsp;\u003c/p\u003e\u003cp\u003eA successful TT\u0026amp;E program should include several types of events to ensure the availability of a wide range of methods for validating various planning elements in the context of cyber incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTests\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTests are evaluation tools that use quantifiable metrics to ensure that a FISMA system or system component is functioning properly. A test is conducted in as close to an operational environment as possible; if feasible, an actual test of the components or systems used to conduct daily operations for the organization should be used. The scope of testing can range from individual system components or systems to comprehensive tests of all systems and components that support the ISCP. Tests often focus on recovery and backup operations; however, testing varies depending on the goal of the test and its relation to a specific plan.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTraining\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTraining allows personnel to understand their roles and responsibilities within a system's ISCP. Training opportunities teach staff skills such as decision-making and offer information about best practices. It prepares them for participation in exercises, tests, and actual emergency situations related to the ISCP. 
Training is typically split between a presentation on roles and responsibilities, and activities that allow personnel to demonstrate their understanding of the subject matter.\u003c/p\u003e\u003cp\u003eAll training should be coordinated by and centrally documented with the ISSO. Training must include, but is not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency response best practices\u003c/li\u003e\u003cli\u003eDisaster declaration criteria and declaration authorities\u003c/li\u003e\u003cli\u003eFunctional recovery prioritizations and Recovery Time Objectives (RTOs) of interdependent systems\u003c/li\u003e\u003cli\u003eValidation of the approved recovery strategies and strategy implementation\u003c/li\u003e\u003cli\u003eVerification of ISCP implementation procedures\u003c/li\u003e\u003cli\u003eValidation of recovery personnel assignments, roles and responsibilities\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISCP Coordinators must develop a training program for all personnel assigned to recovery responsibilities within the ISCP. Training must be provided within 90 days of assignment to recovery responsibilities with refresher training conducted at least annually thereafter.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eExercises\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAn exercise is a simulation of an emergency designed to validate the viability of one or more aspects of an ISCP. In an exercise, personnel with roles and responsibilities within the ISCP meet to validate the content of the plan through discussion of their roles and their responses to emergency situations, execution of responses in a simulated operational environment, or other means of validating responses that do not involve using the actual operational environment. 
Exercises are scenario-driven, such as a power failure in one of the organization's data centers or a fire causing certain systems to be damaged, with additional situations often being presented during the course of an exercise.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe purpose of exercising an ISCP is to identify and fix deficiencies in the system itself and the overall planning process. ISCPs are not exercised to test the technical competence of personnel with recovery responsibilities. Exercises do serve as training for personnel who will be called upon to execute the ISCP in the event of a system outage. Exercises should include the following areas:\u003c/p\u003e\u003cul\u003e\u003cli\u003eNotification and escalation procedures\u003c/li\u003e\u003cli\u003eSystem recovery on an alternate platform from backup media\u003c/li\u003e\u003cli\u003eInternal and external connectivity\u003c/li\u003e\u003cli\u003eActual operational functional support from the recovered system\u003c/li\u003e\u003cli\u003eSystem restoration\u003c/li\u003e\u003cli\u003eSmooth resumption of normal operations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAt CMS, there are two main types of exercises used to validate ISCPs:\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eTabletop Exercises\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eTabletop exercises are discussion-based exercises where personnel meet in a classroom setting or in breakout groups to discuss their roles during an emergency and their responses to a particular emergency situation. A Facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. 
A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe primary goals of a successful Tabletop Exercise are:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eValidation of \u003cstrong\u003eRecovery Time Objectives (RTOs)\u003c/strong\u003e and functional \u003cstrong\u003eMaximum Tolerable Downtimes (MTDs)\u003c/strong\u003e\u003c/li\u003e\u003cli\u003eValidation of response and recovery procedures\u003c/li\u003e\u003cli\u003eGuidelines and procedures for coordinated, timely, and effective response and recovery\u003c/li\u003e\u003cli\u003eCall tree information verification\u003c/li\u003e\u003cli\u003eDiscovery of any weaknesses in the ISCP\u003c/li\u003e\u003cli\u003eVerification of recovery procedures\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eFunctional Exercises\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eFunctional exercises allow personnel to validate their operational readiness for emergencies by performing their duties in a simulated operational environment. Functional exercises are designed to exercise the roles and responsibilities of specific team members, procedures, and assets involved in one or more functional aspects of a plan (e.g., communications, emergency notifications, IT equipment setup). Functional exercises vary in complexity and scope, from validating specific aspects of a plan to full-scale exercises that address all plan elements. 
Functional exercises allow staff to execute their roles and responsibilities as they would in an actual emergency situation, but in a simulated manner.\u003c/p\u003e\u003cp\u003eA successful Functional Exercise achieves the following goals:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ability to continue functional processing in backup mode\u003c/li\u003e\u003cli\u003eApplication/system interdependencies and data flow verification\u003c/li\u003e\u003cli\u003eCompatibility of data backups with the primary and backup systems\u003c/li\u003e\u003cli\u003eData storage and recovery processes\u003c/li\u003e\u003cli\u003eThe ability to extend the system to users at alternate processing and telework sites\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSelecting the correct exercise for your system\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe type of exercise selected should reflect the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFIPS 199 level\u003c/a\u003e of the system.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eLow-impact \u003c/strong\u003esystems can be tested with a Tabletop Exercise\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eModerate-impact \u003c/strong\u003esystems should undergo a Functional Exercise\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eHigh-impact \u003c/strong\u003esystems must utilize a full-scale Functional Exercise (also known as a \u003cstrong\u003eTechnical Exercise\u003c/strong\u003e)\u0026nbsp; with system failover to the alternate site if required\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eNote:\u003c/strong\u003e Actively exercising the system ISCP as part of a larger, coordinated technical exercise of the hosting system satisfies the annual requirement.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eDeveloping your ISCP Exercise Plan\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eDeveloping a realistic and efficient ISCP Exercise is critical to the success 
of your system's ISCP in the event of an outage. Because ISCP Exercises occur only once or twice a year, it's important that an \u003cstrong\u003eISCP Exercise Plan\u003c/strong\u003e is created and reviewed prior to each exercise. This ensures that all information is accurate and relevant, and that all roles on the team remain accurate. The ISCP Exercise Plan is approved by the System/Business Owner prior to the event. All exercise plans must include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAn identified Exercise Facilitator for central management during the exercise\u003c/li\u003e\u003cli\u003eObservers/Monitors for objective exercise evaluation\u003c/li\u003e\u003cli\u003eExercise participants\u003c/li\u003e\u003cli\u003eExercise objectives\u003c/li\u003e\u003cli\u003eExercise metrics to determine how well objectives were met\u003c/li\u003e\u003cli\u003eRequired materials\u003c/li\u003e\u003cli\u003eExercise timeline\u003c/li\u003e\u003cli\u003eAny assumptions\u003c/li\u003e\u003cli\u003eExercise scenario, including scripts and injects\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eISCP Exercise Plan preparation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBefore drafting your ISCP Exercise Plan, it's important that each member of the system team has done their part to ensure that the following items have been reviewed for accuracy and completeness.\u0026nbsp;\u003c/p\u003e\u003cp\u003eBefore drafting your system's ISCP Exercise, the \u003cstrong\u003eSystem/Business Owner \u003c/strong\u003emust have developed and approved:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaximum Tolerable Downtime (MTD) of the function(s) that is/are supported by the system\u003c/li\u003e\u003cli\u003eRecovery Time Objective (RTO) of the system\u003c/li\u003e\u003cli\u003eRecovery Point Objective (RPO) of the associated data\u003c/li\u003e\u003cli\u003eWork Recovery Time (WRT) of the associated functional processes\u003c/li\u003e\u003cli\u003eAn \u003ca 
href=\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook\"\u003eup-to-date ISCP\u003c/a\u003e for the system\u003c/li\u003e\u003cli\u003eThe type of exercise (Tabletop or Functional) in accordance with guidance from CMS and NIST\u003c/li\u003e\u003cli\u003eAll relevant personnel with recovery responsibilities have been trained\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe system's ISSO will work with the System/Business Owner to complete the tasks above. Additionally, \u003cstrong\u003eall system team members\u003c/strong\u003e must have completed the following tasks before any ISCP Exercise occurs:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview the \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCFACTS\u003c/a\u003e CP control descriptions to ensure the plan as exercised is consistent with existing control requirements and implementation descriptions; if there have been changes to control requirements, you may need to update your approved recovery strategies\u003c/li\u003e\u003cli\u003eReview the documented information system and business risks for any changes to the business process MTD, threats, vulnerabilities, or likelihood of occurrence for existing threats\u003c/li\u003e\u003cli\u003eDetermine and plan for the necessary logistics and supplies, such as booking conference rooms, setting up Zoom calls, sourcing a whiteboard and markers, or providing note sheets for Data Gatherers\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eDrafting your ISCP Exercise Plan\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eSet objectives\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eObjectives are brief statements that have measurable outcomes. Measurable outcomes refer to specific and observable results that can be measured using data. 
They provide a way to track progress and determine the success of a particular activity or project.\u003c/p\u003e\u003cp\u003eMeasurable outcomes are typically expressed in terms of specific goals, targets, or objectives. For example, a measurable outcome for your ISCP Exercise could be to have all system staff trained on new procedures within 90 days. This outcome can be easily measured by tracking successful completion of training within the set time period. Objectives should also track:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMaximum Tolerable Downtime (MTD) - \u003c/strong\u003eAll ISCP Exercises must ensure all functional MTDs can be met and if not, either adjust the MTD(s) or upgrade the recovery procedures to reduce the amount of time permitted for the RTO.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecovery Time Objective (RTO) -\u003c/strong\u003e In order to ensure functional recovery, critical systems must be recovered quickly enough to allow for system operations, data loading and validation, and backlog processing. 
If the system cannot be recovered quickly enough to meet the functional MTD(s) then the recovery strategy must be upgraded to reduce the time required for the RTO.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecovery Point Objective (RPO) - \u003c/strong\u003eIf data recovery and validation are insufficient to support the functional MTD(s) then the data backup strategy must be upgraded to support a more current (shorter) RPO.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWork Recovery Time (WRT) - \u003c/strong\u003eIn order to ensure the functional MTD(s) can be met, the time it takes to validate recovered data, update all data to the current day and time, and clear any transaction backlogs must be addressed. If an exercise determines that the functional MTD cannot be met after the system is recovered within its RTO, and the data is recovered within its RPO, then all recovery strategies may need to be upgraded.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eValidation of response and recovery procedures - \u003c/strong\u003eWRT must be validated to ensure that the RTO and the processes necessary to achieve a normal state of functionality, including transactions, are properly validated and do not exceed the MTD.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVerification of call tree information - \u003c/strong\u003eValid names and contact information are needed. Corrections to this list should also be made to the plan document.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIdentification of inaccuracies or errors in the ISCP - \u003c/strong\u003eAny errors must be identified and corrected.\u003c/p\u003e\u003cp\u003eMeasurable outcomes are important because they help to focus efforts, set clear expectations, and evaluate progress. 
By defining specific, measurable outcomes, your team can determine whether they are on track to achieve the goals identified in the ISCP Exercise Plan and make adjustments as needed to ensure success.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eDetermine time frame\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eEach ISCP Exercise requires two time frames: the \u003cstrong\u003eactual time \u003c/strong\u003ethat is set aside for the exercise (normally 1 to 4 hours of active time spread across a number of days) and the \u003cstrong\u003eelapsed time\u003c/strong\u003e, which is the total number of days required to complete the ISCP Exercise. The elapsed time must be of sufficient length to encompass the system RTO, data RPO and the MTD of the function that relies on the system being tested.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIdentify personnel \u0026amp; assign roles\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eBased on the objectives and time frame, determine the personnel who are required to attend your ISCP Exercise. The System/Business Owner should also identify the following individuals with recovery roles in the ISCP:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFacilitator \u003c/strong\u003eThe exercise Facilitator is the System/Business Owner or designee. 
The Facilitator is responsible for:\u003c/p\u003e\u003cul\u003e\u003cli\u003eObtaining approval for the ISCP Exercise Plan\u003c/li\u003e\u003cli\u003eEnsuring all personnel involved with the exercise are notified\u003c/li\u003e\u003cli\u003eProviding pre-exercise and post-exercise briefings as required\u003c/li\u003e\u003cli\u003eConducting the exercise in accordance with the exercise plan\u003c/li\u003e\u003cli\u003eDeveloping the AAR\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eData Gatherers \u003c/strong\u003e The Data Gatherers should be the ISSO, CPC or their designee(s), and other functional experts as appropriate.\u0026nbsp; They are responsible for:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReviewing and being familiar with all information and procedures in the ISCP\u003c/li\u003e\u003cli\u003eReviewing and being familiar with the business processes that rely on the system to be exercised\u003c/li\u003e\u003cli\u003eReviewing and being able to determine, with the participants, when recovery procedures or other information in the ISCP do not meet the requirements of an effective ISCP\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eParticipants \u003c/strong\u003eParticipants are personnel who have recovery responsibilities that are relevant to the scope of the exercise as determined by the Facilitator and approved by the System/Business Owner.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNote: \u003c/strong\u003eIf the exercise is a \u003cstrong\u003eTechnical Exercise\u003c/strong\u003e, the System/Business Owner, ISSO, and CPC will also coordinate with appropriate Information Technology (IT) infrastructure personnel for technical recovery expertise.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eDetermine assumptions and limitations\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAssumptions refer to the beliefs or predictions that the ISCP is based on. 
For example, an ISCP for a data breach may assume that the organization's data encryption measures are effective or that the attacker's motive is to steal sensitive information. These assumptions help shape the response plan and determine the actions to be taken.\u003c/p\u003e\u003cp\u003eLimitations refer to the factors that may prevent the contingency plan from being fully effective. For example, a contingency plan for a power outage may be limited by the availability of backup generators or the capacity of the electrical grid. It is important to understand these limitations in order to develop a realistic and effective plan.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eDevelop injects\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eInjects are hypothetical scenarios that are introduced into the ISCP Exercise in order to test the plan's effectiveness and identify any potential weaknesses. Injects offer different scenarios that could happen, and the ISCP Exercise participants are responsible for figuring out how to handle those scenarios. By introducing different injects, the team can see how well the plan works and make adjustments if necessary.\u003c/p\u003e\u003cp\u003eFor example, let's say your team is exercising your ISCP for a breach event. You might introduce an inject scenario where the breach is more severe than initially expected, or where backup systems fail. By practicing how they would respond to these scenarios, the team can better prepare for a real emergency. NIST has created the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf\"\u003eMaster Scenario Events List (MSEL)\u003c/a\u003e, an outline of the simulated events and key event descriptions that participants will be asked to respond to during an exercise. 
Your team can reference the MSEL when drafting the ISCP Exercise Plan.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSet a date\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eEstablish a day-and-time to start your ISCP Exercise. Be sure that all team members with recovery responsibilities are available to participate for the entire duration of the ISCP Exercise. Obtain final approval from the System/Business Owner and the ISSO/CPC.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eConducting your ISCP Exercise\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eOnce your ISCP Exercise Plan has been completed and approved, your team is ready to conduct your ISCP Exercise. A successful ISCP Exercise will have active participation from all team members and identify areas for improvement and result in actions that are taken to improve the ISCP.\u0026nbsp;\u003c/p\u003e\u003cp\u003e1. Ensure all personnel who have been identified in the ISCP Exercise Plan are present. For any absentees, ensure a viable replacement is present.\u003c/p\u003e\u003cp\u003e2. Make sure that all personnel have the required information. The Facilitator should have their own copy of the ISCP, the developed ISCP Exercise scenario, prepared injects, and evaluation sheets. Participants should come to the exercise with their own copy of the ISCP. If they do not, this should be recorded as a deficiency/finding.\u003c/p\u003e\u003cp\u003e3. The Facilitator will kick off the Exercise by presenting the senior participant with the initial inject.\u003c/p\u003e\u003cp\u003e4. The team will follow the documented ISCP step by step.\u003c/p\u003e\u003cp\u003e5. As the participants respond to the first inject the Facilitator leads the discussion focusing on the recovery procedures in the ISCP. They will continue this process with each subsequent inject until normal operations are restored to the system within the Exercise and the ISCP Exercise is complete.\u003c/p\u003e\u003cp\u003e6. 
Upon conclusion, the Facilitator should have a quick discussion with the Data Gatherers to determine when their notes are due. The team should then immediately begin the process of compiling documentation of the exercise using the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook#tabletop-exercise-scenario-template\"\u003eTabletop Exercise Scenario Template\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook#after-action-report-aar-template\"\u003eAfter Action Report (AAR) Template\u003c/a\u003e, as well as other documentation required to address any ISCP deficiencies.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePost-Exercise activities\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThere are a number of activities that must be completed immediately following your ISCP Exercise. The most important of these activities is the \u003cstrong\u003eAfter Action Report (AAR)\u003c/strong\u003e. The AAR is a comprehensive review of your completed ISCP Exercise that identifies areas of strength, areas for improvement, and lessons learned. It provides a basis for ongoing refinement of the contingency plan. This helps to ensure that the plan is always up-to-date and effective.\u003c/p\u003e\u003cp\u003eTeams, led by the System/Business Owner, must complete the following steps after the ISCP Exercise is finished:\u003c/p\u003e\u003cp\u003e1. 
Conduct an initial out-brief with all persons identified in the scenario and record any lessons learned in the format provided in \u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook#tabletop-exercise-scenario-template\"\u003eTabletop Exercise Scenario Template\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook#after-action-report-aar-template\"\u003eAfter Action Report (AAR) Template\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e2. Collect all logs and exercise-related documentation from all personnel who participated.\u003c/p\u003e\u003cp\u003e3. Review all narrative comments.\u003c/p\u003e\u003cp\u003e4. In the event of a discrepancy between two participants (or data gatherers) giving different results for the same objective, discuss the results with them and, if possible, come to agreement.\u003c/p\u003e\u003cp\u003e5. When all results conflicts have been resolved, develop the AAR with significant results.\u003c/p\u003e\u003cp\u003e6. Include in the AAR any recommendations for improvements to any area of the systems recovery plan or overall recovery capability.\u0026nbsp;\u003c/p\u003e\u003cp\u003e7. Attach the completed Exercise Scenario to the AAR.\u003c/p\u003e\u003cp\u003e8. Submit the AAR to the Business Owner for review and approval.\u003c/p\u003e\u003cp\u003e9. Update the ISCP with the exercise results, lessons learned, and any comments provided by the Business Owner.\u003c/p\u003e\u003cp\u003e10. Update ISCP training materials to reflect necessary changes to the ISCP as a result of the exercise and lessons learned.\u003c/p\u003e\u003cp\u003e11. The System/Business Owner and ISSO create a Plan of Action \u0026amp; Milestones (POA\u0026amp;M) for any weakness or deficiency in the ISCP that cannot be addressed in a timely manner, e.g. prior to the next ISCP testing date. 
This will identify the vulnerability and plan out the corrective actions necessary to reduce the weakness to an acceptable level.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eISCP Exercise roles and responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe following system team members are involved in the ISCP Exercise process:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem/Business Owner\u003c/li\u003e\u003cli\u003eInformation System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003eCMS Contingency Plan Coordinator (CPC)\u003c/li\u003e\u003cli\u003eISCP Exercise Facilitator\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIt is critical that each member of the system team understands their role in the execution of the ISCP, as well as their responsibilities related to ISCP Exercises.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem/Business Owners\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll System/Business Owners are the leaders of the Contingency Planning process. 
As a result, they are responsible for the following when exercising an ISCP:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop, distribute, and maintain ISCPs\u0026nbsp;\u003c/li\u003e\u003cli\u003eEnsure each plan under their purview is exercised at least annually\u003c/li\u003e\u003cli\u003eEnsure a technical test for each system is conducted at least every other year\u003c/li\u003e\u003cli\u003eReview and correct plan deficiencies discovered during an exercise or outage in a timely manner\u003c/li\u003e\u003cli\u003eEnsure the annual ISCP Exercise includes an analysis of the identified recovery strategies to ensure recovery strategies take full advantage of all possible cost savings and efficiencies\u003c/li\u003e\u003cli\u003eObtain appropriate resourcing to include funding and staffing, for recovery planning requirements\u003c/li\u003e\u003cli\u003eEnsure all personnel with recovery responsibilities are trained to consider recovery preparedness part of their normal duties\u003c/li\u003e\u003cli\u003eDetermine and manage information system and data backup storage and alternate processing facility agreements\u003c/li\u003e\u003cli\u003eEnsure a copy of the most current ISCP is maintained at the alternate processing location\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eISSOs serve as the partner to the System/Business Owner throughout the ISCP process. 
During the ISCP Exercise, the ISSO is responsible for:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAssist the System/Business Owner with training for staff related to the ISCP Exercise\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssist the System/Business Owner in correcting deficiencies and issues discovered during the ISCP Exercise process\u0026nbsp;\u003c/li\u003e\u003cli\u003eReview\u0026nbsp;all information and procedures in the ISCP\u003c/li\u003e\u003cli\u003eReview the business processes that rely on the system to be exercised\u003c/li\u003e\u003cli\u003eReview and determine, with the exercise participants, when recovery procedures or other information in the ISCP do not meet the requirements of an effective ISCP\u003c/li\u003e\u003cli\u003eSubmit updated ISCP documentation and information to CFACTS\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eContingency Plan Coordinator (CPC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CPC assists the System/Business Owner with their CP Exercise efforts. Sometimes the CPC and ISSO roles overlap during the CP Exercise process. Your individual team led by your System/Business Owner will determine the appropriate makeup for your team. 
During an exercise, the CPC will:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOversee and coordinate all CP Exercises\u003c/li\u003e\u003cli\u003eOversee and coordinate the recovery-related training and awareness program for all personnel\u003c/li\u003e\u003cli\u003eCoordinate recovery team staffing with the System/Business Owner, CISO's office, and Emergency Preparedness and Response Operations (EPRO) Office\u003c/li\u003e\u003cli\u003eAssist ISSOs in event response until it is determined that contingency execution is not warranted\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCP Exercise Facilitator\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CP Exercise Facilitator is a single individual identified in the CP Exercise Plan. The Facilitator is typically the System/Business Owner, but this is not always the case. Sometimes the System/Business Owner may designate another team member to serve as Facilitator. The Facilitator is responsible for the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eObtaining approval for the CP Exercise Plan\u003c/li\u003e\u003cli\u003eEnsuring all personnel involved with the exercise are notified of the exercise and that they are available to participate for however long the exercise is scheduled for\u003c/li\u003e\u003cli\u003eProviding pre-exercise and post-exercise briefings as required\u003c/li\u003e\u003cli\u003eConducting the exercise in accordance with the exercise plan\u003c/li\u003e\u003cli\u003eDeveloping the AAR\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eTabletop Exercise Scenario Template\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe following template provides placeholder content for a Tabletop Exercise Scenario that you can copy and paste into a document. It is for planning your Tabletop Exercise and summarizing the outcomes. It is signed by the Data Gatherer. 
It is submitted to the Business Owner as part of the After Action Report (AAR).\u003c/p\u003e\u003cp\u003e\u003cem\u003eCopy and paste the information below into a document to begin planning your Tabletop Exercise.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003eExercise scenario format\u003c/h3\u003e\u003cp\u003eSystem:\u003c/p\u003e\u003cp\u003eDate:\u003c/p\u003e\u003cp\u003eType of exercise:\u003c/p\u003e\u003cp\u003ePerson(s) planning the exercise:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eExercise Facilitator(s)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFacilitator name:\u003c/p\u003e\u003cp\u003eFacilitator name:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eExercise Data Gatherer(s)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eData Gatherer name:\u003c/p\u003e\u003cp\u003eData Gatherer name:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eExercise participants\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eParticipant name and role:\u003c/p\u003e\u003cp\u003eParticipant name and role:\u003c/p\u003e\u003cp\u003eParticipant name and role:\u003c/p\u003e\u003cp\u003e(add more as needed)\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTimelines\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eActual exercise time:\u003c/p\u003e\u003cp\u003eExercise (simulated) time:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eExercise objectives\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eObjective 1:\u003c/p\u003e\u003cp\u003eObjective 2:\u003c/p\u003e\u003cp\u003eObjective 3:\u003c/p\u003e\u003cp\u003e(add more as needed)\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eExercise scenario\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIncident:\u003c/p\u003e\u003cp\u003eImpact to system(s):\u003c/p\u003e\u003cp\u003eImpact to operation(s):\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRequired supplies and documentation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eList supplies and documentation that will be needed for the 
exercise.\u003c/p\u003e\u003cul\u003e\u003cli\u003eItem\u003c/li\u003e\u003cli\u003eItem\u003c/li\u003e\u003cli\u003eItem\u003c/li\u003e\u003cli\u003eAdd more as needed\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAssumptions\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAssumption 1:\u003c/p\u003e\u003cp\u003eAssumption 2:\u003c/p\u003e\u003cp\u003eAssumption 3:\u003c/p\u003e\u003cp\u003e(add more as needed)\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eLessons Learned\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e(Use this space to summarize the lessons learned from conducting the Tabletop Exercise.)\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eObjective fulfillment\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cem\u003e(Use this space to summarize whether objectives were met, and to provide details.)\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eObjective 1 was / was not met. Specifically;\u003c/li\u003e\u003cli\u003eObjective 2 was / was not met. Specifically;\u003c/li\u003e\u003cli\u003eObjective 3 was / was not met. 
Specifically;\u003c/li\u003e\u003cli\u003e(add more as needed)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eEvaluation sheet\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eObjective 1: (re-state the objective here)\u003c/p\u003e\u003cp\u003eComments:\u003c/p\u003e\u003cp\u003eObjective 2: (re-state the objective here)\u003c/p\u003e\u003cp\u003eComments:\u003c/p\u003e\u003cp\u003eObjective 3: (re-state the objective here)\u003c/p\u003e\u003cp\u003eComments:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSignature\u003c/strong\u003e\u003c/h3\u003e\u003ch3\u003e\u0026nbsp;\u003c/h3\u003e\u003cp\u003e_____________________________________\u003c/p\u003e\u003cp\u003eData Gatherers name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e_____________________________________\u003c/p\u003e\u003cp\u003eData Gatherers signature and date\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAfter Action Report (AAR) Template\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe following template provides placeholder content that you can copy and paste into a document to create your \u003cstrong\u003eAfter Action Report (AAR)\u003c/strong\u003e. This is a comprehensive review of your completed CP Exercise that identifies areas of strength, areas for improvement, and lessons learned.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCopy and paste the information below into a document to begin your After Action Report. 
Then modify the details for your specific CP Exercise.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA Tabletop Exercise was conducted for the \u0026lt;System Name (system acronym)\u003cem\u003e\u0026gt;\u003c/em\u003e Information System Contingency Plan (CP) on \u0026lt;date\u0026gt;.\u0026nbsp;\u003c/p\u003e\u003ch3\u003eParticipants\u003c/h3\u003e\u003cp\u003eThe participants and their assigned roles are listed below.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eExercise Facilitator \u003c/strong\u003e(Facilitates the CP Exercise and develops the AAR)\u003c/p\u003e\u003cp\u003eName:\u003c/p\u003e\u003cp\u003eOrganization:\u003c/p\u003e\u003cp\u003ePhone:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCP Coordinator\u003c/strong\u003e (Ensures accurate damage assessment and system recovery)\u003c/p\u003e\u003cp\u003eName:\u003c/p\u003e\u003cp\u003eOrganization:\u003c/p\u003e\u003cp\u003ePhone:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eExercise Data Gatherer\u003c/strong\u003e (Determines whether recovery procedures meet the requirements of an effective CP)\u003c/p\u003e\u003cp\u003eName:\u003c/p\u003e\u003cp\u003eOrganization:\u003c/p\u003e\u003cp\u003ePhone:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecovery Management Team Member\u003c/strong\u003e (Ensures accurate damage assessment and system recovery)\u003c/p\u003e\u003cp\u003eName:\u003c/p\u003e\u003cp\u003eOrganization:\u003c/p\u003e\u003cp\u003ePhone:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;System Name\u0026gt; Technical Lead\u003c/strong\u003e (Ensures system is recovered to trusted state and verifies all processing and data integrity)\u003c/p\u003e\u003cp\u003eName:\u003c/p\u003e\u003cp\u003eOrganization:\u003c/p\u003e\u003cp\u003ePhone:\u003c/p\u003e\u003ch3\u003eScenario\u003c/h3\u003e\u003cp\u003eThe CP tabletop exercise was conducted in accordance with the \u0026lt;System Name\u0026gt; CP Exercise Plan, dated 
\u0026lt;date\u0026gt;. The exercise plan was developed around the following scenario:\u003c/p\u003e\u003cp\u003e\u0026lt;Synopsis of the scenario\u0026gt;\u003c/p\u003e\u003cp\u003eThe exercise was developed to determine the following objectives:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDetermine weaknesses in the Contingency Plan\u003c/li\u003e\u003cli\u003eObjective 2\u003c/li\u003e\u003cli\u003eObjective 3\u003c/li\u003e\u003cli\u003e\u0026lt;Add additional objectives as necessary\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CP exercise evaluated the status of contingency planning for the system and provided a forum for identifying outdated contingency planning information and for providing updates as required.\u0026nbsp; The exercise plan and detailed results are contained in the Appendix to this report.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSummary of Exercise Results\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSignificant results from the exercise were:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;Result one\u0026gt;\u003c/li\u003e\u003cli\u003e\u0026lt;Result two\u0026gt;\u003c/li\u003e\u003cli\u003e\u0026lt;Result three\u0026gt;\u003c/li\u003e\u003cli\u003e\u0026lt;Add additional results as necessary\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eRecommendations\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe following recommendations are provided as a result of the exercise:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;Recommendation one\u0026gt;\u003c/li\u003e\u003cli\u003e\u0026lt;Recommendation two\u0026gt;\u003c/li\u003e\u003cli\u003e\u0026lt;Recommendation three\u0026gt;\u003c/li\u003e\u003cli\u003e\u0026lt;Add additional recommendations as necessary\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eSignature\u003c/h3\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e_____________________________________\u003c/p\u003e\u003cp\u003eFacilitators name and 
date\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e_____________________________________\u003c/p\u003e\u003cp\u003eApproved by and date\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e_____________________________________\u003c/p\u003e\u003cp\u003eSystem/Business Owner's name and date\u003c/p\u003e\u003cp\u003e\u0026lt;System Acronym\u0026gt; System/Business Owner, \u0026lt;title\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003eFollowing this report, insert Appendix material as necessary (such as the exercise plan and any supporting documentation).\u003c/em\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:T888b,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eContingency Planning at CMS\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eContingency planning at the Centers for Medicare and Medicaid Services (CMS) is essential for protecting the organization from potential risks and ensuring the continuity of its operations. An \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook\"\u003eInformation System Contingency Plan (ISCP)\u003c/a\u003e is the cornerstone document of contingency planning for information systems, and every CMS FISMA system must have one in place. The ISCP provides a framework for responding to and mitigating the effects of unexpected events, such as natural disasters, data breaches, and public health crises.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISCPs outline risk management strategies, such as crisis management protocols, data backup and recovery procedures, business continuity plans, and roles and responsibilities. 
The plans generally include one or more of the following approaches to restore disrupted services:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRestoring information systems using alternate equipment in case of an equipment failure\u003c/li\u003e\u003cli\u003eAlternate data processing means\u0026nbsp;\u003c/li\u003e\u003cli\u003eAlternate location(s) in case of a natural disaster\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eContingency planning also involves establishing clear communication channels between CMS and its stakeholders, such as healthcare providers, patients, and the general public. By being prepared for potential risks, CMS can ensure that its operations remain uninterrupted and that its stakeholders are kept informed of any changes. CMS utilizes guidance provided by the \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNational Institute of Standards and Technology (NIST) SP 800-53\u003c/a\u003e and the Federal Information Security Management Act (FISMA) to inform its internal contingency planning process.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eISCP Testing, Training and Exercise (TT\u0026amp;E)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSystem/Business Owners are required to schedule and perform \u003cstrong\u003eTesting, Training, and Exercise (TT\u0026amp;E)\u003c/strong\u003e for their ISCPs annually. They must also oversee the development and completion of corrective action plans for vulnerabilities noted during the testing. Exercising an ISCP ensures that in the event of a system failure, the system team is prepared to take the steps necessary to protect security and privacy.\u0026nbsp;\u003c/p\u003e\u003cp\u003eTo make sure that CMS FISMA systems can recover from outages or issues, it's important that everyone knows what they need to do, has been trained on how to fix problems, and that those solutions are tested to make sure they actually work. 
Therefore, every System/Business Owner and Information System Security Officer (ISSO)\u0026nbsp;will implement a robust TT\u0026amp;E program for contingency planning. Your system's impact level will determine the specific requirements of your TT\u0026amp;E program. As you develop and complete your TT\u0026amp;E, you will also need to update your ISCP as new information becomes available and changes to your system occur.\u0026nbsp;\u003c/p\u003e\u003cp\u003eA successful TT\u0026amp;E program should include several types of events to ensure the availability of a wide range of methods for validating various planning elements in the context of cyber incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTests\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTests are evaluation tools that use quantifiable metrics to ensure that a FISMA system or system component is functioning properly. A test is conducted in as close to an operational environment as possible; if feasible, an actual test of the components or systems used to conduct daily operations for the organization should be used. The scope of testing can range from individual system components or systems to comprehensive tests of all systems and components that support the ISCP. Tests often focus on recovery and backup operations; however, testing varies depending on the goal of the test and its relation to a specific plan.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTraining\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTraining allows personnel to understand their roles and responsibilities within a system's ISCP. Training opportunities teach staff skills such as decision making and offer information about best practices. It prepares them for participation in exercises, tests, and actual emergency situations related to the ISCP. 
Training is typically split between a presentation on roles and responsibilities, and activities that allow personnel to demonstrate their understanding of the subject matter.\u003c/p\u003e\u003cp\u003eAll training should be coordinated by and centrally documented with the ISSO. Training must include, but will not be limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency response best practices\u003c/li\u003e\u003cli\u003eDisaster declaration criteria and declaration authorities\u003c/li\u003e\u003cli\u003eFunctional recovery prioritizations and Recovery Time Objectives (RTOs)\u0026nbsp; of interdependent systems\u003c/li\u003e\u003cli\u003eValidation of the approved recovery strategies and strategy implementation\u003c/li\u003e\u003cli\u003eVerification of ISCP implementation procedures\u003c/li\u003e\u003cli\u003eValidation of recovery personnel assignments, roles and responsibilities\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISCP Coordinators must develop a training program for all personnel assigned to recovery responsibilities within the ISCP. Training must be provided within 90 days of assignment to recovery responsibilities with refresher training conducted at least annually thereafter.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eExercises\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAn exercise is a simulation of an emergency designed to validate the viability of one or more aspects of an ISCP. In an exercise, personnel with roles and responsibilities within the ISCP meet to validate the content of the plan through discussion of their roles and their responses to emergency situations, execution of responses in a simulated operational environment, or other means of validating responses that does not involve using the actual operational environment. 
Exercises are scenario-driven, such as a power failure in one of the organization's data centers or a fire causing certain systems to be damaged, with additional situations often being presented during the course of an exercise.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe purpose of exercising an ISCP is to identify and fix deficiencies in the system itself and the overall planning process. ISCPs are not exercised to test the technical competence of personnel with recovery responsibilities. Exercises do serve as training for personnel who will be called upon to execute the ISCP in the event of a system outage. Exercises should include the following areas:\u003c/p\u003e\u003cul\u003e\u003cli\u003eNotification and escalation procedures\u003c/li\u003e\u003cli\u003eSystem recovery on an alternate platform from backup media\u003c/li\u003e\u003cli\u003eInternal and external connectivity\u003c/li\u003e\u003cli\u003eActual operational functional support from the recovered system\u003c/li\u003e\u003cli\u003eSystem restoration\u003c/li\u003e\u003cli\u003eSmooth resumption of normal operations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAt CMS, there are two main types of exercises used to validate ISCPs:\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eTabletop Exercises\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eTabletop exercises are discussion-based exercises where personnel meet in a classroom setting or in breakout groups to discuss their roles during an emergency and their responses to a particular emergency situation. A Facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. 
A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe primary goals of a successful Tabletop Exercise are:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eValidation of \u003cstrong\u003eRecovery Time Objectives (RTOs)\u003c/strong\u003e and functional \u003cstrong\u003eMaximum Tolerable Downtimes (MTDs)\u003c/strong\u003e\u003c/li\u003e\u003cli\u003eValidation of response and recovery procedures\u003c/li\u003e\u003cli\u003eGuidelines and procedures for coordinated, timely, and effective response and recovery\u003c/li\u003e\u003cli\u003eCall tree information verification\u003c/li\u003e\u003cli\u003eDiscovery of any weaknesses in the ISCP\u003c/li\u003e\u003cli\u003eVerification of recovery procedures\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eFunctional Exercises\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eFunctional exercises allow personnel to validate their operational readiness for emergencies by performing their duties in a simulated operational environment. Functional exercises are designed to exercise the roles and responsibilities of specific team members, procedures, and assets involved in one or more functional aspects of a plan (e.g., communications, emergency notifications, IT equipment setup). Functional exercises vary in complexity and scope, from validating specific aspects of a plan to full-scale exercises that address all plan elements. 
Functional exercises allow staff to execute their roles and responsibilities as they would in an actual emergency situation, but in a simulated manner.\u003c/p\u003e\u003cp\u003eA successful Functional Exercise achieves the following goals:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ability to continue functional processing in backup mode\u003c/li\u003e\u003cli\u003eApplication/system interdependencies and data flow verification\u003c/li\u003e\u003cli\u003eCompatibility of data backups with the primary and backup systems\u003c/li\u003e\u003cli\u003eData storage and recovery processes\u003c/li\u003e\u003cli\u003eThe ability to extend the system to users at alternate processing and telework sites\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSelecting the correct exercise for your system\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe type of exercise selected should reflect the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFIPS 199 level\u003c/a\u003e of the system.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eLow-impact \u003c/strong\u003esystems can be tested with a Tabletop Exercise\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eModerate-impact \u003c/strong\u003esystems should undergo a Functional Exercise\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eHigh-impact \u003c/strong\u003esystems must utilize a full-scale Functional Exercise (also known as a \u003cstrong\u003eTechnical Exercise\u003c/strong\u003e)\u0026nbsp; with system failover to the alternate site if required\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eNote:\u003c/strong\u003e Actively exercising the system ISCP as part of a larger, coordinated technical exercise of the hosting system satisfies the annual requirement.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eDeveloping your ISCP Exercise Plan\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eDeveloping a realistic and efficient ISCP Exercise is critical to the success 
of your system's ISCP in the event of an outage. Because ISCP Exercises occur only once or twice a year, it's important that an \u003cstrong\u003eISCP Exercise Plan\u003c/strong\u003e is created and reviewed prior to each exercise. This ensures that all information is accurate and relevant, and that all roles on the team remain accurate. The ISCP Exercise Plan is approved by the System/Business Owner prior to the event. All exercise plans must include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAn identified Exercise Facilitator for central management during the exercise\u003c/li\u003e\u003cli\u003eObservers/Monitors for objective exercise evaluation\u003c/li\u003e\u003cli\u003eExercise participants\u003c/li\u003e\u003cli\u003eExercise objectives\u003c/li\u003e\u003cli\u003eExercise metrics to determine how well objectives were met\u003c/li\u003e\u003cli\u003eRequired materials\u003c/li\u003e\u003cli\u003eExercise timeline\u003c/li\u003e\u003cli\u003eAny assumptions\u003c/li\u003e\u003cli\u003eExercise scenario to include scripts and injects\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eISCP Exercise Plan preparation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBefore drafting your ISCP Exercise Plan, it's important that each member of the system team has done their part to ensure that the following items have been reviewed for accuracy and completeness.\u0026nbsp;\u003c/p\u003e\u003cp\u003eBefore drafting your system's ISCP Exercise, the \u003cstrong\u003eSystem/Business Owner \u003c/strong\u003emust have developed and approved:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaximum Tolerable Downtime (MTD) of the function(s) that is/are supported by the system\u003c/li\u003e\u003cli\u003eRecovery Time Objective (RTO) of the system\u003c/li\u003e\u003cli\u003eRecovery Point Objective (RPO) of the associated data\u003c/li\u003e\u003cli\u003eWork Recovery Time (WRT) of the associated functional processes\u003c/li\u003e\u003cli\u003eAn \u003ca 
href=\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook\"\u003eup-to-date ISCP\u003c/a\u003e for the system\u003c/li\u003e\u003cli\u003eThe type of exercise (Tabletop or Functional) in accordance with guidance from CMS and NIST\u003c/li\u003e\u003cli\u003eAll relevant personnel with recovery responsibilities have been trained\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe system's ISSO will work with the System/Business Owner to complete the tasks above. Additionally, \u003cstrong\u003eall system team members\u003c/strong\u003e must have completed the following tasks before any ISCP Exercise occurs:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview the \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCFACTS\u003c/a\u003e CP control descriptions to ensure the plan as exercised is consistent with existing control requirements and implementation descriptions; if there have been changes to control requirements, you may need to update your approved recovery strategies\u003c/li\u003e\u003cli\u003eReview the documented information system and business risks for any changes to the business process MTD, threats, vulnerabilities, or likelihood of occurrence for existing threats\u003c/li\u003e\u003cli\u003eDetermine and plan for the necessary logistics and supplies, such as booking conference rooms, setting up Zoom calls, sourcing a white board and markers, or providing note sheets for Data Gatherers\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eDrafting your ISCP Exercise Plan\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eSet objectives\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eObjectives are brief statements that have measurable outcomes. Measurable outcomes refer to specific and observable results that can be measured using data. 
They provide a way to track progress and determine the success of a particular activity or project.\u003c/p\u003e\u003cp\u003eMeasurable outcomes are typically expressed in terms of specific goals, targets, or objectives. For example, a measurable outcome for your ISCP Exercise could be to have all system staff trained on new procedures within 90 days. This outcome can be easily measured by tracking successful completion of training within the set time period. Objectives should also track:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMaximum Tolerable Downtime (MTD) - \u003c/strong\u003eAll ISCP Exercises must ensure all functional MTDs can be met and if not, either adjust the MTD(s) or upgrade the recovery procedures to reduce the amount of time permitted for the RTO.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecovery Time Objective (RTO) -\u003c/strong\u003e In order to ensure functional recovery, critical systems must be recovered quickly enough to allow for system operations, data loading and validation, and backlog processing. 
If the system cannot be recovered quickly enough to meet the functional MTD(s) then the recovery strategy must be upgraded to reduce the time required for the RTO.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecovery Point Objective (RPO) -\u003c/strong\u003e If data recovery and validation are insufficient to support the functional MTD(s) then the data backup strategy must be upgraded to support a more current (shorter) RPO.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWork Recovery Time (WRT) -\u003c/strong\u003e In order to ensure the functional MTD(s) can be met, the time it takes to validate recovered data, update all data to current day and time and clear any transaction backlogs must be addressed. If an exercise determines that the functional MTD cannot be met after the system is recovered within its RTO, and the data is recovered within its RPO, then all recovery strategies may need to be upgraded.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eValidation of response and recovery procedures -\u003c/strong\u003e WRT must be validated to ensure that the RTO and the processes necessary to achieve a normal state of functionality to include transactions are properly validated and do not exceed the MTD.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVerification of call tree information -\u003c/strong\u003e Valid names and contact information are needed. Corrections to this list should also be made to the plan document.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIdentification of inaccuracies or errors in the ISCP -\u003c/strong\u003e Any errors must be identified and corrected.\u003c/p\u003e\u003cp\u003eMeasurable outcomes are important because they help to focus efforts, set clear expectations, and evaluate progress. 
By defining specific, measurable outcomes, your team can determine whether they are on track to achieving the goals identified in the ISCP Exercise Plan and make adjustments as needed to ensure success.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eDetermine time frame\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eEach ISCP Exercise requires two time-frames: the \u003cstrong\u003eactual time \u003c/strong\u003ethat is set aside for the exercise (normally 1 to 4 hours of active time spread across a number of days) and the \u003cstrong\u003eelapsed time\u003c/strong\u003e, which is the total number of days required to complete the CP Exercise. The elapsed time must be of sufficient length to encompass the system RTO, data RPO and the MTD of the function that relies on the system being tested.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIdentify personnel \u0026amp; assign roles\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eBased on the objectives and time frame, determine the personnel who are required to attend your ISCP Exercise. The System/Business Owner should also identify the following individuals with recovery roles in the ISCP:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFacilitator -\u003c/strong\u003e The exercise Facilitator is the System/Business Owner or designee. 
The Facilitator is responsible for:\u003c/p\u003e\u003cul\u003e\u003cli\u003eObtaining approval for the ISCP Exercise Plan\u003c/li\u003e\u003cli\u003eEnsuring all personnel involved with the exercise are notified\u003c/li\u003e\u003cli\u003eProviding pre-exercise and post-exercise briefings as required\u003c/li\u003e\u003cli\u003eConducting the exercise in accordance with the exercise plan\u003c/li\u003e\u003cli\u003eDeveloping the AAR\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eData Gatherers -\u003c/strong\u003e The Data Gatherers should be the ISSO, CPC or their designee(s), and other functional experts as appropriate.\u0026nbsp; They are responsible for:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReviewing and being familiar with all information and procedures in the ISCP\u003c/li\u003e\u003cli\u003eReviewing and being familiar with the business processes that rely on the system to be exercised\u003c/li\u003e\u003cli\u003eReviewing and being able to determine, with the participants, when recovery procedures or other information in the ISCP do not meet the requirements of an effective ISCP\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eParticipants -\u003c/strong\u003e Participants are personnel who have recovery responsibilities that are relevant to the scope of the exercise as determined by the Facilitator and approved by the System/Business Owner.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNote: \u003c/strong\u003eIf the exercise is a \u003cstrong\u003eTechnical Exercise\u003c/strong\u003e, the System/Business Owner, ISSO, and CPC will also coordinate with appropriate Information Technology (IT) infrastructure personnel for technical recovery expertise.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eDetermine assumptions and limitations\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAssumptions refer to the beliefs or predictions that the ISCP is based on. 
For example, an ISCP for a data breach may assume that the organization's data encryption measures are effective or that the attacker's motive is to steal sensitive information. These assumptions help shape the response plan and determine the actions to be taken.\u003c/p\u003e\u003cp\u003eLimitations refer to the factors that may prevent the contingency plan from being fully effective. For example, a contingency plan for a power outage may be limited by the availability of backup generators or the capacity of the electrical grid. It is important to understand these limitations in order to develop a realistic and effective plan.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eDevelop injects\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eInjects are hypothetical scenarios that are introduced into the ISCP Exercise in order to test the plan's effectiveness and identify any potential weaknesses. Injects offer different scenarios that could happen, and the ISCP Exercise participants are responsible for figuring out how to handle those scenarios. By introducing different injects, the team can see how well the plan works and make adjustments if necessary.\u003c/p\u003e\u003cp\u003eFor example, let's say your team is exercising your ISCP for a breach event. You might introduce an inject scenario where the breach is more severe than initially expected, or where backup systems fail. By practicing how they would respond to these scenarios, the team can better prepare for a real emergency. NIST has created the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf\"\u003eMaster Scenario Events List (MSEL)\u003c/a\u003e, an outline of the simulated events and key event descriptions that participants will be asked to respond to during an exercise. 
Your team can reference the MSEL when drafting the ISCP Exercise Plan.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSet a date\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eEstablish a day-and-time to start your ISCP Exercise. Be sure that all team members with recovery responsibilities are available to participate for the entire duration of the ISCP Exercise. Obtain final approval from the System/Business Owner and the ISSO/CPC.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eConducting your ISCP Exercise\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eOnce your ISCP Exercise Plan has been completed and approved, your team is ready to conduct your ISCP Exercise. A successful ISCP Exercise will have active participation from all team members and identify areas for improvement and result in actions that are taken to improve the ISCP.\u0026nbsp;\u003c/p\u003e\u003cp\u003e1. Ensure all personnel who have been identified in the ISCP Exercise Plan are present. For any absentees, ensure a viable replacement is present.\u003c/p\u003e\u003cp\u003e2. Make sure that all personnel have the required information. The Facilitator should have their own copy of the ISCP, the developed ISCP Exercise scenario, prepared injects, and evaluation sheets. Participants should come to the exercise with their own copy of the ISCP. If they do not, this should be recorded as a deficiency/finding.\u003c/p\u003e\u003cp\u003e3. The Facilitator will kick off the Exercise by presenting the senior participant with the initial inject.\u003c/p\u003e\u003cp\u003e4. The team will follow the documented ISCP step by step.\u003c/p\u003e\u003cp\u003e5. As the participants respond to the first inject the Facilitator leads the discussion focusing on the recovery procedures in the ISCP. They will continue this process with each subsequent inject until normal operations are restored to the system within the Exercise and the ISCP Exercise is complete.\u003c/p\u003e\u003cp\u003e6. 
Upon conclusion, the Facilitator should have a quick discussion with the Data Gatherers to determine when their notes are due. The team should then immediately begin the process of compiling documentation of the exercise using the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook#tabletop-exercise-scenario-template\"\u003eTabletop Exercise Scenario Template\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook#after-action-report-aar-template\"\u003eAfter Action Report (AAR) Template\u003c/a\u003e, as well as other documentation required to address any ISCP deficiencies.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePost-Exercise activities\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThere are a number of activities that must be completed immediately following your ISCP Exercise. The most important of these activities is the \u003cstrong\u003eAfter Action Report (AAR)\u003c/strong\u003e. The AAR is a comprehensive review of your completed ISCP Exercise that identifies areas of strength, areas for improvement, and lessons learned. It provides a basis for ongoing refinement of the contingency plan. This helps to ensure that the plan is always up-to-date and effective.\u003c/p\u003e\u003cp\u003eTeams, led by the System/Business Owner, must complete the following steps after the ISCP Exercise is finished:\u003c/p\u003e\u003cp\u003e1. 
Conduct an initial out-brief with all persons identified in the scenario and record any lessons learned in the format provided in \u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook#tabletop-exercise-scenario-template\"\u003eTabletop Exercise Scenario Template\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook#after-action-report-aar-template\"\u003eAfter Action Report (AAR) Template\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e2. Collect all logs and exercise-related documentation from all personnel who participated.\u003c/p\u003e\u003cp\u003e3. Review all narrative comments.\u003c/p\u003e\u003cp\u003e4. In the event of a discrepancy between two participants (or data gatherers) giving different results for the same objective, discuss the results with them and, if possible, come to agreement.\u003c/p\u003e\u003cp\u003e5. When all result conflicts have been resolved, develop the AAR with significant results.\u003c/p\u003e\u003cp\u003e6. Include in the AAR any recommendations for improvements to any area of the system's recovery plan or overall recovery capability.\u0026nbsp;\u003c/p\u003e\u003cp\u003e7. Attach the completed Exercise Scenario to the AAR.\u003c/p\u003e\u003cp\u003e8. Submit the AAR to the Business Owner for review and approval.\u003c/p\u003e\u003cp\u003e9. Update the ISCP with the exercise results, lessons learned, and any comments provided by the Business Owner.\u003c/p\u003e\u003cp\u003e10. Update ISCP training materials to reflect necessary changes to the ISCP as a result of the exercise and lessons learned.\u003c/p\u003e\u003cp\u003e11. The System/Business Owner and ISSO create a Plan of Action \u0026amp; Milestones (POA\u0026amp;M) for any weakness or deficiency in the ISCP that cannot be addressed in a timely manner, e.g. prior to the next ISCP testing date. 
This will identify the vulnerability and plan out the corrective actions necessary to reduce the weakness to an acceptable level.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eISCP Exercise roles and responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe following system team members are involved in the ISCP Exercise process:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem/Business Owner\u003c/li\u003e\u003cli\u003eInformation System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003eCMS Contingency Plan Coordinator (CPC)\u003c/li\u003e\u003cli\u003eISCP Exercise Facilitator\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIt is critical that each member of the system team understands their role in the execution of the ISCP, as well as their responsibilities related to ISCP Exercises.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem/Business Owners\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll System/Business Owners are the leaders of the Contingency Planning process. 
As a result, they are responsible for the following when exercising an ISCP:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop, distribute, and maintain ISCPs\u0026nbsp;\u003c/li\u003e\u003cli\u003eEnsure each plan under their purview is exercised at least annually\u003c/li\u003e\u003cli\u003eEnsure a technical test for each system is conducted at least every other year\u003c/li\u003e\u003cli\u003eReview and correct plan deficiencies discovered during an exercise or outage in a timely manner\u003c/li\u003e\u003cli\u003eEnsure the annual ISCP Exercise includes an analysis of the identified recovery strategies to ensure recovery strategies take full advantage of all possible cost savings and efficiencies\u003c/li\u003e\u003cli\u003eObtain appropriate resourcing to include funding and staffing, for recovery planning requirements\u003c/li\u003e\u003cli\u003eEnsure all personnel with recovery responsibilities are trained to consider recovery preparedness part of their normal duties\u003c/li\u003e\u003cli\u003eDetermine and manage information system and data backup storage and alternate processing facility agreements\u003c/li\u003e\u003cli\u003eEnsure a copy of the most current ISCP is maintained at the alternate processing location\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eISSOs serve as the partner to the System/Business Owner throughout the ISCP process. 
During the ISCP Exercise, the ISSO is responsible for:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAssist the System/Business Owner with training for staff related to the ISCP Exercise\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssist the System/Business Owner in correcting deficiencies and issues discovered during the ISCP Exercise process\u0026nbsp;\u003c/li\u003e\u003cli\u003eReview\u0026nbsp;all information and procedures in the ISCP\u003c/li\u003e\u003cli\u003eReview the business processes that rely on the system to be exercised\u003c/li\u003e\u003cli\u003eReview and determine, with the exercise participants, when recovery procedures or other information in the ISCP do not meet the requirements of an effective ISCP\u003c/li\u003e\u003cli\u003eSubmit updated ISCP documentation and information to CFACTS\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eContingency Plan Coordinator (CPC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CPC assists the System/Business Owner with their CP Exercise efforts. Sometimes the CPC and ISSO roles overlap during the CP Exercise process. Your individual team led by your System/Business Owner will determine the appropriate makeup for your team. 
During an exercise, the CPC will:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOversee and coordinate all CP Exercises\u003c/li\u003e\u003cli\u003eOversee and coordinate the recovery-related training and awareness program for all personnel\u003c/li\u003e\u003cli\u003eCoordinate recovery team staffing with the System/Business Owner, CISO's office, and Emergency Preparedness and Response Operations (EPRO) Office\u003c/li\u003e\u003cli\u003eAssist ISSOs in event response until it is determined that contingency execution is not warranted\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCP Exercise Facilitator\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CP Exercise Facilitator is a single individual identified in the CP Exercise Plan. The Facilitator is typically the System/Business Owner, but this is not always the case. Sometimes the System/Business Owner may designate another team member to serve as Facilitator. The Facilitator is responsible for the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eObtaining approval for the CP Exercise Plan\u003c/li\u003e\u003cli\u003eEnsuring all personnel involved with the exercise are notified of the exercise and that they are available to participate for however long the exercise is scheduled for\u003c/li\u003e\u003cli\u003eProviding pre-exercise and post-exercise briefings as required\u003c/li\u003e\u003cli\u003eConducting the exercise in accordance with the exercise plan\u003c/li\u003e\u003cli\u003eDeveloping the AAR\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eTabletop Exercise Scenario Template\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe following template provides placeholder content for a Tabletop Exercise Scenario that you can copy and paste into a document. It is for planning your Tabletop Exercise and summarizing the outcomes. It is signed by the Data Gatherer. 
It is submitted to the Business Owner as part of the After Action Report (AAR).\u003c/p\u003e\u003cp\u003e\u003cem\u003eCopy and paste the information below into a document to begin planning your Tabletop Exercise.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003eExercise scenario format\u003c/h3\u003e\u003cp\u003eSystem:\u003c/p\u003e\u003cp\u003eDate:\u003c/p\u003e\u003cp\u003eType of exercise:\u003c/p\u003e\u003cp\u003ePerson(s) planning the exercise:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eExercise Facilitator(s)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFacilitator name:\u003c/p\u003e\u003cp\u003eFacilitator name:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eExercise Data Gatherer(s)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eData Gatherer name:\u003c/p\u003e\u003cp\u003eData Gatherer name:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eExercise participants\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eParticipant name and role:\u003c/p\u003e\u003cp\u003eParticipant name and role:\u003c/p\u003e\u003cp\u003eParticipant name and role:\u003c/p\u003e\u003cp\u003e(add more as needed)\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTimelines\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eActual exercise time:\u003c/p\u003e\u003cp\u003eExercise (simulated) time:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eExercise objectives\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eObjective 1:\u003c/p\u003e\u003cp\u003eObjective 2:\u003c/p\u003e\u003cp\u003eObjective 3:\u003c/p\u003e\u003cp\u003e(add more as needed)\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eExercise scenario\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIncident:\u003c/p\u003e\u003cp\u003eImpact to system(s):\u003c/p\u003e\u003cp\u003eImpact to operation(s):\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRequired supplies and documentation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eList supplies and documentation that will be needed for the 
exercise.\u003c/p\u003e\u003cul\u003e\u003cli\u003eItem\u003c/li\u003e\u003cli\u003eItem\u003c/li\u003e\u003cli\u003eItem\u003c/li\u003e\u003cli\u003eAdd more as needed\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAssumptions\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAssumption 1:\u003c/p\u003e\u003cp\u003eAssumption 2:\u003c/p\u003e\u003cp\u003eAssumption 3:\u003c/p\u003e\u003cp\u003e(add more as needed)\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eLessons Learned\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e(Use this space to summarize the lessons learned from conducting the Tabletop Exercise.)\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eObjective fulfillment\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cem\u003e(Use this space to summarize whether objectives were met, and to provide details.)\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eObjective 1 was / was not met. Specifically;\u003c/li\u003e\u003cli\u003eObjective 2 was / was not met. Specifically;\u003c/li\u003e\u003cli\u003eObjective 3 was / was not met. 
Specifically;\u003c/li\u003e\u003cli\u003e(add more as needed)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eEvaluation sheet\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eObjective 1: (re-state the objective here)\u003c/p\u003e\u003cp\u003eComments:\u003c/p\u003e\u003cp\u003eObjective 2: (re-state the objective here)\u003c/p\u003e\u003cp\u003eComments:\u003c/p\u003e\u003cp\u003eObjective 3: (re-state the objective here)\u003c/p\u003e\u003cp\u003eComments:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSignature\u003c/strong\u003e\u003c/h3\u003e\u003ch3\u003e\u0026nbsp;\u003c/h3\u003e\u003cp\u003e_____________________________________\u003c/p\u003e\u003cp\u003eData Gatherer's name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e_____________________________________\u003c/p\u003e\u003cp\u003eData Gatherer's signature and date\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAfter Action Report (AAR) Template\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe following template provides placeholder content that you can copy and paste into a document to create your \u003cstrong\u003eAfter Action Report (AAR)\u003c/strong\u003e. This is a comprehensive review of your completed CP Exercise that identifies areas of strength, areas for improvement, and lessons learned.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCopy and paste the information below into a document to begin your After Action Report. 
Then modify the details for your specific CP Exercise.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA Tabletop Exercise was conducted for the \u0026lt;System Name (system acronym)\u003cem\u003e\u0026gt;\u003c/em\u003e Information System Contingency Plan (CP) on \u0026lt;date\u0026gt;.\u0026nbsp;\u003c/p\u003e\u003ch3\u003eParticipants\u003c/h3\u003e\u003cp\u003eThe participants and their assigned roles are listed below.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eExercise Facilitator \u003c/strong\u003e(Facilitates the CP Exercise and develops the AAR)\u003c/p\u003e\u003cp\u003eName:\u003c/p\u003e\u003cp\u003eOrganization:\u003c/p\u003e\u003cp\u003ePhone:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCP Coordinator\u003c/strong\u003e (Ensures accurate damage assessment and system recovery)\u003c/p\u003e\u003cp\u003eName:\u003c/p\u003e\u003cp\u003eOrganization:\u003c/p\u003e\u003cp\u003ePhone:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eExercise Data Gatherer\u003c/strong\u003e (Determines whether recovery procedures meet the requirements of an effective CP)\u003c/p\u003e\u003cp\u003eName:\u003c/p\u003e\u003cp\u003eOrganization:\u003c/p\u003e\u003cp\u003ePhone:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecovery Management Team Member\u003c/strong\u003e (Ensures accurate damage assessment and system recovery)\u003c/p\u003e\u003cp\u003eName:\u003c/p\u003e\u003cp\u003eOrganization:\u003c/p\u003e\u003cp\u003ePhone:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;System Name\u0026gt; Technical Lead\u003c/strong\u003e (Ensures system is recovered to trusted state and verifies all processing and data integrity)\u003c/p\u003e\u003cp\u003eName:\u003c/p\u003e\u003cp\u003eOrganization:\u003c/p\u003e\u003cp\u003ePhone:\u003c/p\u003e\u003ch3\u003eScenario\u003c/h3\u003e\u003cp\u003eThe CP tabletop exercise was conducted in accordance with the \u0026lt;System Name\u0026gt; CP Exercise Plan, dated 
\u0026lt;date\u0026gt;. The exercise plan was developed around the following scenario:\u003c/p\u003e\u003cp\u003e\u0026lt;Synopsis of the scenario\u0026gt;\u003c/p\u003e\u003cp\u003eThe exercise was designed to evaluate the following objectives:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify weaknesses in the Contingency Plan\u003c/li\u003e\u003cli\u003eObjective 2\u003c/li\u003e\u003cli\u003eObjective 3\u003c/li\u003e\u003cli\u003e\u0026lt;Add additional objectives as necessary\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CP exercise evaluated the status of contingency planning for the system and provided a forum for identifying outdated contingency planning information and for providing updates as required. The exercise plan and detailed results are contained in the Appendix to this report.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSummary of Exercise Results\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSignificant results from the exercise were:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;Result one\u0026gt;\u003c/li\u003e\u003cli\u003e\u0026lt;Result two\u0026gt;\u003c/li\u003e\u003cli\u003e\u0026lt;Result three\u0026gt;\u003c/li\u003e\u003cli\u003e\u0026lt;Add additional results as necessary\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eRecommendations\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe following recommendations are provided as a result of the exercise:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;Recommendation one\u0026gt;\u003c/li\u003e\u003cli\u003e\u0026lt;Recommendation two\u0026gt;\u003c/li\u003e\u003cli\u003e\u0026lt;Recommendation three\u0026gt;\u003c/li\u003e\u003cli\u003e\u0026lt;Add additional recommendations as necessary\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eSignature\u003c/h3\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e_____________________________________\u003c/p\u003e\u003cp\u003eFacilitator's name and 
date\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e_____________________________________\u003c/p\u003e\u003cp\u003eApproved by and date\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e_____________________________________\u003c/p\u003e\u003cp\u003eSystem/Business Owner's name and date\u003c/p\u003e\u003cp\u003e\u0026lt;System Acronym\u0026gt; System/Business Owner, \u0026lt;title\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003eFollowing this report, insert Appendix material as necessary (such as the exercise plan and any supporting documentation).\u003c/em\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}\n1b:{\"self\":\"$1c\"}\n1f:[\"menu_ui\",\"scheduler\"]\n1e:{\"module\":\"$1f\"}\n22:[]\n21:{\"available_menus\":\"$22\",\"parent\":\"\"}\n23:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n20:{\"menu_ui\":\"$21\",\"scheduler\":\"$23\"}\n1d:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$1e\",\"third_party_settings\":\"$20\",\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance 
documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1a:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":\"$1b\",\"attributes\":\"$1d\"}\n26:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}\n25:{\"self\":\"$26\"}\n27:{\"display_name\":\"mburgess\"}\n24:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":\"$25\",\"attributes\":\"$27\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n29:{\"self\":\"$2a\"}\n2b:{\"display_name\":\"meg - retired\"}\n28:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$29\",\"attributes\":\"$2b\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}\n2d:{\"self\":\"$2e\"}\n30:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n2f:{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":tr"])</script><script>self.__next_f.push([1,"ue,\"path\":\"$30\"}\n34:{\"drupal_internal__target_id\":\"resource_type\"}\n33:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$34\"}\n36:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"}\n37:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}\n35:{\"related\":\"$36\",\"self\":\"$37\"}\n32:{\"data\":\"$33\",\"links\":\"$35\"}\n3a:{\"href\":\"https://cybergeek.cms.gov/js
onapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"}\n3b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}\n39:{\"related\":\"$3a\",\"self\":\"$3b\"}\n38:{\"data\":null,\"links\":\"$39\"}\n42:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n41:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$42\"}\n40:{\"help\":\"$41\"}\n3f:{\"links\":\"$40\"}\n3e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$3f\"}\n3d:[\"$3e\"]\n44:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"}\n45:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}\n43:{\"related\":\"$44\",\"self\":\"$45\"}\n3c:{\"data\":\"$3d\",\"links\":\"$43\"}\n31:{\"vid\":\"$32\",\"revision_user\":\"$38\",\"parent\":\"$3c\"}\n2c:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":\"$2d\",\"attributes\":\"$2f\",\"relationships\":\"$31\"}\n48:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n47:{\"self\":\"$48\"}\n4a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n49:{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"rev"])</script><script>self.__next_f.push([1,"ision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4a\"}\n4e:{\"drupal_internal__target_id\":\"roles\"}\n4d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$4e\"}\n50:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n51:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n4f:{\"related\":\"$50\",\"self\":\"$51\"}\n4c:{\"data\":\"$4d\",\"links\":\"$4f\"}\n54:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n55:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n53:{\"related\":\"$54\",\"self\":\"$55\"}\n52:{\"data\":null,\"links\":\"$53\"}\n5c:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n5b:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5c\"}\n5a:{\"help\":\"$5b\"}\n59:{\"links\":\"$5a\"}\n58:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$59\"}\n57:[\"$58\"]\n5e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n5f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n5d:{\"related\":\"$5e\",\"self\":\"$5f\"}\n56:{\"data\":\"$57\",\"links\":\"$5d\"}\n4b:{\"vid\":\"$4c\",\"revision_user\":\"$52\",\"parent\":\"$56\"}\n46:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$47\",\"attributes\":\"$49\",\"relationships\":\"$4b\"}\n62:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n61"])</script><script>self.__next_f.push([1,":{\"self\":\"$62\"}\n64:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n63:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$64\"}\n68:{\"drupal_internal__target_id\":\"roles\"}\n67:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$68\"}\n6a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n6b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n69:{\"related\":\"$6a\",\"self\":\"$6b\"}\n66:{\"data\":\"$67\",\"links\":\"$69\"}\n6e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n6d:{\"related\":\"$6e\",\"self\":\"$6f\"}\n6c:{\"data\":null,\"links\":\"$6d\"}\n76:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n75:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$76\"}\n74:{\"help\":\"$75\"}\n73:{\"links\":\"$74\"}\n72:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$73\"}\n71:[\"$72\"]\n78:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n79:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n77:{\"related\":\"$78\",\"self\":\"$79\"}\n70:{\"data\":\"$71\",\"links\":\"$77\"}\n65:{\"vid\":\"$66\",\"revision_user\":\"$6c\",\"parent\":\"$70\"}\n60:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$61\",\"attribute"])</script><script>self.__next_f.push([1,"s\":\"$63\",\"relationships\":\"$65\"}\n7c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n7b:{\"self\":\"$7c\"}\n7e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n7d:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$7e\"}\n82:{\"drupal_internal__target_id\":\"roles\"}\n81:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$82\"}\n84:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n85:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n83:{\"related\":\"$84\",\"self\":\"$85\"}\n80:{\"data\":\"$81\",\"links\":\"$83\"}\n88:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n87:{\"related\":\"$88\",\"self\":\"$89\"}\n86:{\"data\":null,\"links\":\"$87\"}\n90:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n8f:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$90\"}\n8e:{\"help\":\"$8f\"}\n8d:{\"links\":\"$8e\"}\n8c:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$8d\"}\n8b:[\"$8c\"]\n92:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n93:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n91:{\"related\":\"$92\",\"self\":\"$93\"}\n8a:{\"data\":\"$8b\",\"links\":\"$91\"}\n7f:{\"vid\":\"$"])</script><script>self.__next_f.push([1,"80\",\"revision_user\":\"$86\",\"parent\":\"$8a\"}\n7a:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$7b\",\"attributes\":\"$7d\",\"relationships\":\"$7f\"}\n96:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}\n95:{\"self\":\"$96\"}\n98:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n97:{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 
Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$98\"}\n9c:{\"drupal_internal__target_id\":\"topics\"}\n9b:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$9c\"}\n9e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"}\n9f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}\n9d:{\"related\":\"$9e\",\"self\":\"$9f\"}\n9a:{\"data\":\"$9b\",\"links\":\"$9d\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}\na1:{\"related\":\"$a2\",\"self\":\"$a3\"}\na0:{\"data\":null,\"links\":\"$a1\"}\naa:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\na9:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$aa\"}\na8:{\"help\":\"$a9\"}\na7:{\"links\":\"$a8\"}\na6:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$a7\"}\na5:[\"$a6\"]\nac:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"}\nad:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c"])</script><script>self.__next_f.push([1,"7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}\nab:{\"related\":\"$ac\",\"self\":\"$ad\"}\na4:{\"data\":\"$a5\",\"links\":\"$ab\"}\n99:{\"vid\":\"$9a\",\"revision_user\":\"$a0\",\"parent\":\"$a4\"}\n94:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":\"$95\",\"attributes\":\"$97\",\"relationships\":\"$99\"}\nb0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}\naf:{\"self\":\"$b0\"}\nb2:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb1:{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 
Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b2\"}\nb6:{\"drupal_internal__target_id\":\"topics\"}\nb5:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$b6\"}\nb8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"}\nb9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}\nb7:{\"related\":\"$b8\",\"self\":\"$b9\"}\nb4:{\"data\":\"$b5\",\"links\":\"$b7\"}\nbc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"}\nbd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}\nbb:{\"related\":\"$bc\",\"self\":\"$bd\"}\nba:{\"data\":null,\"links\":\"$bb\"}\nc4:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nc3:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c4\"}\nc2:{\"help\":\"$c3\"}\nc1:{\"links\":\"$c2\"}\nc0:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$c1\"}\nbf:[\"$c0\"]\nc6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_te"])</script><script>self.__next_f.push([1,"rm/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"}\nc7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}\nc5:{\"related\":\"$c6\",\"self\":\"$c7\"}\nbe:{\"data\":\"$bf\",\"links\":\"$c5\"}\nb3:{\"vid\":\"$b4\",\"revision_user\":\"$ba\",\"parent\":\"$be\"}\nae:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":\"$af\",\"attributes\":\"$b1\",\"relationships\":\"$b3\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--library\",\"id\":\"88686085-9850-4ee7-9141-6221bbb79c09\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/88686085-9850-4ee7-9141-6221bbb79c09?resourceVersion=id%3A5862\"}},\"attributes\":{\"drupal_internal__nid\":841,\"drupal_internal__vid\":5862,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-12T19:50:56+00:00\",\"status\":true,\"title\":\"CMS Information System Contingency Plan (ISCP) Exercise 
Handbook\",\"created\":\"2023-04-12T13:39:38+00:00\",\"changed\":\"2024-08-12T19:50:56+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-contingency-plan-exercise-handbook\",\"pid\":811,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\",\"summary\":\"\"},\"field_contact_email\":\"ISPG_Policy_Mailbox@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2023-04-03\",\"field_related_resources\":[{\"uri\":\"https://csrc.nist.gov/pubs/sp/800/34/r1/upd1/final\",\"title\":\"Contingency Planning Guide for Federal Information Systems\",\"options\":[],\"url\":\"https://csrc.nist.gov/pubs/sp/800/34/r1/upd1/final\"},{\"uri\":\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf\",\"title\":\"NIST Master Scenario Events List (MSEL)\",\"options\":[],\"url\":\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf\"},{\"uri\":\"entity:node/1207\",\"title\":\"Information System Contingency Plan (CP)\",\"options\":[],\"url\":\"/policy-guidance/cms-information-system-contingency-plan-iscp-handbook\"}],\"field_short_description\":{\"value\":\"Information and resources for teams to help them complete their annual Information System Contingency Plan (ISCP) exercise\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eInformation and resources for teams to help them complete their annual Information System Contingency Plan (ISCP) 
exercise\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/88686085-9850-4ee7-9141-6221bbb79c09/node_type?resourceVersion=id%3A5862\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/88686085-9850-4ee7-9141-6221bbb79c09/relationships/node_type?resourceVersion=id%3A5862\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/88686085-9850-4ee7-9141-6221bbb79c09/revision_uid?resourceVersion=id%3A5862\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/88686085-9850-4ee7-9141-6221bbb79c09/relationships/revision_uid?resourceVersion=id%3A5862\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/88686085-9850-4ee7-9141-6221bbb79c09/uid?resourceVersion=id%3A5862\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/88686085-9850-4ee7-9141-6221bbb79c09/relationships/uid?resourceVersion=id%3A5862\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/88686085-9850-4ee7-9141-6221bbb79c09/field_resource_type?resourceVersion=id%3A5862\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/88686085-9850-4ee7-9141-6221bbb79c09/relationships/field_resource_type?resourceVersion=id%3A5862\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_te
rm--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/88686085-9850-4ee7-9141-6221bbb79c09/field_roles?resourceVersion=id%3A5862\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/88686085-9850-4ee7-9141-6221bbb79c09/relationships/field_roles?resourceVersion=id%3A5862\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/88686085-9850-4ee7-9141-6221bbb79c09/field_topics?resourceVersion=id%3A5862\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/88686085-9850-4ee7-9141-6221bbb79c09/relationships/field_topics?resourceVersion=id%3A5862\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after
_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}},\"attributes\":{\"display_name\":\"mburgess\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}},\"attributes\":{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad
-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"ht
tps://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"pa
rent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}},\"attributes\":{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 
Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}},\"attributes\":{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"ht
tps://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}}}}}],\"includedMap\":{\"ab4b0312-f678-40b9-ae06-79025f52ff43\":\"$1a\",\"e352e203-fe9c-47ba-af75-2c7f8302fca8\":\"$24\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$28\",\"e3394b9a-cbff-4bad-b68e-c6fad326132e\":\"$2c\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$46\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$60\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$7a\",\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\":\"$94\",\"65ef6410-4066-4db4-be03-c8eb26b63305\":\"$ae\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"CMS Information System Contingency Plan (ISCP) Exercise Handbook | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Information and resources for teams to help them complete their annual Information System Contingency Plan (ISCP) exercise\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"CMS Information System Contingency Plan (ISCP) Exercise Handbook | CMS Information Security \u0026 Privacy 
Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Information and resources for teams to help them complete their annual Information System Contingency Plan (ISCP) exercise\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"CMS Information System Contingency Plan (ISCP) Exercise Handbook | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Information and resources for teams to help them complete their annual Information System Contingency Plan (ISCP) exercise\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>