publicdata/cms-gov
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
cms-gov/security.cms.gov/policy-guidance/cms-key-management-handbook
Scott Williams b906a0e722 Initial commit
2025-02-28 14:41:14 -05:00

1 line
No EOL
302 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>CMS Key Management Handbook | CMS Information Security &amp; Privacy Group</title><meta name="description" content="Guidance on the management lifecycle of cryptographic keys: data used to lock or unlock functions, including authentication, authorization, and encryption "/><link rel="canonical" href="https://security.cms.gov/policy-guidance/cms-key-management-handbook"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="CMS Key Management Handbook | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="Guidance on the management lifecycle of cryptographic keys: data used to lock or unlock functions, including authentication, authorization, and encryption "/><meta property="og:url" content="https://security.cms.gov/policy-guidance/cms-key-management-handbook"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/policy-guidance/cms-key-management-handbook/opengraph-image.jpg?a856d5522b751df7"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="CMS Key Management Handbook | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="Guidance on the management lifecycle of cryptographic keys: data used to lock or unlock functions, including authentication, authorization, and encryption "/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/policy-guidance/cms-key-management-handbook/opengraph-image.jpg?a856d5522b751df7"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accessibility Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-library undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">CMS Key Management Handbook </h1><p class="hero__description">Guidance on the management lifecycle of cryptographic keys: data used to lock or unlock functions, including authentication, authorization, and encryption </p><p class="font-sans-2xs line-height-sans-5 margin-bottom-0">Last reviewed<!-- -->: <!-- -->10/14/2022</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8"><section class="resource-collection radius-md padding-y-2 padding-x-3 bg-base-lightest"><h1 class="resource-collection__header h3 margin-top-0 margin-bottom-2">Related Resources</h1><div class="grid-row grid-gap-4"><div class="tablet:grid-col-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final">NIST SP 800-57 Part 1 Rev. 5: Recommendations for Key Management<svg class="usa-icon" aria-hidden="true" role="img" data-testid="library-resources-external"><use href="/assets/img/sprite.svg#launch"></use></svg></a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2">CMS Information Systems Security and Privacy Policy (IS2P2)</a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Policies">CMS Chief Information Officer (CIO) Policies <svg class="usa-icon" aria-hidden="true" role="img" data-testid="library-resources-external"><use href="/assets/img/sprite.svg#launch"></use></svg></a></div></div></section><section><div class="text-block text-block--theme-library"><h2>Background</h2><p>This handbook aligns with the <a href="https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final">National Institute of Standards and Technology (NIST) Special Publication (SP) 800-57</a> series, the <a href="https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2">CMS IS2P2</a>, and the <a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS)</a>.</p><p><a href="https://security.cms.gov/learn/federal-information-systems-management-act-fisma">FISMA</a> further emphasizes the importance of continuously monitoring information system security by requiring agencies to conduct assessments of security controls at a risk-defined frequency. The CMS ARS states that CMS information systems must define, develop, disseminate, review, and update its Risk Assessment documentation at least once every three years or whenever a significant change has occurred. This includes a formal, documented system security/privacy package that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and formal, documented processes and procedures to facilitate the implementation of the policy and associated controls.</p><h2>Policy</h2><p>Policy delineates the security management structure, clearly assigns security responsibilities, and lays the foundation necessary to reliably measure progress, compliance, and direction to all CMS employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems or systems maintained on behalf of CMS to assure the confidentiality, integrity, and availability of CMS information and information systems.</p><h3>Information Systems Security and Privacy Policy (IS2P2)</h3><p>The <a href="https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2">CMS IS2P2</a> defines the framework and policy under which CMS protects and controls access to CMS information and information systems in compliance with the Department of Human and Health Services (HHS) policy, federal law, and regulations. This policy requires all CMS stakeholders to implement adequate information security and privacy safeguards to protect all CMS's sensitive information.</p><p>The policies contained within the CMS IS2P2 assist in satisfying the requirements for controls that require CMS to create a policy and associated procedures related to information systems.</p><p>The dynamic nature of information security and privacy disciplines and the constant need for assessing risk across the CMS environment can result in gaps in policy, outside of the routine policy review cycle. The CMS Policy Framework includes the option to issue a <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Policies">CIO Directive</a> to address these types of gaps in CMS policy by providing guidance to CMS stakeholders while a policy is being developed, updated, cleared, and approved.</p><h3>Chief Information Officer (CIO) Directives</h3><p>The CMS Chief Information Officer (CIO), the CMS Chief Information Security Officer (CISO), and the CMS Senior Official for Privacy (SOP) jointly develop and maintain the CMS IS2P2. The CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate.</p><h2>Standards</h2><p>Standards define both functional and assurance requirements within the CMS security and privacy environment. CMS policy is executed with the requirements prescribed in standards with the objective of enabling consistency across the CMS environment. The CMS environment includes users, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks. These components are responsible for meeting and complying with the security and privacy baseline defined in policy and further prescribed in standards. The parameters and thresholds for policy implementation are built into the CMS standards, and provide a foundation for the procedural guidance provided by the Program Guide series.</p><h3>Secrets Management</h3><p>A secret is a digital authentication credential. Secrets are individually named sets of sensitive information, and address a broad spectrum of secure data. Secrets need to be protected against unauthorized disclosure, and all keys need to be protected against modification, tempering, deletion and disclosure. There are different types of secrets, including:</p><ul><li>User passwords</li><li>Root passwords</li><li>Application and database passwords</li><li>Auto-generated encryption keys</li><li>Private encryption keys</li><li>Application Programming Interface (API) keys</li><li>Application keys</li><li>Secure Shell (SSH) keys</li><li>IAM secret keys</li><li>Programmatic access keys (project / client IDs)</li><li>Authorization tokens</li><li>Bearer tokens</li><li>Certificates</li><li>Private certificates (e.g. Transport Layer Security (TLS), Secure Sockets Layer (SSL))</li><li>RSA and other one-time password devices</li><li>Account tags</li><li>Passphrases</li><li>Any other application tokens that are deemed confidential</li></ul><p>Secrets management refers to the tools and methods for managing digital authentication credentials (secrets), including passwords, keys, APIs, and tokens for use in applications, services, privileged accounts and other sensitive parts of the IT ecosystem.</p><p>Passwords and keys are some of the most broadly used and important tools your organization has for authenticating applications and users and providing them with access to sensitive systems, services, and information. Because secrets have to be transmitted securely, secrets management must account for and mitigate the risks to these secrets, both in transit and at rest.</p><p><em><strong>Note </strong>Root access keys should be protected at all costs and deleted if possible. A bad actor may shut down servers, delete data, create and destroy users, or any other API capability with the root users key. For this reason, CMS highly recommends that root access key should not be in use or should be disabled if already in use. CMS also recommends keeping the root users credentials safe and private. Do not share them with other employees or contractors. It is also advisable to activate Multi Factor Authentication (MFA) for the root account to protect it even if the password leaks. Also, access and secret access keys should only be developed at a user level, and never at a root level.</em></p><p>The security objectives (Confidentiality, Integrity and Availability) should always be protected in regards to secrets management. The <a href="https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf">Federal Information Processing Standards (FIPS) Publication 199</a> defines three levels of potential impact on organizations or individuals (low, moderate, high) should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability) and has additional examples on the impact of loss of one or more of the security objectives.</p><h2>Key Management</h2><p>Key management refers to managing cryptographic keys within a cryptosystem. The term “cryptosystem” is shorthand for “cryptographic system” and refers to a computer system that employs cryptography, a method of protecting information and communications through the use of codes so that only those for whom the information is intended can read and process it.</p><p>Cryptosystems deal with generating, exchanging, storing, using and replacing keys as needed at the user level.</p><p>The security of the cryptosystem is dependent upon successful key management. Proper management ensures a key stays safe throughout its lifecycle, from generation and use to storing and deletion.</p><h3>Cryptographic Keys</h3><p>Cryptography is used to secure communications over networks, to protect information stored in databases, and for many other critical applications. Cryptographic keys play an important part in the operation of cryptography.</p><p>With effective cryptographic key management, data that is encrypted can still be protected even in the event of a breach, since encrypted data cannot be decrypted without the right keys. Proper usage of encryption and key management will assist an organizations efforts to protect their data. <a href="https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final">NIST SP 800-57 <em>Recommendations for Key Management (Part 1, Revision 5) </em></a>provides an updated guideline for general cryptographic key management.</p><p>At CMS, mechanisms are employed to:</p><ul><li>Prohibit the use of encryption keys that are not recoverable by authorized personnel</li><li>Require senior management approval to authorize recovery of keys by someone other than the key owner</li><li>Comply with approved cryptography standards mentioned in transit and at rest, as defined in the HHS Standard for Encryption of Computing Devices and Information, and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</li></ul><p>At CMS, cryptographic protection applies to both portable storage devices (e.g., USB memory sticks, CDs, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers). This applies to all digital assets like application software, Data Stores (Such as databases and file systems), Cloud Service, and Software As a Service.</p><p>When cryptographic mechanisms are needed, CMS information systems use encryption products that have been validated under the Cryptographic Module Validation Program to confirm compliance with <a href="https://csrc.nist.gov/pubs/fips/140-2/upd2/final#:~:text=This%20Federal%20Information%20Processing%20Standard,of%20potential%20applications%20and%20environments.">Federal Information Processing Standards (FIPS) 140-2</a> in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</p><h3>Key Management Concepts</h3><h4>Key Management Phases</h4><table><tbody><tr><td><strong>Pre-Operational Phase</strong></td><td><strong>Operational Phase</strong></td><td><strong>Post-Operational Phase</strong></td><td><strong>Destroyed Phase</strong></td></tr></tbody></table><p>According to <a href="https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final">NIST SP 800-57 <em>Recommendation for Key Management: Part 1 - General</em></a><em> </em>in Section 8, there are four phases of key management:</p><ol><li><strong>Pre-operational phase</strong>: The keying material is not yet available for normal cryptographic operations. Keys may not yet be generated or are in the pre-activation state. System or enterprise attributes are established during this phase as well.</li><li><strong>Operational phase</strong>: The keying material is available and in normal use. Keys are in the active or suspended state. Keys in the active state may be designated as protect only, process only, or both protect and process; keys in the suspended state can be used for processing only.</li><li><strong>Post-operational phase</strong>: The keying material is no longer in normal use, but access to the keying material is possible, and the keying material may be used for processing protected information. Keys are in the deactivated or compromised states. Keys in the post-operational phase may be in an archive.</li><li><strong>Destroyed phase: </strong>Keys are no longer available. Records of their existence may or may not have been deleted. Keys are in the destroyed state. Although the keys themselves may have been destroyed, the keys metadata (e.g., key name, type, cryptoperiod, and usage period) may be retained. A cryptoperiod is the time span during which a specific key is authorized for use by legitimate entities or the keys for a given system will remain in effect.</li></ol><h4>Key Establishment</h4><p>Key establishment is the process that results in the sharing of a key between two or more entities. This process could be by a manual distribution, by using automated key-transport or key agreement mechanisms, or by key derivation using an already-shared key between or among those entities. Key establishment processes include the creation of a key. Key establishment techniques and issues are discussed in Section 5.3 of <a href="https://csrc.nist.gov/pubs/sp/800/175/b/r1/final">NIST SP 800-175B <em>Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms</em>.</a></p><h4>Key Management Functions</h4><p>Roles and responsibilities need to be defined for the CMS management of at least the following functions:</p><ul><li>The generation or acquisition of key information (i.e., keying material and the associated metadata)</li><li>The secure distribution of private keys, secret keys and the associated metadata</li><li>The establishment of cryptoperiods</li><li>Key and/or certificate inventory management, including procedures for the routine supersession of keys and certificates at the end of a cryptoperiod or validity period</li><li>Procedures for the emergency revocation of compromised keys and the establishment (e.g., distribution) of replacement keys and/or certificates</li><li>Accounting for and the storage and recovery of the operational and backed-up copies of key information</li><li>The storage and recovery of archived key information</li><li>Procedures for checking the integrity of stored key information before using it&nbsp;</li><li>The destruction of private or secret keys that are no longer required</li></ul><h4>Cryptographic Key Management Systems (CKMS)</h4><p>The term cryptographic key management system (CKMS) refers to the framework and services that provide for the generation, establishment, control, accounting, and destruction of cryptographic keys and associated management information.</p><p>It includes all elements (hardware, software, other equipment, and documentation); facilities; personnel; procedures; standards; and information products that form the system that establishes, manages, and supports cryptographic products and services for end entities.</p><p>A CKMS may handle symmetric keys, asymmetric keys or both. Key management policies, practice statements, and specifications should identify common CKMS elements and suggest functions of and relationships among the organizational elements responsible for the management and use of cryptographic keys.</p><p><a href="https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-152.pdf">NIST SP 800-152</a> contains requirements for the design, implementation, and procurement of a CKMS for the CMS organization. A key management system can be designed to provide services for a single individual (e.g., in a personal data-storage system), an organization (e.g., in a secure Virtual Private Network (VPN) for intraoffice communications), or a large complex of organizations (e.g., in secure communications for the U.S. Government).</p><h3>Key Management Planning</h3><p>According to <a href="https://csrc.nist.gov/publications/detail/sp/800-57-part-2/rev-1/final">NIST SP.800-57 Part 2 Revision 1</a>, CMS organizations are required by statutory and administrative rules and guidelines to protect the confidentiality and integrity of their sensitive information and processes. Federal agencies are required to determine a <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf">FIPS 200</a> impact level (i.e., Low, Moderate or High) based on the security categories defined in <a href="https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf">FIPS 199</a>. The security categories are based on the potential impact on an organization if certain events occur that jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals.</p><p>CMS encourages Application Development Organizations (ADOs) to utilize software solutions (both on premises and in the Cloud) that help with the creation, identification, management, retrieval, rotation, and removal of keys - especially when these products help ADOs to better comply with CMS key management policy and its requirements.</p><p>CMS organizations also need to define their security objectives for storing and/or communicating their sensitive information. These objectives may include the following:</p><ul><li>Providing confidentiality for stored and/or transmitted data,</li><li>Source authentication for received data,</li><li>Integrity protection for stored/transmitted data,</li><li>Entity authentication, etc.</li></ul><p>The development of new cryptographic systems, including CKMS, should ideally be conducted following the processes described in <a href="https://csrc.nist.gov/pubs/sp/800/160/v2/r1/ipd#:~:text=Draft%20NIST%20Special%20Publication%20(SP,systems%20from%20the%20inside%20out">NIST SP 800-160 <em>Developing Cyber-Resilient Systems: A Systems Security Engineering Approach</em></a>. However, in many cases, systems that rely on cryptographic protection are already being used. Where such systems are being augmented or otherwise modified, security/privacy planning is still required, but the NIST SP 800-160 processes will need to be abridged or otherwise adapted because of legacy constraints. CMS organizations must still select <a href="https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final">NIST SP 800-53</a>, based on <a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">ARS 5.0</a> Control Catalog, security/privacy controls based on system design, operational characteristics, and FIPS 199 impact levels.</p><p>Key management planning should involve the following steps:</p><ol><li>An appropriate key management architecture is selected based on the available cryptographic mechanisms and objectives. Section 2.3 of <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt2r1.pdf">NIST SP 800-57 Part. 2 Revision 1</a> provides examples of architectures to be considered.</li><li>A Key Management Specification is developed for each cryptographic product to be used in the system. When developing a Key Management Specification for a cryptographic product, the unique key management products and services needed from the CKMS to support the operation of the cryptographic product must be defined. The specification of cryptographic mechanisms, including key management functions, should consider the CMS organizations resource limitations and procedural environment. If a Key Management Plan already exists for a CMS organization, the Key Management Specification needs to be in conformance with the CKMS Security Policy. The CKMS Practice Statement should support both the CKMS Security Policy and the Key Management Specification.</li><li>Based on the Key Management Plan, a CKMS Security Policy (CKMS SP) is developed that documents the decisions made in developing the Key Management Plan. A CKMS SP is a set of rules that are established to describe the goals, responsibilities, and overall requirements for the management of cryptographic keying material throughout the entire key lifecycle.</li><li>A CKMS may be operated by the organization owning the information to be protected, or may be operated by another organization (e.g., under contract). The organization operating the CKMS develops a CKMS Practice Statement (CKMS PS). A CKMS PS specifies how key management procedures and techniques are used to enforce the CKMS SP.</li></ol><h3>Key Strength</h3><p>CMS organizations should consider the following best practices:</p><ul><li>Establish what the application's minimum computational resistance to attack should be. Understanding the minimum computational resistance to attack should take into consideration the sophistication of your adversaries, how long data needs to be protected, where data is stored and if it is exposed. Identifying the computational resistance to attack will inform engineers as to the minimum length of the cryptographic key required to protect data over the life of that data. Consult <a href="https://csrc.nist.gov/pubs/sp/800/131/a/r2/final">NIST SP 800-131a <em>Transitioning the Use of Cryptographic Algorithms and Key Lengths</em></a><em> </em>for additional guidance on determining the appropriate key lengths for the algorithm of choice.</li><li>When encrypting keys for storage or distribution, always encrypt a cryptographic key with another key of equal or greater cryptographic strength.</li><li>Choose a key length that meets or exceeds the comparative strength of other algorithms in use within your system. Refer to <a href="https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final">NIST SP 800-57</a> Table 2.</li><li>Formulate a strategy for the overall organization's cryptographic strategy to guide developers working on different applications and ensure that each application's cryptographic capability meets minimum requirements and best practices.</li><li>Review <a href="https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final">NIST SP 800-57 <em>Recommendation for Key Management </em></a>for recommended guidelines on key strength for specific algorithm implementations.</li></ul><h3>Public Key Infrastructure</h3><p>Public key infrastructure (PKI), as stated in <a href="https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-32.pdf">NIST Special Publication 800-32: <em>Introduction to Public Key Technology and the Federal PKI Infrastructure</em></a>, is the combination of software, encryption technologies, and services that enables enterprises to <a href="https://playbooks.idmanagement.gov/fpki/">protect the security of their communications and business transactions on networks</a>. PKI integrates digital certificates, public key cryptography, and <strong>certification authorities (CA)</strong> into a complete enterprise-wide network security architecture.</p><p>All public key certificates used at CMS are issued in accordance with Federal PKI policy and validated to the Federal PKI trust anchor when being used for user signing, encrypting purposes, authentication, and authorization.</p><p>The CA is responsible for issuing a public key certificate for each identity, confirming that the identity has the appropriate credentials. <em><strong>Note - </strong>certification authority (CA) is similar to a notary. The CA confirms the identities of parties sending and receiving electronic payments or other communications.</em></p><p>At CMS, various Certificate Authority requests are available and processed through the Infrastructure and User Services Group - Division of Operations Management (IUSG-DOM).</p><p>There are two ways to submit a CA request for a certificate:</p><ul><li>Requestor submits a request through the CMS Connect System.</li></ul><p><em><strong>Note: </strong>Only users with a CMS USER ID who have access to or VPN to the CMS Network will be able to login to the Agency Solution for Customer Support (ASCS). If you do not have a CMS USER ID, see option #2 below to submit an email request.</em></p><ul><li>Requestor sends certificate request email to the <strong>CMS - DOMSSLCert </strong>mailbox at <a href="mailto:DOMSSLCert@cms.hhs.gov">DOMSSLCert@cms.hhs.gov</a></li></ul><p>For inquiries on the type of certificate to request, contact the CMS - DOMSSLCert mailbox at <a href="mailto:DOMSSLCert@cms.hhs.gov">DOMSSLCert@cms.hhs.gov</a> for assistance.</p><h3>Key Usage</h3><p>Per NIST SP 800-57 Part 1 Revision 5: <em>Recommendation for Key Management</em>, a single key should be used for only one purpose (e.g., encryption, integrity authentication, key wrapping, random bit generation, or digital signatures).</p><p>There are several reasons for this:</p><ul><li>The use of the same key for two different cryptographic processes may weaken the security provided by one or both of the processes.</li><li>Limiting the use of a key limits the damage that could be done if the key is compromised.</li><li>Some uses of keys interfere with each other. For example, the length of time the key may be required for each use and purpose. Retention requirements of the data may differ for different data types.</li></ul><p>This recommendation permits the use of a private key-transport or key-agreement key to generate a digital signature for the following special case: When requesting the (initial) certificate for a static key-establishment key that was generated as specified in <a href="https://csrc.nist.gov/pubs/fips/186-5/final">FIPS 186-5</a>, the corresponding private key may be used to sign the certificate request.</p><h3>Key Management Lifecycle Best Practices</h3><h4>Generation</h4><p>Cryptographic keys should be generated within cryptographic modules with at least a <a href="https://csrc.nist.gov/pubs/fips/140-2/upd2/final">FIPS 140-2</a> compliance. For explanatory purposes, consider the cryptographic module in which a key is generated to be the key-generating module.</p><p>Any random value required by the key-generating module should be generated within that module; that is, the Random Bit Generator that generates the random value should be implemented within cryptographic modules with at least a FIPS 140-2 compliance that generates the key.</p><p>Hardware cryptographic modules are preferred over software cryptographic modules for protection.</p><h4>Use/Distribution</h4><p>The generated keys should be transported (when necessary) using secure channels and should be used by their associated cryptographic algorithm within at least a FIPS 140-2 compliant cryptographic module. For additional detail for the recommendations in this section refer to <a href="https://csrc.nist.gov/pubs/sp/800/133/r2/final">NIST Special Publication 800-133</a>.</p><p>Keys or secrets should be shared out of band and should never be sent with or alongside the data the secrets or keys they are protecting. Also, secrets shared out-of-band should be protected and not stored somewhere that can be easily compromised (like on a piece of paper on a users desk). Out of band sharing of keys should be deleted or destroyed immediately after use.</p><p>ADOs should also consider using a Diffie-Hellman algorithm like Secure-Remote Procedure Call (S-RPC) for the sharing of keys when out of band sharing is not a viable option. <em><strong>Note</strong> - The DiffieHellman (DH) Algorithm is <strong>a key-exchange protocol </strong>that enables two parties communicating over public channel to establish a mutual secret without it being transmitted over the Internet. DH enables the two to use a public key to encrypt and decrypt their conversation or data using symmetric cryptography.</em></p><p>Examples of how keys can be shared included:</p><ul><li>Use a Key or Secrets Management System</li><li>Use a shared key store or password manager vault</li><li>Use of client-side encrypted pastebin or similar service</li><li>Use of a restricted document</li><li>Sending encrypted data via email (CMS adheres to the encryption requirements in the <a href="https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/policies-guides-encryption.pdf">HHS Standard for Encryption of Computing Devices and Information</a>)</li><li>Using a third-party, CMS approved storage service</li></ul><p>ADOs should document the method being used for the business or system owner. ADOs are also encouraged to use TLS Version 1.2 or 1.3 encryption standards for Data-in-transit.</p><h4>Storage</h4><ul><li>ADOs should document in a Key Management Plan where secrets are being stored, and that documentation should be made available to the business or system owner, and updated as needed but no less than annually. The documentation should be written per system, define types of secrets used, list all secret alias names, creation date, recommended rotation date, level of sensitivity/classification, recommended end of use, business owner, and secret manager. The secrets should be encrypted and stored separately using a KMS solution or service.</li><li>CMS strongly encourages ADOs to use “split knowledge” or “M of N” for very sensitive key storage so that one individual does not have sole access to a key</li><li>Developers must understand where cryptographic keys are stored within the application and understand what memory devices the keys are stored on.</li><li>Keys must be protected on both volatile and persistent memory, ideally processed within secure cryptographic modules.</li><li>Keys should never be stored in plaintext format.</li><li>Ensure all keys are stored in a cryptographic vault, such as a hardware security module (HSM), or isolated cryptographic service or secret management services.</li><li>If you are planning on storing keys in offline devices/databases, then encrypt the keys using Key Encryption Keys (KEKs) prior to the export of the key material. KEK length (and algorithm) should be equivalent to or greater in strength than the keys being protected.</li><li>Ensure that keys have integrity protections applied while in storage (consider dual purpose algorithms that support encryption and Message Authentication Code (MAC)).</li><li>Ensure that standard application-level code never reads or uses cryptographic keys in any way and use key management libraries.</li><li>Ensure that keys and cryptographic operation is done inside a secure cryptographic vault.</li><li>All work should be done in the cryptographic vault (such as key access, encryption, decryption, signing, etc.).</li></ul><h4>Escrow and Backup</h4><p>Data that has been encrypted with lost cryptographic keys will never be recovered. Therefore, it is essential that the application incorporate a secure key backup capability, especially for applications that support data-at-rest encryption for long-term data stores.</p><p>When backing up keys, ensure that the database that is used to store the keys is encrypted using at least a FIPS 140-2 validated module. It is sometimes useful to escrow key material for use in investigations and for re-provisioning of key material to users in the event that the key is lost or corrupted.</p><p>Never escrow keys used for performing digital signatures, but consider the need to escrow keys that support encryption. Oftentimes, escrow can be performed by the Certificate Authority (CA) or key management system that provisions certificates and keys, however in some instances separate APIs must be implemented to allow the system to perform the escrow for the application.</p><h4>Accountability and Audit</h4><p>Accountability involves the identification of those that have access to, or control of, cryptographic keys throughout their lifecycles. Accountability can be an effective tool to help prevent key compromises and to reduce the impact of compromises once they are detected.</p><p>At a minimum, the key management system should account for all individuals who are able to view plaintext cryptographic keys.</p><p>In addition, more sophisticated key-management systems may account for all individuals authorized to access or control any cryptographic keys, whether in plaintext or ciphertext form.</p><p>Accountability provides three significant advantages:</p><ul><li>It aids in the determination of when the compromise could have occurred and what individuals could have been involved.</li><li>It tends to protect against compromise, because individuals with access to the key know that their access to the key is known.</li><li>It is very useful in recovering from a detected key compromise to know where the key was used and what data or other keys were protected by the compromised key.</li></ul><p>Certain principles have been found to be useful in enforcing the accountability of cryptographic keys. These principles might not apply to all systems or all types of keys.</p><p>Some of the principles that apply to long-term keys controlled by humans include:</p><ul><li>Uniquely identifying keys.</li><li>Identifying the key user.</li><li>Identifying the dates and times of key use, along with the data that is protected.</li><li>Identifying other keys that are protected by a symmetric or private key. Two types of audit should be performed on key management systems:</li><li>The security/privacy plan and the procedures that are developed to support the plan should be periodically audited to ensure that they continue to support the Key Management Policy in <a href="https://csrc.nist.gov/publications/detail/sp/800-57-part-2/rev-1/final">NIST SP 800-57</a>.</li><li>The protective mechanisms employed should be periodically reassessed with respect to the level of security that they provide and are expected to provide in the future, and that the mechanisms correctly and effectively support the appropriate policies.</li></ul><p>New technology developments and attacks should be taken into consideration. On a more frequent basis, the actions of the humans that use, operate, and maintain the system should be reviewed to verify that the humans continue to follow established security/privacy procedures.</p><p>Strong cryptographic systems can be compromised by lax and inappropriate human actions. Highly unusual events should be noted and reviewed as possible indicators of attempted attacks on the system.</p><p>Accountability and Audit ensures the security objectives (Confidentiality, Integrity and Availability) are maintained. Effective integrity can be maintained if ADOs incorporate logging and provide for audit trails so we can track who used keys or secrets, for what purpose, etc.</p><p>Integrity of the keys supports non-repudiation.</p><h4>Key Rotation</h4><p>Key rotation provides several benefits, which are not limited to:</p><ul><li>In the event that a key is compromised, regular rotation limits the number of actual messages/systems vulnerable to compromise. If key version is suspected to be compromised, disable it and revoke access to it as soon as possible.</li><li>Regular key rotation ensures CMS systems are resilient to manual rotation, whether due to a security breach or the need to migrate application to a stronger cryptographic algorithm.</li><li>Limiting the number of messages encrypted with the same key version helps prevent attacks enabled by cryptanalysis. Cryptanalysis is the study of ciphertext, ciphers and cryptosystems with the aim of understanding how they work and finding and improving techniques for defeating or weakening them.</li></ul><p>For symmetric encryption, CMS organizations should configure automation key rotation by setting a key rotation period and starting time when key is created.</p><p>For asymmetric encryption, CMS organizations should always manually rotate keys, because the new public key must be distributed before the key pair can be used.</p><p><strong>Recommended minimum frequency of key rotation </strong> Annually.</p><p><em>Note </em>- The rotation schedule can be based on either the key's age or the number or volume of messages encrypted with a key version. <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf">NIST SP 800-57 Recommendation for Key Management </a>describes cryptoperiods as a factor in determining an appropriate period for rotation.</p><p>If responsible personnel have indications that keys have been compromised, they should manually rotate the keys and re-encrypt data that was encrypted by the compromised keys as soon as possible. To re-encrypt data, download the old data, decrypt it with the old key, encrypt the old data using the new key, and then re-upload the re-encrypted data.</p><p>CMS recommends Online Certificate Status Protocol (OCSP) over Certificate Lifecycle Management (CLM) because there can be latencies in the system where CLM may not have the most up to date revocations.</p><h4>Key Revocation</h4><p>According to <a href="https://csrc.nist.gov/pubs/sp/800/57/pt2/final">NIST SP 800-57 Part 2 <em>Recommendation for Key Management: Part 2 Best Practices for Key Management Organizations</em></a>, symmetric keys are often revoked by the use of Compromised Key Lists (CKLs). Certificate Revocation Lists (CRLs) are commonly used to revoke public key certificates, thus revoking the private key corresponding to the public key in the certificate. Regardless of whether symmetric or asymmetric keys are used, a means of revoking keys is recommended.</p><p>This CMS guide will use the term revoked key notification (RKN) to refer to a mechanism to revoke keys. An RKN may include the revocation reason and an indication of when the revocation was requested. The inclusion of the revocation reason can be useful in risk decisions regarding the information that was received or stored using those keys.</p><p>A key may also be suspended from use for a variety of reasons, such as an unknown status of the key or due to the key owner being temporarily unavailable (e.g., the key owner is on extended leave). In the case of a certificate suspension, the intent is to suspend the use of the public key included in the certificate (e.g., to not verify digital signatures or establish keys while the use of the certificate is suspended). This may be communicated to relying parties as an “on hold” revocation reason code in a CRL and in an OCSP response. The certificate may later be revoked (e.g., a compromise of the private key corresponding to the public key in the certificate was confirmed) or the certificate may be reactivated (e.g., the key has not been compromised or the owner returned to work).</p><h4>Compromise of Keys</h4><p>Key compromise occurs when the protective mechanisms for the key fail (e.g., the confidentiality, integrity, or association of the key to its owner fail;) and the key can no longer be trusted to provide the required security. It is the responsibility of an owner of a private or secret key to protect the confidentiality of that key. Reporting a possible key compromise is the responsibility of anyone suspecting that a key has been compromised (e.g., the keys owner or an entity that observes that the data protected by that key has been compromised).</p><p>When a key is compromised, all use of the key to apply cryptographic protection to information (e.g., compute a digital signature or encrypt information) should cease, and the compromised key should be revoked.</p><h4>Guidelines to Minimize the Likelihood of a Key Compromise</h4><ul><li>Periodically rotate keys per the recommendation in this guide;</li><li>Limiting the amount of time that a secret symmetric or asymmetric private key is in plaintext form;</li><li>Preventing humans from viewing plaintext secret symmetric and asymmetric private keys;</li><li>Restricting plaintext secret and private keys to physically protected “containers.” This includes key generators, key-transport devices, key loaders, cryptographic modules, hardware security modules (HSMs), and key-storage devices;</li><li>Using integrity checks to ensure that the integrity of a key or its association with other data has not been compromised. For example, keys may be wrapped (i.e., encrypted and integrity protected) in such a manner that unauthorized modifications to the wrapped key or to the keys metadata will be detected;<ul><li>Providing a cryptographic integrity check on the key (e.g., using a MAC or a digital signature);</li></ul></li><li>Employing key confirmation to help ensure that the proper key was, in fact, established;</li><li>Using trusted timestamps for signed data;</li><li>Destroying keys as soon as they are no longer needed; and</li><li>Creating a compromise-recovery plan, especially in the case of the compromise of a CA key.</li><li>Data (key) dispersion - Data dispersion is recommended either through Redundant Array of Independent Disks (RAID) or use of erasure coding (bit splitting) in the Cloud. Data dispersion also addresses potential legal complications (for Cloud applications) that could arise should a server be confiscated by law enforcement. <strong>Note -</strong><em> RAID (redundant array of independent disks) is a way of storing the same data in different places on multiple hard disks or solid-state drives (SSDs) to protect data in the case of a drive failure.</em></li><li>SSMS (Secret Sharing Made Short) is another standard protocol that is encouraged for key management within Cloud application. <strong>Note -</strong> <em>SSMS uses a three-phase process: encryption of information; use of information dispersal algorithm (IDA), which is designed to efficiently split the data using erasure coding into fragments; and splitting the encryption key itself using the secret-sharing algorithm.</em></li></ul><p>A compromise-recovery plan is essential for restoring cryptographic security services in the event of a key compromise. A compromise-recovery plan should be documented and easily accessible. The plan may be included in a Key-Management Practices Statement39. If not, the Key-Management Practices Statement should reference the compromise-recovery plan.</p><p>According to <a href="https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final">NIST SP 800-57 Part 1 Rev. 5</a>, a compromise-recovery plan should contain:</p><ul><li>An identification of the personnel to notify and what the notification should contain (e.g., the scope of the compromise whether specific keys were compromised or the certificate generation process was compromised);</li><li>An identification of the personnel to perform the recovery actions;</li><li>The method for obtaining a new key (i.e., re-keying);</li><li>An inventory of all cryptographic keys (e.g., the location of all keys and certificates in a system);</li><li>The education of all appropriate personnel on the compromise-recovery procedures;</li><li>An identification of all personnel needed to support the compromise-recovery procedures;</li><li>Policies requiring that key-revocation checking be performed (to minimize the effect of a compromise);</li><li>The monitoring of the re-keying operations (to ensure that all required operations are performed for all affected keys); and</li><li>Any other compromise-recovery procedures.</li></ul><p>Other compromise-recovery procedures may include:</p><ul><li>A physical inspection of the equipment;</li><li>An identification of all information that may be compromised as a result of the incident;</li><li>An identification of all signatures that may be invalid due to the compromise of a signing key; and</li><li>The distribution of new keying material, if required.</li></ul><h4>Key Archive and Key Recovery Functions</h4><p>A key archive is a repository containing keys and their associated information (i.e., key information) for recovery beyond the cryptoperiod of the keys. Not all keys need to be archived. A CMS organizations security/privacy plan should discuss key archiving.</p><p>Access to key archive should be limited to authorized personnel/entities.</p><p>If a key must be recoverable (e.g., after the end of its cryptoperiod), either the key should be archived, or the system should be designed to allow reconstruction (e.g., re-derivation) of the key from archived information. Retrieving the key from archive storage or by reconstruction is commonly known as key recovery. The archive should be maintained by a trusted party (e.g., the CMS organization associated with the key or a trusted third party).</p><p><strong>Note -</strong> <em>A cryptoperiod is the time span during which a specific key is authorized for use by legitimate entities or the keys or a given system will remain in effect.</em></p><p>NIST Special Publication <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf">800-57 Part 1, Revision 5 <em>Recommendation for Key Management: Part 1 General</em></a><em> </em>further addresses the appropriateness of archiving keys and other cryptographically related information.</p><h3>Trust Store</h3><p>A trust store is a repository that contains cryptographic artifacts like certificates and private keys that are used for cryptographic protocols such as TLS. Because the compromise of a cryptographic key compromises all of the information and processes protected by that key, it is essential that client nodes be able to trust that keys and/or key components come from a trusted source, and that their confidentiality (if required) and integrity have been protected both in storage and in transit.</p></div></section></div></div></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"cms-key-management-handbook\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"policy-guidance\",\"cms-key-management-handbook\"],\"initialTree\":[\"\",{\"children\":[\"policy-guidance\",{\"children\":[[\"slug\",\"cms-key-management-handbook\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"policy-guidance\",{\"children\":[[\"slug\",\"cms-key-management-handbook\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"policy-guidance\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"policy-guidance\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[3055,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"907\",\"static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js\"],\"default\"]\n18:Tb185,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eBackground\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis handbook aligns with the \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final\"\u003eNational Institute of Standards and Technology (NIST) Special Publication (SP) 800-57\u003c/a\u003e series, the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"\u003eCMS IS2P2\u003c/a\u003e, and the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/federal-information-systems-management-act-fisma\"\u003eFISMA\u003c/a\u003e further emphasizes the importance of continuously monitoring information system security by requiring agencies to conduct assessments of security controls at a risk-defined frequency. The CMS ARS states that CMS information systems must define, develop, disseminate, review, and update its Risk Assessment documentation at least once every three years or whenever a significant change has occurred. This includes a formal, documented system security/privacy package that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and formal, documented processes and procedures to facilitate the implementation of the policy and associated controls.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePolicy\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePolicy delineates the security management structure, clearly assigns security responsibilities, and lays the foundation necessary to reliably measure progress, compliance, and direction to all CMS employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems or systems maintained on behalf of CMS to assure the confidentiality, integrity, and availability of CMS information and information systems.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eInformation Systems Security and Privacy Policy (IS2P2)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"\u003eCMS IS2P2\u003c/a\u003e defines the framework and policy under which CMS protects and controls access to CMS information and information systems in compliance with the Department of Human and Health Services (HHS) policy, federal law, and regulations. This policy requires all CMS stakeholders to implement adequate information security and privacy safeguards to protect all CMS's sensitive information.\u003c/p\u003e\u003cp\u003eThe policies contained within the CMS IS2P2 assist in satisfying the requirements for controls that require CMS to create a policy and associated procedures related to information systems.\u003c/p\u003e\u003cp\u003eThe dynamic nature of information security and privacy disciplines and the constant need for assessing risk across the CMS environment can result in gaps in policy, outside of the routine policy review cycle. The CMS Policy Framework includes the option to issue a \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Policies\"\u003eCIO Directive\u003c/a\u003e to address these types of gaps in CMS policy by providing guidance to CMS stakeholders while a policy is being developed, updated, cleared, and approved.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eChief Information Officer (CIO) Directives\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS Chief Information Officer (CIO), the CMS Chief Information Security Officer (CISO), and the CMS Senior Official for Privacy (SOP) jointly develop and maintain the CMS IS2P2. The CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eStandards\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eStandards define both functional and assurance requirements within the CMS security and privacy environment. CMS policy is executed with the requirements prescribed in standards with the objective of enabling consistency across the CMS environment. The CMS environment includes users, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks. These components are responsible for meeting and complying with the security and privacy baseline defined in policy and further prescribed in standards. The parameters and thresholds for policy implementation are built into the CMS standards, and provide a foundation for the procedural guidance provided by the Program Guide series.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecrets Management\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA secret is a digital authentication credential. Secrets are individually named sets of sensitive information, and address a broad spectrum of secure data. Secrets need to be protected against unauthorized disclosure, and all keys need to be protected against modification, tempering, deletion and disclosure. There are different types of secrets, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUser passwords\u003c/li\u003e\u003cli\u003eRoot passwords\u003c/li\u003e\u003cli\u003eApplication and database passwords\u003c/li\u003e\u003cli\u003eAuto-generated encryption keys\u003c/li\u003e\u003cli\u003ePrivate encryption keys\u003c/li\u003e\u003cli\u003eApplication Programming Interface (API) keys\u003c/li\u003e\u003cli\u003eApplication keys\u003c/li\u003e\u003cli\u003eSecure Shell (SSH) keys\u003c/li\u003e\u003cli\u003eIAM secret keys\u003c/li\u003e\u003cli\u003eProgrammatic access keys (project / client IDs)\u003c/li\u003e\u003cli\u003eAuthorization tokens\u003c/li\u003e\u003cli\u003eBearer tokens\u003c/li\u003e\u003cli\u003eCertificates\u003c/li\u003e\u003cli\u003ePrivate certificates (e.g. Transport Layer Security (TLS), Secure Sockets Layer (SSL))\u003c/li\u003e\u003cli\u003eRSA and other one-time password devices\u003c/li\u003e\u003cli\u003eAccount tags\u003c/li\u003e\u003cli\u003ePassphrases\u003c/li\u003e\u003cli\u003eAny other application tokens that are deemed confidential\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSecrets management refers to the tools and methods for managing digital authentication credentials (secrets), including passwords, keys, APIs, and tokens for use in applications, services, privileged accounts and other sensitive parts of the IT ecosystem.\u003c/p\u003e\u003cp\u003ePasswords and keys are some of the most broadly used and important tools your organization has for authenticating applications and users and providing them with access to sensitive systems, services, and information. Because secrets have to be transmitted securely, secrets management must account for and mitigate the risks to these secrets, both in transit and at rest.\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote \u003c/strong\u003eRoot access keys should be protected at all costs and deleted if possible. A bad actor may shut down servers, delete data, create and destroy users, or any other API capability with the root users key. For this reason, CMS highly recommends that root access key should not be in use or should be disabled if already in use. CMS also recommends keeping the root users credentials safe and private. Do not share them with other employees or contractors. It is also advisable to activate Multi Factor Authentication (MFA) for the root account to protect it even if the password leaks. Also, access and secret access keys should only be developed at a user level, and never at a root level.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThe security objectives (Confidentiality, Integrity and Availability) should always be protected in regards to secrets management. The \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFederal Information Processing Standards (FIPS) Publication 199\u003c/a\u003e defines three levels of potential impact on organizations or individuals (low, moderate, high) should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability) and has additional examples on the impact of loss of one or more of the security objectives.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eKey Management\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eKey management refers to managing cryptographic keys within a cryptosystem. The term “cryptosystem” is shorthand for “cryptographic system” and refers to a computer system that employs cryptography, a method of protecting information and communications through the use of codes so that only those for whom the information is intended can read and process it.\u003c/p\u003e\u003cp\u003eCryptosystems deal with generating, exchanging, storing, using and replacing keys as needed at the user level.\u003c/p\u003e\u003cp\u003eThe security of the cryptosystem is dependent upon successful key management. Proper management ensures a key stays safe throughout its lifecycle, from generation and use to storing and deletion.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCryptographic Keys\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCryptography is used to secure communications over networks, to protect information stored in databases, and for many other critical applications. Cryptographic keys play an important part in the operation of cryptography.\u003c/p\u003e\u003cp\u003eWith effective cryptographic key management, data that is encrypted can still be protected even in the event of a breach, since encrypted data cannot be decrypted without the right keys. Proper usage of encryption and key management will assist an organizations efforts to protect their data. \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final\"\u003eNIST SP 800-57 \u003cem\u003eRecommendations for Key Management (Part 1, Revision 5) \u003c/em\u003e\u003c/a\u003eprovides an updated guideline for general cryptographic key management.\u003c/p\u003e\u003cp\u003eAt CMS, mechanisms are employed to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProhibit the use of encryption keys that are not recoverable by authorized personnel\u003c/li\u003e\u003cli\u003eRequire senior management approval to authorize recovery of keys by someone other than the key owner\u003c/li\u003e\u003cli\u003eComply with approved cryptography standards mentioned in transit and at rest, as defined in the HHS Standard for Encryption of Computing Devices and Information, and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAt CMS, cryptographic protection applies to both portable storage devices (e.g., USB memory sticks, CDs, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers). This applies to all digital assets like application software, Data Stores (Such as databases and file systems), Cloud Service, and Software As a Service.\u003c/p\u003e\u003cp\u003eWhen cryptographic mechanisms are needed, CMS information systems use encryption products that have been validated under the Cryptographic Module Validation Program to confirm compliance with \u003ca href=\"https://csrc.nist.gov/pubs/fips/140-2/upd2/final#:~:text=This%20Federal%20Information%20Processing%20Standard,of%20potential%20applications%20and%20environments.\"\u003eFederal Information Processing Standards (FIPS) 140-2\u003c/a\u003e in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKey Management Concepts\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eKey Management Phases\u003c/strong\u003e\u003c/h4\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePre-Operational Phase\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eOperational Phase\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003ePost-Operational Phase\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDestroyed Phase\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAccording to \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final\"\u003eNIST SP 800-57 \u003cem\u003eRecommendation for Key Management: Part 1 - General\u003c/em\u003e\u003c/a\u003e\u003cem\u003e \u003c/em\u003ein Section 8, there are four phases of key management:\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003ePre-operational phase\u003c/strong\u003e: The keying material is not yet available for normal cryptographic operations. Keys may not yet be generated or are in the pre-activation state. System or enterprise attributes are established during this phase as well.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eOperational phase\u003c/strong\u003e: The keying material is available and in normal use. Keys are in the active or suspended state. Keys in the active state may be designated as protect only, process only, or both protect and process; keys in the suspended state can be used for processing only.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePost-operational phase\u003c/strong\u003e: The keying material is no longer in normal use, but access to the keying material is possible, and the keying material may be used for processing protected information. Keys are in the deactivated or compromised states. Keys in the post-operational phase may be in an archive.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eDestroyed phase: \u003c/strong\u003eKeys are no longer available. Records of their existence may or may not have been deleted. Keys are in the destroyed state. Although the keys themselves may have been destroyed, the keys metadata (e.g., key name, type, cryptoperiod, and usage period) may be retained. A cryptoperiod is the time span during which a specific key is authorized for use by legitimate entities or the keys for a given system will remain in effect.\u003c/li\u003e\u003c/ol\u003e\u003ch4\u003e\u003cstrong\u003eKey Establishment\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eKey establishment is the process that results in the sharing of a key between two or more entities. This process could be by a manual distribution, by using automated key-transport or key agreement mechanisms, or by key derivation using an already-shared key between or among those entities. Key establishment processes include the creation of a key. Key establishment techniques and issues are discussed in Section 5.3 of \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/175/b/r1/final\"\u003eNIST SP 800-175B \u003cem\u003eGuideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms\u003c/em\u003e.\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eKey Management Functions\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eRoles and responsibilities need to be defined for the CMS management of at least the following functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe generation or acquisition of key information (i.e., keying material and the associated metadata)\u003c/li\u003e\u003cli\u003eThe secure distribution of private keys, secret keys and the associated metadata\u003c/li\u003e\u003cli\u003eThe establishment of cryptoperiods\u003c/li\u003e\u003cli\u003eKey and/or certificate inventory management, including procedures for the routine supersession of keys and certificates at the end of a cryptoperiod or validity period\u003c/li\u003e\u003cli\u003eProcedures for the emergency revocation of compromised keys and the establishment (e.g., distribution) of replacement keys and/or certificates\u003c/li\u003e\u003cli\u003eAccounting for and the storage and recovery of the operational and backed-up copies of key information\u003c/li\u003e\u003cli\u003eThe storage and recovery of archived key information\u003c/li\u003e\u003cli\u003eProcedures for checking the integrity of stored key information before using it\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe destruction of private or secret keys that are no longer required\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCryptographic Key Management Systems (CKMS)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe term cryptographic key management system (CKMS) refers to the framework and services that provide for the generation, establishment, control, accounting, and destruction of cryptographic keys and associated management information.\u003c/p\u003e\u003cp\u003eIt includes all elements (hardware, software, other equipment, and documentation); facilities; personnel; procedures; standards; and information products that form the system that establishes, manages, and supports cryptographic products and services for end entities.\u003c/p\u003e\u003cp\u003eA CKMS may handle symmetric keys, asymmetric keys or both. Key management policies, practice statements, and specifications should identify common CKMS elements and suggest functions of and relationships among the organizational elements responsible for the management and use of cryptographic keys.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-152.pdf\"\u003eNIST SP 800-152\u003c/a\u003e contains requirements for the design, implementation, and procurement of a CKMS for the CMS organization. A key management system can be designed to provide services for a single individual (e.g., in a personal data-storage system), an organization (e.g., in a secure Virtual Private Network (VPN) for intraoffice communications), or a large complex of organizations (e.g., in secure communications for the U.S. Government).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKey Management Planning\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAccording to \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-57-part-2/rev-1/final\"\u003eNIST SP.800-57 Part 2 Revision 1\u003c/a\u003e, CMS organizations are required by statutory and administrative rules and guidelines to protect the confidentiality and integrity of their sensitive information and processes. Federal agencies are required to determine a \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf\"\u003eFIPS 200\u003c/a\u003e impact level (i.e., Low, Moderate or High) based on the security categories defined in \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFIPS 199\u003c/a\u003e. The security categories are based on the potential impact on an organization if certain events occur that jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals.\u003c/p\u003e\u003cp\u003eCMS encourages Application Development Organizations (ADOs) to utilize software solutions (both on premises and in the Cloud) that help with the creation, identification, management, retrieval, rotation, and removal of keys - especially when these products help ADOs to better comply with CMS key management policy and its requirements.\u003c/p\u003e\u003cp\u003eCMS organizations also need to define their security objectives for storing and/or communicating their sensitive information. These objectives may include the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProviding confidentiality for stored and/or transmitted data,\u003c/li\u003e\u003cli\u003eSource authentication for received data,\u003c/li\u003e\u003cli\u003eIntegrity protection for stored/transmitted data,\u003c/li\u003e\u003cli\u003eEntity authentication, etc.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe development of new cryptographic systems, including CKMS, should ideally be conducted following the processes described in \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/160/v2/r1/ipd#:~:text=Draft%20NIST%20Special%20Publication%20(SP,systems%20from%20the%20inside%20out\"\u003eNIST SP 800-160 \u003cem\u003eDeveloping Cyber-Resilient Systems: A Systems Security Engineering Approach\u003c/em\u003e\u003c/a\u003e. However, in many cases, systems that rely on cryptographic protection are already being used. Where such systems are being augmented or otherwise modified, security/privacy planning is still required, but the NIST SP 800-160 processes will need to be abridged or otherwise adapted because of legacy constraints. CMS organizations must still select \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST SP 800-53\u003c/a\u003e, based on \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eARS 5.0\u003c/a\u003e Control Catalog, security/privacy controls based on system design, operational characteristics, and FIPS 199 impact levels.\u003c/p\u003e\u003cp\u003eKey management planning should involve the following steps:\u003c/p\u003e\u003col\u003e\u003cli\u003eAn appropriate key management architecture is selected based on the available cryptographic mechanisms and objectives. Section 2.3 of \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt2r1.pdf\"\u003eNIST SP 800-57 Part. 2 Revision 1\u003c/a\u003e provides examples of architectures to be considered.\u003c/li\u003e\u003cli\u003eA Key Management Specification is developed for each cryptographic product to be used in the system. When developing a Key Management Specification for a cryptographic product, the unique key management products and services needed from the CKMS to support the operation of the cryptographic product must be defined. The specification of cryptographic mechanisms, including key management functions, should consider the CMS organizations resource limitations and procedural environment. If a Key Management Plan already exists for a CMS organization, the Key Management Specification needs to be in conformance with the CKMS Security Policy. The CKMS Practice Statement should support both the CKMS Security Policy and the Key Management Specification.\u003c/li\u003e\u003cli\u003eBased on the Key Management Plan, a CKMS Security Policy (CKMS SP) is developed that documents the decisions made in developing the Key Management Plan. A CKMS SP is a set of rules that are established to describe the goals, responsibilities, and overall requirements for the management of cryptographic keying material throughout the entire key lifecycle.\u003c/li\u003e\u003cli\u003eA CKMS may be operated by the organization owning the information to be protected, or may be operated by another organization (e.g., under contract). The organization operating the CKMS develops a CKMS Practice Statement (CKMS PS). A CKMS PS specifies how key management procedures and techniques are used to enforce the CKMS SP.\u003c/li\u003e\u003c/ol\u003e\u003ch3\u003e\u003cstrong\u003eKey Strength\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS organizations should consider the following best practices:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEstablish what the application's minimum computational resistance to attack should be. Understanding the minimum computational resistance to attack should take into consideration the sophistication of your adversaries, how long data needs to be protected, where data is stored and if it is exposed. Identifying the computational resistance to attack will inform engineers as to the minimum length of the cryptographic key required to protect data over the life of that data. Consult \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/131/a/r2/final\"\u003eNIST SP 800-131a \u003cem\u003eTransitioning the Use of Cryptographic Algorithms and Key Lengths\u003c/em\u003e\u003c/a\u003e\u003cem\u003e \u003c/em\u003efor additional guidance on determining the appropriate key lengths for the algorithm of choice.\u003c/li\u003e\u003cli\u003eWhen encrypting keys for storage or distribution, always encrypt a cryptographic key with another key of equal or greater cryptographic strength.\u003c/li\u003e\u003cli\u003eChoose a key length that meets or exceeds the comparative strength of other algorithms in use within your system. Refer to \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final\"\u003eNIST SP 800-57\u003c/a\u003e Table 2.\u003c/li\u003e\u003cli\u003eFormulate a strategy for the overall organization's cryptographic strategy to guide developers working on different applications and ensure that each application's cryptographic capability meets minimum requirements and best practices.\u003c/li\u003e\u003cli\u003eReview \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final\"\u003eNIST SP 800-57 \u003cem\u003eRecommendation for Key Management \u003c/em\u003e\u003c/a\u003efor recommended guidelines on key strength for specific algorithm implementations.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003ePublic Key Infrastructure\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePublic key infrastructure (PKI), as stated in \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-32.pdf\"\u003eNIST Special Publication 800-32: \u003cem\u003eIntroduction to Public Key Technology and the Federal PKI Infrastructure\u003c/em\u003e\u003c/a\u003e, is the combination of software, encryption technologies, and services that enables enterprises to \u003ca href=\"https://playbooks.idmanagement.gov/fpki/\"\u003eprotect the security of their communications and business transactions on networks\u003c/a\u003e. PKI integrates digital certificates, public key cryptography, and \u003cstrong\u003ecertification authorities (CA)\u003c/strong\u003e into a complete enterprise-wide network security architecture.\u003c/p\u003e\u003cp\u003eAll public key certificates used at CMS are issued in accordance with Federal PKI policy and validated to the Federal PKI trust anchor when being used for user signing, encrypting purposes, authentication, and authorization.\u003c/p\u003e\u003cp\u003eThe CA is responsible for issuing a public key certificate for each identity, confirming that the identity has the appropriate credentials. \u003cem\u003e\u003cstrong\u003eNote - \u003c/strong\u003ecertification authority (CA) is similar to a notary. The CA confirms the identities of parties sending and receiving electronic payments or other communications.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eAt CMS, various Certificate Authority requests are available and processed through the Infrastructure and User Services Group - Division of Operations Management (IUSG-DOM).\u003c/p\u003e\u003cp\u003eThere are two ways to submit a CA request for a certificate:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRequestor submits a request through the CMS Connect System.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eOnly users with a CMS USER ID who have access to or VPN to the CMS Network will be able to login to the Agency Solution for Customer Support (ASCS). If you do not have a CMS USER ID, see option #2 below to submit an email request.\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eRequestor sends certificate request email to the \u003cstrong\u003eCMS - DOMSSLCert \u003c/strong\u003emailbox at \u003ca href=\"mailto:DOMSSLCert@cms.hhs.gov\"\u003eDOMSSLCert@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor inquiries on the type of certificate to request, contact the CMS - DOMSSLCert mailbox at \u003ca href=\"mailto:DOMSSLCert@cms.hhs.gov\"\u003eDOMSSLCert@cms.hhs.gov\u003c/a\u003e for assistance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKey Usage\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePer NIST SP 800-57 Part 1 Revision 5: \u003cem\u003eRecommendation for Key Management\u003c/em\u003e, a single key should be used for only one purpose (e.g., encryption, integrity authentication, key wrapping, random bit generation, or digital signatures).\u003c/p\u003e\u003cp\u003eThere are several reasons for this:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe use of the same key for two different cryptographic processes may weaken the security provided by one or both of the processes.\u003c/li\u003e\u003cli\u003eLimiting the use of a key limits the damage that could be done if the key is compromised.\u003c/li\u003e\u003cli\u003eSome uses of keys interfere with each other. For example, the length of time the key may be required for each use and purpose. Retention requirements of the data may differ for different data types.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis recommendation permits the use of a private key-transport or key-agreement key to generate a digital signature for the following special case: When requesting the (initial) certificate for a static key-establishment key that was generated as specified in \u003ca href=\"https://csrc.nist.gov/pubs/fips/186-5/final\"\u003eFIPS 186-5\u003c/a\u003e, the corresponding private key may be used to sign the certificate request.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKey Management Lifecycle Best Practices\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eGeneration\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCryptographic keys should be generated within cryptographic modules with at least a \u003ca href=\"https://csrc.nist.gov/pubs/fips/140-2/upd2/final\"\u003eFIPS 140-2\u003c/a\u003e compliance. For explanatory purposes, consider the cryptographic module in which a key is generated to be the key-generating module.\u003c/p\u003e\u003cp\u003eAny random value required by the key-generating module should be generated within that module; that is, the Random Bit Generator that generates the random value should be implemented within cryptographic modules with at least a FIPS 140-2 compliance that generates the key.\u003c/p\u003e\u003cp\u003eHardware cryptographic modules are preferred over software cryptographic modules for protection.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eUse/Distribution\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe generated keys should be transported (when necessary) using secure channels and should be used by their associated cryptographic algorithm within at least a FIPS 140-2 compliant cryptographic module. For additional detail for the recommendations in this section refer to \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/133/r2/final\"\u003eNIST Special Publication 800-133\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eKeys or secrets should be shared out of band and should never be sent with or alongside the data the secrets or keys they are protecting. Also, secrets shared out-of-band should be protected and not stored somewhere that can be easily compromised (like on a piece of paper on a users desk). Out of band sharing of keys should be deleted or destroyed immediately after use.\u003c/p\u003e\u003cp\u003eADOs should also consider using a Diffie-Hellman algorithm like Secure-Remote Procedure Call (S-RPC) for the sharing of keys when out of band sharing is not a viable option. \u003cem\u003e\u003cstrong\u003eNote\u003c/strong\u003e - The DiffieHellman (DH) Algorithm is \u003cstrong\u003ea key-exchange protocol \u003c/strong\u003ethat enables two parties communicating over public channel to establish a mutual secret without it being transmitted over the Internet. DH enables the two to use a public key to encrypt and decrypt their conversation or data using symmetric cryptography.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eExamples of how keys can be shared included:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUse a Key or Secrets Management System\u003c/li\u003e\u003cli\u003eUse a shared key store or password manager vault\u003c/li\u003e\u003cli\u003eUse of client-side encrypted pastebin or similar service\u003c/li\u003e\u003cli\u003eUse of a restricted document\u003c/li\u003e\u003cli\u003eSending encrypted data via email (CMS adheres to the encryption requirements in the \u003ca href=\"https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/policies-guides-encryption.pdf\"\u003eHHS Standard for Encryption of Computing Devices and Information\u003c/a\u003e)\u003c/li\u003e\u003cli\u003eUsing a third-party, CMS approved storage service\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eADOs should document the method being used for the business or system owner. ADOs are also encouraged to use TLS Version 1.2 or 1.3 encryption standards for Data-in-transit.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eStorage\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eADOs should document in a Key Management Plan where secrets are being stored, and that documentation should be made available to the business or system owner, and updated as needed but no less than annually. The documentation should be written per system, define types of secrets used, list all secret alias names, creation date, recommended rotation date, level of sensitivity/classification, recommended end of use, business owner, and secret manager. The secrets should be encrypted and stored separately using a KMS solution or service.\u003c/li\u003e\u003cli\u003eCMS strongly encourages ADOs to use “split knowledge” or “M of N” for very sensitive key storage so that one individual does not have sole access to a key\u003c/li\u003e\u003cli\u003eDevelopers must understand where cryptographic keys are stored within the application and understand what memory devices the keys are stored on.\u003c/li\u003e\u003cli\u003eKeys must be protected on both volatile and persistent memory, ideally processed within secure cryptographic modules.\u003c/li\u003e\u003cli\u003eKeys should never be stored in plaintext format.\u003c/li\u003e\u003cli\u003eEnsure all keys are stored in a cryptographic vault, such as a hardware security module (HSM), or isolated cryptographic service or secret management services.\u003c/li\u003e\u003cli\u003eIf you are planning on storing keys in offline devices/databases, then encrypt the keys using Key Encryption Keys (KEKs) prior to the export of the key material. KEK length (and algorithm) should be equivalent to or greater in strength than the keys being protected.\u003c/li\u003e\u003cli\u003eEnsure that keys have integrity protections applied while in storage (consider dual purpose algorithms that support encryption and Message Authentication Code (MAC)).\u003c/li\u003e\u003cli\u003eEnsure that standard application-level code never reads or uses cryptographic keys in any way and use key management libraries.\u003c/li\u003e\u003cli\u003eEnsure that keys and cryptographic operation is done inside a secure cryptographic vault.\u003c/li\u003e\u003cli\u003eAll work should be done in the cryptographic vault (such as key access, encryption, decryption, signing, etc.).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eEscrow and Backup\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eData that has been encrypted with lost cryptographic keys will never be recovered. Therefore, it is essential that the application incorporate a secure key backup capability, especially for applications that support data-at-rest encryption for long-term data stores.\u003c/p\u003e\u003cp\u003eWhen backing up keys, ensure that the database that is used to store the keys is encrypted using at least a FIPS 140-2 validated module. It is sometimes useful to escrow key material for use in investigations and for re-provisioning of key material to users in the event that the key is lost or corrupted.\u003c/p\u003e\u003cp\u003eNever escrow keys used for performing digital signatures, but consider the need to escrow keys that support encryption. Oftentimes, escrow can be performed by the Certificate Authority (CA) or key management system that provisions certificates and keys, however in some instances separate APIs must be implemented to allow the system to perform the escrow for the application.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAccountability and Audit\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAccountability involves the identification of those that have access to, or control of, cryptographic keys throughout their lifecycles. Accountability can be an effective tool to help prevent key compromises and to reduce the impact of compromises once they are detected.\u003c/p\u003e\u003cp\u003eAt a minimum, the key management system should account for all individuals who are able to view plaintext cryptographic keys.\u003c/p\u003e\u003cp\u003eIn addition, more sophisticated key-management systems may account for all individuals authorized to access or control any cryptographic keys, whether in plaintext or ciphertext form.\u003c/p\u003e\u003cp\u003eAccountability provides three significant advantages:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIt aids in the determination of when the compromise could have occurred and what individuals could have been involved.\u003c/li\u003e\u003cli\u003eIt tends to protect against compromise, because individuals with access to the key know that their access to the key is known.\u003c/li\u003e\u003cli\u003eIt is very useful in recovering from a detected key compromise to know where the key was used and what data or other keys were protected by the compromised key.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCertain principles have been found to be useful in enforcing the accountability of cryptographic keys. These principles might not apply to all systems or all types of keys.\u003c/p\u003e\u003cp\u003eSome of the principles that apply to long-term keys controlled by humans include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUniquely identifying keys.\u003c/li\u003e\u003cli\u003eIdentifying the key user.\u003c/li\u003e\u003cli\u003eIdentifying the dates and times of key use, along with the data that is protected.\u003c/li\u003e\u003cli\u003eIdentifying other keys that are protected by a symmetric or private key. Two types of audit should be performed on key management systems:\u003c/li\u003e\u003cli\u003eThe security/privacy plan and the procedures that are developed to support the plan should be periodically audited to ensure that they continue to support the Key Management Policy in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-57-part-2/rev-1/final\"\u003eNIST SP 800-57\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eThe protective mechanisms employed should be periodically reassessed with respect to the level of security that they provide and are expected to provide in the future, and that the mechanisms correctly and effectively support the appropriate policies.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eNew technology developments and attacks should be taken into consideration. On a more frequent basis, the actions of the humans that use, operate, and maintain the system should be reviewed to verify that the humans continue to follow established security/privacy procedures.\u003c/p\u003e\u003cp\u003eStrong cryptographic systems can be compromised by lax and inappropriate human actions. Highly unusual events should be noted and reviewed as possible indicators of attempted attacks on the system.\u003c/p\u003e\u003cp\u003eAccountability and Audit ensures the security objectives (Confidentiality, Integrity and Availability) are maintained. Effective integrity can be maintained if ADOs incorporate logging and provide for audit trails so we can track who used keys or secrets, for what purpose, etc.\u003c/p\u003e\u003cp\u003eIntegrity of the keys supports non-repudiation.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eKey Rotation\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eKey rotation provides several benefits, which are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIn the event that a key is compromised, regular rotation limits the number of actual messages/systems vulnerable to compromise. If key version is suspected to be compromised, disable it and revoke access to it as soon as possible.\u003c/li\u003e\u003cli\u003eRegular key rotation ensures CMS systems are resilient to manual rotation, whether due to a security breach or the need to migrate application to a stronger cryptographic algorithm.\u003c/li\u003e\u003cli\u003eLimiting the number of messages encrypted with the same key version helps prevent attacks enabled by cryptanalysis. Cryptanalysis is the study of ciphertext, ciphers and cryptosystems with the aim of understanding how they work and finding and improving techniques for defeating or weakening them.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor symmetric encryption, CMS organizations should configure automation key rotation by setting a key rotation period and starting time when key is created.\u003c/p\u003e\u003cp\u003eFor asymmetric encryption, CMS organizations should always manually rotate keys, because the new public key must be distributed before the key pair can be used.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecommended minimum frequency of key rotation \u003c/strong\u003e Annually.\u003c/p\u003e\u003cp\u003e\u003cem\u003eNote \u003c/em\u003e- The rotation schedule can be based on either the key's age or the number or volume of messages encrypted with a key version. \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf\"\u003eNIST SP 800-57 Recommendation for Key Management \u003c/a\u003edescribes cryptoperiods as a factor in determining an appropriate period for rotation.\u003c/p\u003e\u003cp\u003eIf responsible personnel have indications that keys have been compromised, they should manually rotate the keys and re-encrypt data that was encrypted by the compromised keys as soon as possible. To re-encrypt data, download the old data, decrypt it with the old key, encrypt the old data using the new key, and then re-upload the re-encrypted data.\u003c/p\u003e\u003cp\u003eCMS recommends Online Certificate Status Protocol (OCSP) over Certificate Lifecycle Management (CLM) because there can be latencies in the system where CLM may not have the most up to date revocations.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eKey Revocation\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAccording to \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/57/pt2/final\"\u003eNIST SP 800-57 Part 2 \u003cem\u003eRecommendation for Key Management: Part 2 Best Practices for Key Management Organizations\u003c/em\u003e\u003c/a\u003e, symmetric keys are often revoked by the use of Compromised Key Lists (CKLs). Certificate Revocation Lists (CRLs) are commonly used to revoke public key certificates, thus revoking the private key corresponding to the public key in the certificate. Regardless of whether symmetric or asymmetric keys are used, a means of revoking keys is recommended.\u003c/p\u003e\u003cp\u003eThis CMS guide will use the term revoked key notification (RKN) to refer to a mechanism to revoke keys. An RKN may include the revocation reason and an indication of when the revocation was requested. The inclusion of the revocation reason can be useful in risk decisions regarding the information that was received or stored using those keys.\u003c/p\u003e\u003cp\u003eA key may also be suspended from use for a variety of reasons, such as an unknown status of the key or due to the key owner being temporarily unavailable (e.g., the key owner is on extended leave). In the case of a certificate suspension, the intent is to suspend the use of the public key included in the certificate (e.g., to not verify digital signatures or establish keys while the use of the certificate is suspended). This may be communicated to relying parties as an “on hold” revocation reason code in a CRL and in an OCSP response. The certificate may later be revoked (e.g., a compromise of the private key corresponding to the public key in the certificate was confirmed) or the certificate may be reactivated (e.g., the key has not been compromised or the owner returned to work).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCompromise of Keys\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eKey compromise occurs when the protective mechanisms for the key fail (e.g., the confidentiality, integrity, or association of the key to its owner fail;) and the key can no longer be trusted to provide the required security. It is the responsibility of an owner of a private or secret key to protect the confidentiality of that key. Reporting a possible key compromise is the responsibility of anyone suspecting that a key has been compromised (e.g., the keys owner or an entity that observes that the data protected by that key has been compromised).\u003c/p\u003e\u003cp\u003eWhen a key is compromised, all use of the key to apply cryptographic protection to information (e.g., compute a digital signature or encrypt information) should cease, and the compromised key should be revoked.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eGuidelines to Minimize the Likelihood of a Key Compromise\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003ePeriodically rotate keys per the recommendation in this guide;\u003c/li\u003e\u003cli\u003eLimiting the amount of time that a secret symmetric or asymmetric private key is in plaintext form;\u003c/li\u003e\u003cli\u003ePreventing humans from viewing plaintext secret symmetric and asymmetric private keys;\u003c/li\u003e\u003cli\u003eRestricting plaintext secret and private keys to physically protected “containers.” This includes key generators, key-transport devices, key loaders, cryptographic modules, hardware security modules (HSMs), and key-storage devices;\u003c/li\u003e\u003cli\u003eUsing integrity checks to ensure that the integrity of a key or its association with other data has not been compromised. For example, keys may be wrapped (i.e., encrypted and integrity protected) in such a manner that unauthorized modifications to the wrapped key or to the keys metadata will be detected;\u003cul\u003e\u003cli\u003eProviding a cryptographic integrity check on the key (e.g., using a MAC or a digital signature);\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEmploying key confirmation to help ensure that the proper key was, in fact, established;\u003c/li\u003e\u003cli\u003eUsing trusted timestamps for signed data;\u003c/li\u003e\u003cli\u003eDestroying keys as soon as they are no longer needed; and\u003c/li\u003e\u003cli\u003eCreating a compromise-recovery plan, especially in the case of the compromise of a CA key.\u003c/li\u003e\u003cli\u003eData (key) dispersion - Data dispersion is recommended either through Redundant Array of Independent Disks (RAID) or use of erasure coding (bit splitting) in the Cloud. Data dispersion also addresses potential legal complications (for Cloud applications) that could arise should a server be confiscated by law enforcement. \u003cstrong\u003eNote -\u003c/strong\u003e\u003cem\u003e RAID (redundant array of independent disks) is a way of storing the same data in different places on multiple hard disks or solid-state drives (SSDs) to protect data in the case of a drive failure.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eSSMS (Secret Sharing Made Short) is another standard protocol that is encouraged for key management within Cloud application. \u003cstrong\u003eNote -\u003c/strong\u003e \u003cem\u003eSSMS uses a three-phase process: encryption of information; use of information dispersal algorithm (IDA), which is designed to efficiently split the data using erasure coding into fragments; and splitting the encryption key itself using the secret-sharing algorithm.\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eA compromise-recovery plan is essential for restoring cryptographic security services in the event of a key compromise. A compromise-recovery plan should be documented and easily accessible. The plan may be included in a Key-Management Practices Statement39. If not, the Key-Management Practices Statement should reference the compromise-recovery plan.\u003c/p\u003e\u003cp\u003eAccording to \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final\"\u003eNIST SP 800-57 Part 1 Rev. 5\u003c/a\u003e, a compromise-recovery plan should contain:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAn identification of the personnel to notify and what the notification should contain (e.g., the scope of the compromise whether specific keys were compromised or the certificate generation process was compromised);\u003c/li\u003e\u003cli\u003eAn identification of the personnel to perform the recovery actions;\u003c/li\u003e\u003cli\u003eThe method for obtaining a new key (i.e., re-keying);\u003c/li\u003e\u003cli\u003eAn inventory of all cryptographic keys (e.g., the location of all keys and certificates in a system);\u003c/li\u003e\u003cli\u003eThe education of all appropriate personnel on the compromise-recovery procedures;\u003c/li\u003e\u003cli\u003eAn identification of all personnel needed to support the compromise-recovery procedures;\u003c/li\u003e\u003cli\u003ePolicies requiring that key-revocation checking be performed (to minimize the effect of a compromise);\u003c/li\u003e\u003cli\u003eThe monitoring of the re-keying operations (to ensure that all required operations are performed for all affected keys); and\u003c/li\u003e\u003cli\u003eAny other compromise-recovery procedures.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eOther compromise-recovery procedures may include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA physical inspection of the equipment;\u003c/li\u003e\u003cli\u003eAn identification of all information that may be compromised as a result of the incident;\u003c/li\u003e\u003cli\u003eAn identification of all signatures that may be invalid due to the compromise of a signing key; and\u003c/li\u003e\u003cli\u003eThe distribution of new keying material, if required.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eKey Archive and Key Recovery Functions\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eA key archive is a repository containing keys and their associated information (i.e., key information) for recovery beyond the cryptoperiod of the keys. Not all keys need to be archived. A CMS organizations security/privacy plan should discuss key archiving.\u003c/p\u003e\u003cp\u003eAccess to key archive should be limited to authorized personnel/entities.\u003c/p\u003e\u003cp\u003eIf a key must be recoverable (e.g., after the end of its cryptoperiod), either the key should be archived, or the system should be designed to allow reconstruction (e.g., re-derivation) of the key from archived information. Retrieving the key from archive storage or by reconstruction is commonly known as key recovery. The archive should be maintained by a trusted party (e.g., the CMS organization associated with the key or a trusted third party).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNote -\u003c/strong\u003e \u003cem\u003eA cryptoperiod is the time span during which a specific key is authorized for use by legitimate entities or the keys or a given system will remain in effect.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eNIST Special Publication \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf\"\u003e800-57 Part 1, Revision 5 \u003cem\u003eRecommendation for Key Management: Part 1 General\u003c/em\u003e\u003c/a\u003e\u003cem\u003e \u003c/em\u003efurther addresses the appropriateness of archiving keys and other cryptographically related information.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTrust Store\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA trust store is a repository that contains cryptographic artifacts like certificates and private keys that are used for cryptographic protocols such as TLS. Because the compromise of a cryptographic key compromises all of the information and processes protected by that key, it is essential that client nodes be able to trust that keys and/or key components come from a trusted source, and that their confidentiality (if required) and integrity have been protected both in storage and in transit.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:Tb185,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eBackground\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis handbook aligns with the \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final\"\u003eNational Institute of Standards and Technology (NIST) Special Publication (SP) 800-57\u003c/a\u003e series, the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"\u003eCMS IS2P2\u003c/a\u003e, and the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/federal-information-systems-management-act-fisma\"\u003eFISMA\u003c/a\u003e further emphasizes the importance of continuously monitoring information system security by requiring agencies to conduct assessments of security controls at a risk-defined frequency. The CMS ARS states that CMS information systems must define, develop, disseminate, review, and update its Risk Assessment documentation at least once every three years or whenever a significant change has occurred. This includes a formal, documented system security/privacy package that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and formal, documented processes and procedures to facilitate the implementation of the policy and associated controls.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePolicy\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePolicy delineates the security management structure, clearly assigns security responsibilities, and lays the foundation necessary to reliably measure progress, compliance, and direction to all CMS employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems or systems maintained on behalf of CMS to assure the confidentiality, integrity, and availability of CMS information and information systems.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eInformation Systems Security and Privacy Policy (IS2P2)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"\u003eCMS IS2P2\u003c/a\u003e defines the framework and policy under which CMS protects and controls access to CMS information and information systems in compliance with the Department of Human and Health Services (HHS) policy, federal law, and regulations. This policy requires all CMS stakeholders to implement adequate information security and privacy safeguards to protect all CMS's sensitive information.\u003c/p\u003e\u003cp\u003eThe policies contained within the CMS IS2P2 assist in satisfying the requirements for controls that require CMS to create a policy and associated procedures related to information systems.\u003c/p\u003e\u003cp\u003eThe dynamic nature of information security and privacy disciplines and the constant need for assessing risk across the CMS environment can result in gaps in policy, outside of the routine policy review cycle. The CMS Policy Framework includes the option to issue a \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Policies\"\u003eCIO Directive\u003c/a\u003e to address these types of gaps in CMS policy by providing guidance to CMS stakeholders while a policy is being developed, updated, cleared, and approved.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eChief Information Officer (CIO) Directives\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS Chief Information Officer (CIO), the CMS Chief Information Security Officer (CISO), and the CMS Senior Official for Privacy (SOP) jointly develop and maintain the CMS IS2P2. The CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eStandards\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eStandards define both functional and assurance requirements within the CMS security and privacy environment. CMS policy is executed with the requirements prescribed in standards with the objective of enabling consistency across the CMS environment. The CMS environment includes users, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks. These components are responsible for meeting and complying with the security and privacy baseline defined in policy and further prescribed in standards. The parameters and thresholds for policy implementation are built into the CMS standards, and provide a foundation for the procedural guidance provided by the Program Guide series.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecrets Management\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA secret is a digital authentication credential. Secrets are individually named sets of sensitive information, and address a broad spectrum of secure data. Secrets need to be protected against unauthorized disclosure, and all keys need to be protected against modification, tempering, deletion and disclosure. There are different types of secrets, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUser passwords\u003c/li\u003e\u003cli\u003eRoot passwords\u003c/li\u003e\u003cli\u003eApplication and database passwords\u003c/li\u003e\u003cli\u003eAuto-generated encryption keys\u003c/li\u003e\u003cli\u003ePrivate encryption keys\u003c/li\u003e\u003cli\u003eApplication Programming Interface (API) keys\u003c/li\u003e\u003cli\u003eApplication keys\u003c/li\u003e\u003cli\u003eSecure Shell (SSH) keys\u003c/li\u003e\u003cli\u003eIAM secret keys\u003c/li\u003e\u003cli\u003eProgrammatic access keys (project / client IDs)\u003c/li\u003e\u003cli\u003eAuthorization tokens\u003c/li\u003e\u003cli\u003eBearer tokens\u003c/li\u003e\u003cli\u003eCertificates\u003c/li\u003e\u003cli\u003ePrivate certificates (e.g. Transport Layer Security (TLS), Secure Sockets Layer (SSL))\u003c/li\u003e\u003cli\u003eRSA and other one-time password devices\u003c/li\u003e\u003cli\u003eAccount tags\u003c/li\u003e\u003cli\u003ePassphrases\u003c/li\u003e\u003cli\u003eAny other application tokens that are deemed confidential\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSecrets management refers to the tools and methods for managing digital authentication credentials (secrets), including passwords, keys, APIs, and tokens for use in applications, services, privileged accounts and other sensitive parts of the IT ecosystem.\u003c/p\u003e\u003cp\u003ePasswords and keys are some of the most broadly used and important tools your organization has for authenticating applications and users and providing them with access to sensitive systems, services, and information. Because secrets have to be transmitted securely, secrets management must account for and mitigate the risks to these secrets, both in transit and at rest.\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote \u003c/strong\u003eRoot access keys should be protected at all costs and deleted if possible. A bad actor may shut down servers, delete data, create and destroy users, or any other API capability with the root users key. For this reason, CMS highly recommends that root access key should not be in use or should be disabled if already in use. CMS also recommends keeping the root users credentials safe and private. Do not share them with other employees or contractors. It is also advisable to activate Multi Factor Authentication (MFA) for the root account to protect it even if the password leaks. Also, access and secret access keys should only be developed at a user level, and never at a root level.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThe security objectives (Confidentiality, Integrity and Availability) should always be protected in regards to secrets management. The \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFederal Information Processing Standards (FIPS) Publication 199\u003c/a\u003e defines three levels of potential impact on organizations or individuals (low, moderate, high) should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability) and has additional examples on the impact of loss of one or more of the security objectives.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eKey Management\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eKey management refers to managing cryptographic keys within a cryptosystem. The term “cryptosystem” is shorthand for “cryptographic system” and refers to a computer system that employs cryptography, a method of protecting information and communications through the use of codes so that only those for whom the information is intended can read and process it.\u003c/p\u003e\u003cp\u003eCryptosystems deal with generating, exchanging, storing, using and replacing keys as needed at the user level.\u003c/p\u003e\u003cp\u003eThe security of the cryptosystem is dependent upon successful key management. Proper management ensures a key stays safe throughout its lifecycle, from generation and use to storing and deletion.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCryptographic Keys\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCryptography is used to secure communications over networks, to protect information stored in databases, and for many other critical applications. Cryptographic keys play an important part in the operation of cryptography.\u003c/p\u003e\u003cp\u003eWith effective cryptographic key management, data that is encrypted can still be protected even in the event of a breach, since encrypted data cannot be decrypted without the right keys. Proper usage of encryption and key management will assist an organizations efforts to protect their data. \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final\"\u003eNIST SP 800-57 \u003cem\u003eRecommendations for Key Management (Part 1, Revision 5) \u003c/em\u003e\u003c/a\u003eprovides an updated guideline for general cryptographic key management.\u003c/p\u003e\u003cp\u003eAt CMS, mechanisms are employed to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProhibit the use of encryption keys that are not recoverable by authorized personnel\u003c/li\u003e\u003cli\u003eRequire senior management approval to authorize recovery of keys by someone other than the key owner\u003c/li\u003e\u003cli\u003eComply with approved cryptography standards mentioned in transit and at rest, as defined in the HHS Standard for Encryption of Computing Devices and Information, and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAt CMS, cryptographic protection applies to both portable storage devices (e.g., USB memory sticks, CDs, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers). This applies to all digital assets like application software, Data Stores (Such as databases and file systems), Cloud Service, and Software As a Service.\u003c/p\u003e\u003cp\u003eWhen cryptographic mechanisms are needed, CMS information systems use encryption products that have been validated under the Cryptographic Module Validation Program to confirm compliance with \u003ca href=\"https://csrc.nist.gov/pubs/fips/140-2/upd2/final#:~:text=This%20Federal%20Information%20Processing%20Standard,of%20potential%20applications%20and%20environments.\"\u003eFederal Information Processing Standards (FIPS) 140-2\u003c/a\u003e in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKey Management Concepts\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eKey Management Phases\u003c/strong\u003e\u003c/h4\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePre-Operational Phase\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eOperational Phase\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003ePost-Operational Phase\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDestroyed Phase\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAccording to \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final\"\u003eNIST SP 800-57 \u003cem\u003eRecommendation for Key Management: Part 1 - General\u003c/em\u003e\u003c/a\u003e\u003cem\u003e \u003c/em\u003ein Section 8, there are four phases of key management:\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003ePre-operational phase\u003c/strong\u003e: The keying material is not yet available for normal cryptographic operations. Keys may not yet be generated or are in the pre-activation state. System or enterprise attributes are established during this phase as well.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eOperational phase\u003c/strong\u003e: The keying material is available and in normal use. Keys are in the active or suspended state. Keys in the active state may be designated as protect only, process only, or both protect and process; keys in the suspended state can be used for processing only.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePost-operational phase\u003c/strong\u003e: The keying material is no longer in normal use, but access to the keying material is possible, and the keying material may be used for processing protected information. Keys are in the deactivated or compromised states. Keys in the post-operational phase may be in an archive.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eDestroyed phase: \u003c/strong\u003eKeys are no longer available. Records of their existence may or may not have been deleted. Keys are in the destroyed state. Although the keys themselves may have been destroyed, the keys metadata (e.g., key name, type, cryptoperiod, and usage period) may be retained. A cryptoperiod is the time span during which a specific key is authorized for use by legitimate entities or the keys for a given system will remain in effect.\u003c/li\u003e\u003c/ol\u003e\u003ch4\u003e\u003cstrong\u003eKey Establishment\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eKey establishment is the process that results in the sharing of a key between two or more entities. This process could be by a manual distribution, by using automated key-transport or key agreement mechanisms, or by key derivation using an already-shared key between or among those entities. Key establishment processes include the creation of a key. Key establishment techniques and issues are discussed in Section 5.3 of \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/175/b/r1/final\"\u003eNIST SP 800-175B \u003cem\u003eGuideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms\u003c/em\u003e.\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eKey Management Functions\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eRoles and responsibilities need to be defined for the CMS management of at least the following functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe generation or acquisition of key information (i.e., keying material and the associated metadata)\u003c/li\u003e\u003cli\u003eThe secure distribution of private keys, secret keys and the associated metadata\u003c/li\u003e\u003cli\u003eThe establishment of cryptoperiods\u003c/li\u003e\u003cli\u003eKey and/or certificate inventory management, including procedures for the routine supersession of keys and certificates at the end of a cryptoperiod or validity period\u003c/li\u003e\u003cli\u003eProcedures for the emergency revocation of compromised keys and the establishment (e.g., distribution) of replacement keys and/or certificates\u003c/li\u003e\u003cli\u003eAccounting for and the storage and recovery of the operational and backed-up copies of key information\u003c/li\u003e\u003cli\u003eThe storage and recovery of archived key information\u003c/li\u003e\u003cli\u003eProcedures for checking the integrity of stored key information before using it\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe destruction of private or secret keys that are no longer required\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCryptographic Key Management Systems (CKMS)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe term cryptographic key management system (CKMS) refers to the framework and services that provide for the generation, establishment, control, accounting, and destruction of cryptographic keys and associated management information.\u003c/p\u003e\u003cp\u003eIt includes all elements (hardware, software, other equipment, and documentation); facilities; personnel; procedures; standards; and information products that form the system that establishes, manages, and supports cryptographic products and services for end entities.\u003c/p\u003e\u003cp\u003eA CKMS may handle symmetric keys, asymmetric keys or both. Key management policies, practice statements, and specifications should identify common CKMS elements and suggest functions of and relationships among the organizational elements responsible for the management and use of cryptographic keys.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-152.pdf\"\u003eNIST SP 800-152\u003c/a\u003e contains requirements for the design, implementation, and procurement of a CKMS for the CMS organization. A key management system can be designed to provide services for a single individual (e.g., in a personal data-storage system), an organization (e.g., in a secure Virtual Private Network (VPN) for intraoffice communications), or a large complex of organizations (e.g., in secure communications for the U.S. Government).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKey Management Planning\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAccording to \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-57-part-2/rev-1/final\"\u003eNIST SP.800-57 Part 2 Revision 1\u003c/a\u003e, CMS organizations are required by statutory and administrative rules and guidelines to protect the confidentiality and integrity of their sensitive information and processes. Federal agencies are required to determine a \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf\"\u003eFIPS 200\u003c/a\u003e impact level (i.e., Low, Moderate or High) based on the security categories defined in \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFIPS 199\u003c/a\u003e. The security categories are based on the potential impact on an organization if certain events occur that jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals.\u003c/p\u003e\u003cp\u003eCMS encourages Application Development Organizations (ADOs) to utilize software solutions (both on premises and in the Cloud) that help with the creation, identification, management, retrieval, rotation, and removal of keys - especially when these products help ADOs to better comply with CMS key management policy and its requirements.\u003c/p\u003e\u003cp\u003eCMS organizations also need to define their security objectives for storing and/or communicating their sensitive information. These objectives may include the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProviding confidentiality for stored and/or transmitted data,\u003c/li\u003e\u003cli\u003eSource authentication for received data,\u003c/li\u003e\u003cli\u003eIntegrity protection for stored/transmitted data,\u003c/li\u003e\u003cli\u003eEntity authentication, etc.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe development of new cryptographic systems, including CKMS, should ideally be conducted following the processes described in \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/160/v2/r1/ipd#:~:text=Draft%20NIST%20Special%20Publication%20(SP,systems%20from%20the%20inside%20out\"\u003eNIST SP 800-160 \u003cem\u003eDeveloping Cyber-Resilient Systems: A Systems Security Engineering Approach\u003c/em\u003e\u003c/a\u003e. However, in many cases, systems that rely on cryptographic protection are already being used. Where such systems are being augmented or otherwise modified, security/privacy planning is still required, but the NIST SP 800-160 processes will need to be abridged or otherwise adapted because of legacy constraints. CMS organizations must still select \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST SP 800-53\u003c/a\u003e, based on \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eARS 5.0\u003c/a\u003e Control Catalog, security/privacy controls based on system design, operational characteristics, and FIPS 199 impact levels.\u003c/p\u003e\u003cp\u003eKey management planning should involve the following steps:\u003c/p\u003e\u003col\u003e\u003cli\u003eAn appropriate key management architecture is selected based on the available cryptographic mechanisms and objectives. Section 2.3 of \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt2r1.pdf\"\u003eNIST SP 800-57 Part. 2 Revision 1\u003c/a\u003e provides examples of architectures to be considered.\u003c/li\u003e\u003cli\u003eA Key Management Specification is developed for each cryptographic product to be used in the system. When developing a Key Management Specification for a cryptographic product, the unique key management products and services needed from the CKMS to support the operation of the cryptographic product must be defined. The specification of cryptographic mechanisms, including key management functions, should consider the CMS organizations resource limitations and procedural environment. If a Key Management Plan already exists for a CMS organization, the Key Management Specification needs to be in conformance with the CKMS Security Policy. The CKMS Practice Statement should support both the CKMS Security Policy and the Key Management Specification.\u003c/li\u003e\u003cli\u003eBased on the Key Management Plan, a CKMS Security Policy (CKMS SP) is developed that documents the decisions made in developing the Key Management Plan. A CKMS SP is a set of rules that are established to describe the goals, responsibilities, and overall requirements for the management of cryptographic keying material throughout the entire key lifecycle.\u003c/li\u003e\u003cli\u003eA CKMS may be operated by the organization owning the information to be protected, or may be operated by another organization (e.g., under contract). The organization operating the CKMS develops a CKMS Practice Statement (CKMS PS). A CKMS PS specifies how key management procedures and techniques are used to enforce the CKMS SP.\u003c/li\u003e\u003c/ol\u003e\u003ch3\u003e\u003cstrong\u003eKey Strength\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS organizations should consider the following best practices:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEstablish what the application's minimum computational resistance to attack should be. Understanding the minimum computational resistance to attack should take into consideration the sophistication of your adversaries, how long data needs to be protected, where data is stored and if it is exposed. Identifying the computational resistance to attack will inform engineers as to the minimum length of the cryptographic key required to protect data over the life of that data. Consult \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/131/a/r2/final\"\u003eNIST SP 800-131a \u003cem\u003eTransitioning the Use of Cryptographic Algorithms and Key Lengths\u003c/em\u003e\u003c/a\u003e\u003cem\u003e \u003c/em\u003efor additional guidance on determining the appropriate key lengths for the algorithm of choice.\u003c/li\u003e\u003cli\u003eWhen encrypting keys for storage or distribution, always encrypt a cryptographic key with another key of equal or greater cryptographic strength.\u003c/li\u003e\u003cli\u003eChoose a key length that meets or exceeds the comparative strength of other algorithms in use within your system. Refer to \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final\"\u003eNIST SP 800-57\u003c/a\u003e Table 2.\u003c/li\u003e\u003cli\u003eFormulate a strategy for the overall organization's cryptographic strategy to guide developers working on different applications and ensure that each application's cryptographic capability meets minimum requirements and best practices.\u003c/li\u003e\u003cli\u003eReview \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final\"\u003eNIST SP 800-57 \u003cem\u003eRecommendation for Key Management \u003c/em\u003e\u003c/a\u003efor recommended guidelines on key strength for specific algorithm implementations.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003ePublic Key Infrastructure\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePublic key infrastructure (PKI), as stated in \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-32.pdf\"\u003eNIST Special Publication 800-32: \u003cem\u003eIntroduction to Public Key Technology and the Federal PKI Infrastructure\u003c/em\u003e\u003c/a\u003e, is the combination of software, encryption technologies, and services that enables enterprises to \u003ca href=\"https://playbooks.idmanagement.gov/fpki/\"\u003eprotect the security of their communications and business transactions on networks\u003c/a\u003e. PKI integrates digital certificates, public key cryptography, and \u003cstrong\u003ecertification authorities (CA)\u003c/strong\u003e into a complete enterprise-wide network security architecture.\u003c/p\u003e\u003cp\u003eAll public key certificates used at CMS are issued in accordance with Federal PKI policy and validated to the Federal PKI trust anchor when being used for user signing, encrypting purposes, authentication, and authorization.\u003c/p\u003e\u003cp\u003eThe CA is responsible for issuing a public key certificate for each identity, confirming that the identity has the appropriate credentials. \u003cem\u003e\u003cstrong\u003eNote - \u003c/strong\u003ecertification authority (CA) is similar to a notary. The CA confirms the identities of parties sending and receiving electronic payments or other communications.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eAt CMS, various Certificate Authority requests are available and processed through the Infrastructure and User Services Group - Division of Operations Management (IUSG-DOM).\u003c/p\u003e\u003cp\u003eThere are two ways to submit a CA request for a certificate:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRequestor submits a request through the CMS Connect System.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eOnly users with a CMS USER ID who have access to or VPN to the CMS Network will be able to login to the Agency Solution for Customer Support (ASCS). If you do not have a CMS USER ID, see option #2 below to submit an email request.\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eRequestor sends certificate request email to the \u003cstrong\u003eCMS - DOMSSLCert \u003c/strong\u003emailbox at \u003ca href=\"mailto:DOMSSLCert@cms.hhs.gov\"\u003eDOMSSLCert@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor inquiries on the type of certificate to request, contact the CMS - DOMSSLCert mailbox at \u003ca href=\"mailto:DOMSSLCert@cms.hhs.gov\"\u003eDOMSSLCert@cms.hhs.gov\u003c/a\u003e for assistance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKey Usage\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePer NIST SP 800-57 Part 1 Revision 5: \u003cem\u003eRecommendation for Key Management\u003c/em\u003e, a single key should be used for only one purpose (e.g., encryption, integrity authentication, key wrapping, random bit generation, or digital signatures).\u003c/p\u003e\u003cp\u003eThere are several reasons for this:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe use of the same key for two different cryptographic processes may weaken the security provided by one or both of the processes.\u003c/li\u003e\u003cli\u003eLimiting the use of a key limits the damage that could be done if the key is compromised.\u003c/li\u003e\u003cli\u003eSome uses of keys interfere with each other. For example, the length of time the key may be required for each use and purpose. Retention requirements of the data may differ for different data types.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis recommendation permits the use of a private key-transport or key-agreement key to generate a digital signature for the following special case: When requesting the (initial) certificate for a static key-establishment key that was generated as specified in \u003ca href=\"https://csrc.nist.gov/pubs/fips/186-5/final\"\u003eFIPS 186-5\u003c/a\u003e, the corresponding private key may be used to sign the certificate request.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKey Management Lifecycle Best Practices\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eGeneration\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCryptographic keys should be generated within cryptographic modules with at least a \u003ca href=\"https://csrc.nist.gov/pubs/fips/140-2/upd2/final\"\u003eFIPS 140-2\u003c/a\u003e compliance. For explanatory purposes, consider the cryptographic module in which a key is generated to be the key-generating module.\u003c/p\u003e\u003cp\u003eAny random value required by the key-generating module should be generated within that module; that is, the Random Bit Generator that generates the random value should be implemented within cryptographic modules with at least a FIPS 140-2 compliance that generates the key.\u003c/p\u003e\u003cp\u003eHardware cryptographic modules are preferred over software cryptographic modules for protection.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eUse/Distribution\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe generated keys should be transported (when necessary) using secure channels and should be used by their associated cryptographic algorithm within at least a FIPS 140-2 compliant cryptographic module. For additional detail for the recommendations in this section refer to \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/133/r2/final\"\u003eNIST Special Publication 800-133\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eKeys or secrets should be shared out of band and should never be sent with or alongside the data the secrets or keys they are protecting. Also, secrets shared out-of-band should be protected and not stored somewhere that can be easily compromised (like on a piece of paper on a users desk). Out of band sharing of keys should be deleted or destroyed immediately after use.\u003c/p\u003e\u003cp\u003eADOs should also consider using a Diffie-Hellman algorithm like Secure-Remote Procedure Call (S-RPC) for the sharing of keys when out of band sharing is not a viable option. \u003cem\u003e\u003cstrong\u003eNote\u003c/strong\u003e - The DiffieHellman (DH) Algorithm is \u003cstrong\u003ea key-exchange protocol \u003c/strong\u003ethat enables two parties communicating over public channel to establish a mutual secret without it being transmitted over the Internet. DH enables the two to use a public key to encrypt and decrypt their conversation or data using symmetric cryptography.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eExamples of how keys can be shared included:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUse a Key or Secrets Management System\u003c/li\u003e\u003cli\u003eUse a shared key store or password manager vault\u003c/li\u003e\u003cli\u003eUse of client-side encrypted pastebin or similar service\u003c/li\u003e\u003cli\u003eUse of a restricted document\u003c/li\u003e\u003cli\u003eSending encrypted data via email (CMS adheres to the encryption requirements in the \u003ca href=\"https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/policies-guides-encryption.pdf\"\u003eHHS Standard for Encryption of Computing Devices and Information\u003c/a\u003e)\u003c/li\u003e\u003cli\u003eUsing a third-party, CMS approved storage service\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eADOs should document the method being used for the business or system owner. ADOs are also encouraged to use TLS Version 1.2 or 1.3 encryption standards for Data-in-transit.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eStorage\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eADOs should document in a Key Management Plan where secrets are being stored, and that documentation should be made available to the business or system owner, and updated as needed but no less than annually. The documentation should be written per system, define types of secrets used, list all secret alias names, creation date, recommended rotation date, level of sensitivity/classification, recommended end of use, business owner, and secret manager. The secrets should be encrypted and stored separately using a KMS solution or service.\u003c/li\u003e\u003cli\u003eCMS strongly encourages ADOs to use “split knowledge” or “M of N” for very sensitive key storage so that one individual does not have sole access to a key\u003c/li\u003e\u003cli\u003eDevelopers must understand where cryptographic keys are stored within the application and understand what memory devices the keys are stored on.\u003c/li\u003e\u003cli\u003eKeys must be protected on both volatile and persistent memory, ideally processed within secure cryptographic modules.\u003c/li\u003e\u003cli\u003eKeys should never be stored in plaintext format.\u003c/li\u003e\u003cli\u003eEnsure all keys are stored in a cryptographic vault, such as a hardware security module (HSM), or isolated cryptographic service or secret management services.\u003c/li\u003e\u003cli\u003eIf you are planning on storing keys in offline devices/databases, then encrypt the keys using Key Encryption Keys (KEKs) prior to the export of the key material. KEK length (and algorithm) should be equivalent to or greater in strength than the keys being protected.\u003c/li\u003e\u003cli\u003eEnsure that keys have integrity protections applied while in storage (consider dual purpose algorithms that support encryption and Message Authentication Code (MAC)).\u003c/li\u003e\u003cli\u003eEnsure that standard application-level code never reads or uses cryptographic keys in any way and use key management libraries.\u003c/li\u003e\u003cli\u003eEnsure that keys and cryptographic operation is done inside a secure cryptographic vault.\u003c/li\u003e\u003cli\u003eAll work should be done in the cryptographic vault (such as key access, encryption, decryption, signing, etc.).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eEscrow and Backup\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eData that has been encrypted with lost cryptographic keys will never be recovered. Therefore, it is essential that the application incorporate a secure key backup capability, especially for applications that support data-at-rest encryption for long-term data stores.\u003c/p\u003e\u003cp\u003eWhen backing up keys, ensure that the database that is used to store the keys is encrypted using at least a FIPS 140-2 validated module. It is sometimes useful to escrow key material for use in investigations and for re-provisioning of key material to users in the event that the key is lost or corrupted.\u003c/p\u003e\u003cp\u003eNever escrow keys used for performing digital signatures, but consider the need to escrow keys that support encryption. Oftentimes, escrow can be performed by the Certificate Authority (CA) or key management system that provisions certificates and keys, however in some instances separate APIs must be implemented to allow the system to perform the escrow for the application.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAccountability and Audit\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAccountability involves the identification of those that have access to, or control of, cryptographic keys throughout their lifecycles. Accountability can be an effective tool to help prevent key compromises and to reduce the impact of compromises once they are detected.\u003c/p\u003e\u003cp\u003eAt a minimum, the key management system should account for all individuals who are able to view plaintext cryptographic keys.\u003c/p\u003e\u003cp\u003eIn addition, more sophisticated key-management systems may account for all individuals authorized to access or control any cryptographic keys, whether in plaintext or ciphertext form.\u003c/p\u003e\u003cp\u003eAccountability provides three significant advantages:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIt aids in the determination of when the compromise could have occurred and what individuals could have been involved.\u003c/li\u003e\u003cli\u003eIt tends to protect against compromise, because individuals with access to the key know that their access to the key is known.\u003c/li\u003e\u003cli\u003eIt is very useful in recovering from a detected key compromise to know where the key was used and what data or other keys were protected by the compromised key.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCertain principles have been found to be useful in enforcing the accountability of cryptographic keys. These principles might not apply to all systems or all types of keys.\u003c/p\u003e\u003cp\u003eSome of the principles that apply to long-term keys controlled by humans include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUniquely identifying keys.\u003c/li\u003e\u003cli\u003eIdentifying the key user.\u003c/li\u003e\u003cli\u003eIdentifying the dates and times of key use, along with the data that is protected.\u003c/li\u003e\u003cli\u003eIdentifying other keys that are protected by a symmetric or private key. Two types of audit should be performed on key management systems:\u003c/li\u003e\u003cli\u003eThe security/privacy plan and the procedures that are developed to support the plan should be periodically audited to ensure that they continue to support the Key Management Policy in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-57-part-2/rev-1/final\"\u003eNIST SP 800-57\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eThe protective mechanisms employed should be periodically reassessed with respect to the level of security that they provide and are expected to provide in the future, and that the mechanisms correctly and effectively support the appropriate policies.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eNew technology developments and attacks should be taken into consideration. On a more frequent basis, the actions of the humans that use, operate, and maintain the system should be reviewed to verify that the humans continue to follow established security/privacy procedures.\u003c/p\u003e\u003cp\u003eStrong cryptographic systems can be compromised by lax and inappropriate human actions. Highly unusual events should be noted and reviewed as possible indicators of attempted attacks on the system.\u003c/p\u003e\u003cp\u003eAccountability and Audit ensures the security objectives (Confidentiality, Integrity and Availability) are maintained. Effective integrity can be maintained if ADOs incorporate logging and provide for audit trails so we can track who used keys or secrets, for what purpose, etc.\u003c/p\u003e\u003cp\u003eIntegrity of the keys supports non-repudiation.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eKey Rotation\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eKey rotation provides several benefits, which are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIn the event that a key is compromised, regular rotation limits the number of actual messages/systems vulnerable to compromise. If key version is suspected to be compromised, disable it and revoke access to it as soon as possible.\u003c/li\u003e\u003cli\u003eRegular key rotation ensures CMS systems are resilient to manual rotation, whether due to a security breach or the need to migrate application to a stronger cryptographic algorithm.\u003c/li\u003e\u003cli\u003eLimiting the number of messages encrypted with the same key version helps prevent attacks enabled by cryptanalysis. Cryptanalysis is the study of ciphertext, ciphers and cryptosystems with the aim of understanding how they work and finding and improving techniques for defeating or weakening them.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor symmetric encryption, CMS organizations should configure automation key rotation by setting a key rotation period and starting time when key is created.\u003c/p\u003e\u003cp\u003eFor asymmetric encryption, CMS organizations should always manually rotate keys, because the new public key must be distributed before the key pair can be used.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecommended minimum frequency of key rotation \u003c/strong\u003e Annually.\u003c/p\u003e\u003cp\u003e\u003cem\u003eNote \u003c/em\u003e- The rotation schedule can be based on either the key's age or the number or volume of messages encrypted with a key version. \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf\"\u003eNIST SP 800-57 Recommendation for Key Management \u003c/a\u003edescribes cryptoperiods as a factor in determining an appropriate period for rotation.\u003c/p\u003e\u003cp\u003eIf responsible personnel have indications that keys have been compromised, they should manually rotate the keys and re-encrypt data that was encrypted by the compromised keys as soon as possible. To re-encrypt data, download the old data, decrypt it with the old key, encrypt the old data using the new key, and then re-upload the re-encrypted data.\u003c/p\u003e\u003cp\u003eCMS recommends Online Certificate Status Protocol (OCSP) over Certificate Lifecycle Management (CLM) because there can be latencies in the system where CLM may not have the most up to date revocations.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eKey Revocation\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAccording to \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/57/pt2/final\"\u003eNIST SP 800-57 Part 2 \u003cem\u003eRecommendation for Key Management: Part 2 Best Practices for Key Management Organizations\u003c/em\u003e\u003c/a\u003e, symmetric keys are often revoked by the use of Compromised Key Lists (CKLs). Certificate Revocation Lists (CRLs) are commonly used to revoke public key certificates, thus revoking the private key corresponding to the public key in the certificate. Regardless of whether symmetric or asymmetric keys are used, a means of revoking keys is recommended.\u003c/p\u003e\u003cp\u003eThis CMS guide will use the term revoked key notification (RKN) to refer to a mechanism to revoke keys. An RKN may include the revocation reason and an indication of when the revocation was requested. The inclusion of the revocation reason can be useful in risk decisions regarding the information that was received or stored using those keys.\u003c/p\u003e\u003cp\u003eA key may also be suspended from use for a variety of reasons, such as an unknown status of the key or due to the key owner being temporarily unavailable (e.g., the key owner is on extended leave). In the case of a certificate suspension, the intent is to suspend the use of the public key included in the certificate (e.g., to not verify digital signatures or establish keys while the use of the certificate is suspended). This may be communicated to relying parties as an “on hold” revocation reason code in a CRL and in an OCSP response. The certificate may later be revoked (e.g., a compromise of the private key corresponding to the public key in the certificate was confirmed) or the certificate may be reactivated (e.g., the key has not been compromised or the owner returned to work).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCompromise of Keys\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eKey compromise occurs when the protective mechanisms for the key fail (e.g., the confidentiality, integrity, or association of the key to its owner fail;) and the key can no longer be trusted to provide the required security. It is the responsibility of an owner of a private or secret key to protect the confidentiality of that key. Reporting a possible key compromise is the responsibility of anyone suspecting that a key has been compromised (e.g., the keys owner or an entity that observes that the data protected by that key has been compromised).\u003c/p\u003e\u003cp\u003eWhen a key is compromised, all use of the key to apply cryptographic protection to information (e.g., compute a digital signature or encrypt information) should cease, and the compromised key should be revoked.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eGuidelines to Minimize the Likelihood of a Key Compromise\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003ePeriodically rotate keys per the recommendation in this guide;\u003c/li\u003e\u003cli\u003eLimiting the amount of time that a secret symmetric or asymmetric private key is in plaintext form;\u003c/li\u003e\u003cli\u003ePreventing humans from viewing plaintext secret symmetric and asymmetric private keys;\u003c/li\u003e\u003cli\u003eRestricting plaintext secret and private keys to physically protected “containers.” This includes key generators, key-transport devices, key loaders, cryptographic modules, hardware security modules (HSMs), and key-storage devices;\u003c/li\u003e\u003cli\u003eUsing integrity checks to ensure that the integrity of a key or its association with other data has not been compromised. For example, keys may be wrapped (i.e., encrypted and integrity protected) in such a manner that unauthorized modifications to the wrapped key or to the keys metadata will be detected;\u003cul\u003e\u003cli\u003eProviding a cryptographic integrity check on the key (e.g., using a MAC or a digital signature);\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEmploying key confirmation to help ensure that the proper key was, in fact, established;\u003c/li\u003e\u003cli\u003eUsing trusted timestamps for signed data;\u003c/li\u003e\u003cli\u003eDestroying keys as soon as they are no longer needed; and\u003c/li\u003e\u003cli\u003eCreating a compromise-recovery plan, especially in the case of the compromise of a CA key.\u003c/li\u003e\u003cli\u003eData (key) dispersion - Data dispersion is recommended either through Redundant Array of Independent Disks (RAID) or use of erasure coding (bit splitting) in the Cloud. Data dispersion also addresses potential legal complications (for Cloud applications) that could arise should a server be confiscated by law enforcement. \u003cstrong\u003eNote -\u003c/strong\u003e\u003cem\u003e RAID (redundant array of independent disks) is a way of storing the same data in different places on multiple hard disks or solid-state drives (SSDs) to protect data in the case of a drive failure.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eSSMS (Secret Sharing Made Short) is another standard protocol that is encouraged for key management within Cloud application. \u003cstrong\u003eNote -\u003c/strong\u003e \u003cem\u003eSSMS uses a three-phase process: encryption of information; use of information dispersal algorithm (IDA), which is designed to efficiently split the data using erasure coding into fragments; and splitting the encryption key itself using the secret-sharing algorithm.\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eA compromise-recovery plan is essential for restoring cryptographic security services in the event of a key compromise. A compromise-recovery plan should be documented and easily accessible. The plan may be included in a Key-Management Practices Statement39. If not, the Key-Management Practices Statement should reference the compromise-recovery plan.\u003c/p\u003e\u003cp\u003eAccording to \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final\"\u003eNIST SP 800-57 Part 1 Rev. 5\u003c/a\u003e, a compromise-recovery plan should contain:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAn identification of the personnel to notify and what the notification should contain (e.g., the scope of the compromise whether specific keys were compromised or the certificate generation process was compromised);\u003c/li\u003e\u003cli\u003eAn identification of the personnel to perform the recovery actions;\u003c/li\u003e\u003cli\u003eThe method for obtaining a new key (i.e., re-keying);\u003c/li\u003e\u003cli\u003eAn inventory of all cryptographic keys (e.g., the location of all keys and certificates in a system);\u003c/li\u003e\u003cli\u003eThe education of all appropriate personnel on the compromise-recovery procedures;\u003c/li\u003e\u003cli\u003eAn identification of all personnel needed to support the compromise-recovery procedures;\u003c/li\u003e\u003cli\u003ePolicies requiring that key-revocation checking be performed (to minimize the effect of a compromise);\u003c/li\u003e\u003cli\u003eThe monitoring of the re-keying operations (to ensure that all required operations are performed for all affected keys); and\u003c/li\u003e\u003cli\u003eAny other compromise-recovery procedures.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eOther compromise-recovery procedures may include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA physical inspection of the equipment;\u003c/li\u003e\u003cli\u003eAn identification of all information that may be compromised as a result of the incident;\u003c/li\u003e\u003cli\u003eAn identification of all signatures that may be invalid due to the compromise of a signing key; and\u003c/li\u003e\u003cli\u003eThe distribution of new keying material, if required.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eKey Archive and Key Recovery Functions\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eA key archive is a repository containing keys and their associated information (i.e., key information) for recovery beyond the cryptoperiod of the keys. Not all keys need to be archived. A CMS organizations security/privacy plan should discuss key archiving.\u003c/p\u003e\u003cp\u003eAccess to key archive should be limited to authorized personnel/entities.\u003c/p\u003e\u003cp\u003eIf a key must be recoverable (e.g., after the end of its cryptoperiod), either the key should be archived, or the system should be designed to allow reconstruction (e.g., re-derivation) of the key from archived information. Retrieving the key from archive storage or by reconstruction is commonly known as key recovery. The archive should be maintained by a trusted party (e.g., the CMS organization associated with the key or a trusted third party).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNote -\u003c/strong\u003e \u003cem\u003eA cryptoperiod is the time span during which a specific key is authorized for use by legitimate entities or the keys or a given system will remain in effect.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eNIST Special Publication \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf\"\u003e800-57 Part 1, Revision 5 \u003cem\u003eRecommendation for Key Management: Part 1 General\u003c/em\u003e\u003c/a\u003e\u003cem\u003e \u003c/em\u003efurther addresses the appropriateness of archiving keys and other cryptographically related information.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTrust Store\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA trust store is a repository that contains cryptographic artifacts like certificates and private keys that are used for cryptographic protocols such as TLS. Because the compromise of a cryptographic key compromises all of the information and processes protected by that key, it is essential that client nodes be able to trust that keys and/or key components come from a trusted source, and that their confidentiality (if required) and integrity have been protected both in storage and in transit.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}\n1b:{\"self\":\"$1c\"}\n1f:[\"menu_ui\",\"scheduler\"]\n1e:{\"module\":\"$1f\"}\n22:[]\n21:{\"available_menus\":\"$22\",\"parent\":\"\"}\n23:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n20:{\"menu_ui\":\"$21\",\"scheduler\":\"$23\"}\n1d:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$1e\",\"third_party_settings\":\"$20\",\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1a:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":\"$1b\",\"attributes\":\"$1d\"}\n26:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}\n25:{\"self\":\"$26\"}\n27:{\"display_name\":\"jcallan - retired\"}\n24:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":\"$25\",\"attributes\":\"$27\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n29:{\"self\":\"$2a\"}\n2b:{\"display_name\":\"meg - retired\"}\n28:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$29\",\"attributes\":\"$2b\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}\n2d:{\"self\":\"$2e\"}\n30:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n2f:{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_aff"])</script><script>self.__next_f.push([1,"ected\":true,\"path\":\"$30\"}\n34:{\"drupal_internal__target_id\":\"resource_type\"}\n33:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$34\"}\n36:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"}\n37:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}\n35:{\"related\":\"$36\",\"self\":\"$37\"}\n32:{\"data\":\"$33\",\"links\":\"$35\"}\n3a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"}\n3b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}\n39:{\"related\":\"$3a\",\"self\":\"$3b\"}\n38:{\"data\":null,\"links\":\"$39\"}\n42:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n41:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$42\"}\n40:{\"help\":\"$41\"}\n3f:{\"links\":\"$40\"}\n3e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$3f\"}\n3d:[\"$3e\"]\n44:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"}\n45:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}\n43:{\"related\":\"$44\",\"self\":\"$45\"}\n3c:{\"data\":\"$3d\",\"links\":\"$43\"}\n31:{\"vid\":\"$32\",\"revision_user\":\"$38\",\"parent\":\"$3c\"}\n2c:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":\"$2d\",\"attributes\":\"$2f\",\"relationships\":\"$31\"}\n48:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n47:{\"self\":\"$48\"}\n4a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n49:{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":"])</script><script>self.__next_f.push([1,"\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4a\"}\n4e:{\"drupal_internal__target_id\":\"roles\"}\n4d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$4e\"}\n50:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n51:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n4f:{\"related\":\"$50\",\"self\":\"$51\"}\n4c:{\"data\":\"$4d\",\"links\":\"$4f\"}\n54:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n55:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n53:{\"related\":\"$54\",\"self\":\"$55\"}\n52:{\"data\":null,\"links\":\"$53\"}\n5c:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n5b:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5c\"}\n5a:{\"help\":\"$5b\"}\n59:{\"links\":\"$5a\"}\n58:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$59\"}\n57:[\"$58\"]\n5e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n5f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n5d:{\"related\":\"$5e\",\"self\":\"$5f\"}\n56:{\"data\":\"$57\",\"links\":\"$5d\"}\n4b:{\"vid\":\"$4c\",\"revision_user\":\"$52\",\"parent\":\"$56\"}\n46:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$47\",\"attributes\":\"$49\",\"relationships\":\"$4b\"}\n62:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26?resourceVersion=id%"])</script><script>self.__next_f.push([1,"3A81\"}\n61:{\"self\":\"$62\"}\n64:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n63:{\"drupal_internal__tid\":81,\"drupal_internal__revision_id\":81,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:09:11+00:00\",\"status\":true,\"name\":\"Data Guardian\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:09:11+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$64\"}\n68:{\"drupal_internal__target_id\":\"roles\"}\n67:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$68\"}\n6a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/vid?resourceVersion=id%3A81\"}\n6b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/vid?resourceVersion=id%3A81\"}\n69:{\"related\":\"$6a\",\"self\":\"$6b\"}\n66:{\"data\":\"$67\",\"links\":\"$69\"}\n6e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/revision_user?resourceVersion=id%3A81\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/revision_user?resourceVersion=id%3A81\"}\n6d:{\"related\":\"$6e\",\"self\":\"$6f\"}\n6c:{\"data\":null,\"links\":\"$6d\"}\n76:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n75:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$76\"}\n74:{\"help\":\"$75\"}\n73:{\"links\":\"$74\"}\n72:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$73\"}\n71:[\"$72\"]\n78:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/parent?resourceVersion=id%3A81\"}\n79:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/parent?resourceVersion=id%3A81\"}\n77:{\"related\":\"$78\",\"self\":\"$79\"}\n70:{\"data\":\"$71\",\"links\":\"$77\"}\n65:{\"vid\":\"$66\",\"revision_user\":\"$6c\",\"parent\":\"$70\"}\n60:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"links\":\"$61\",\"attributes\":\"$63\",\"relationsh"])</script><script>self.__next_f.push([1,"ips\":\"$65\"}\n7c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n7b:{\"self\":\"$7c\"}\n7e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n7d:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$7e\"}\n82:{\"drupal_internal__target_id\":\"roles\"}\n81:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$82\"}\n84:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n85:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n83:{\"related\":\"$84\",\"self\":\"$85\"}\n80:{\"data\":\"$81\",\"links\":\"$83\"}\n88:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n87:{\"related\":\"$88\",\"self\":\"$89\"}\n86:{\"data\":null,\"links\":\"$87\"}\n90:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n8f:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$90\"}\n8e:{\"help\":\"$8f\"}\n8d:{\"links\":\"$8e\"}\n8c:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$8d\"}\n8b:[\"$8c\"]\n92:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n93:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n91:{\"related\":\"$92\",\"self\":\"$93\"}\n8a:{\"data\":\"$8b\",\"links\":\"$91\"}\n7f:{\"vid\":\"$8"])</script><script>self.__next_f.push([1,"0\",\"revision_user\":\"$86\",\"parent\":\"$8a\"}\n7a:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$7b\",\"attributes\":\"$7d\",\"relationships\":\"$7f\"}\n96:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n95:{\"self\":\"$96\"}\n98:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n97:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$98\"}\n9c:{\"drupal_internal__target_id\":\"roles\"}\n9b:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$9c\"}\n9e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n9f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n9d:{\"related\":\"$9e\",\"self\":\"$9f\"}\n9a:{\"data\":\"$9b\",\"links\":\"$9d\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\na1:{\"related\":\"$a2\",\"self\":\"$a3\"}\na0:{\"data\":null,\"links\":\"$a1\"}\naa:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\na9:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$aa\"}\na8:{\"help\":\"$a9\"}\na7:{\"links\":\"$a8\"}\na6:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$a7\"}\na5:[\"$a6\"]\nac:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\nad:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-"])</script><script>self.__next_f.push([1,"af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\nab:{\"related\":\"$ac\",\"self\":\"$ad\"}\na4:{\"data\":\"$a5\",\"links\":\"$ab\"}\n99:{\"vid\":\"$9a\",\"revision_user\":\"$a0\",\"parent\":\"$a4\"}\n94:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$95\",\"attributes\":\"$97\",\"relationships\":\"$99\"}\nb0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\naf:{\"self\":\"$b0\"}\nb2:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb1:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b2\"}\nb6:{\"drupal_internal__target_id\":\"roles\"}\nb5:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$b6\"}\nb8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\nb9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\nb7:{\"related\":\"$b8\",\"self\":\"$b9\"}\nb4:{\"data\":\"$b5\",\"links\":\"$b7\"}\nbc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\nbd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\nbb:{\"related\":\"$bc\",\"self\":\"$bd\"}\nba:{\"data\":null,\"links\":\"$bb\"}\nc4:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nc3:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c4\"}\nc2:{\"help\":\"$c3\"}\nc1:{\"links\":\"$c2\"}\nc0:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$c1\"}\nbf:[\"$c0\"]\nc6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f"])</script><script>self.__next_f.push([1,"0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\nc7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\nc5:{\"related\":\"$c6\",\"self\":\"$c7\"}\nbe:{\"data\":\"$bf\",\"links\":\"$c5\"}\nb3:{\"vid\":\"$b4\",\"revision_user\":\"$ba\",\"parent\":\"$be\"}\nae:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":\"$af\",\"attributes\":\"$b1\",\"relationships\":\"$b3\"}\nca:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}\nc9:{\"self\":\"$ca\"}\ncc:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\ncb:{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$cc\"}\nd0:{\"drupal_internal__target_id\":\"topics\"}\ncf:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$d0\"}\nd2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"}\nd3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}\nd1:{\"related\":\"$d2\",\"self\":\"$d3\"}\nce:{\"data\":\"$cf\",\"links\":\"$d1\"}\nd6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"}\nd7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}\nd5:{\"related\":\"$d6\",\"self\":\"$d7\"}\nd4:{\"data\":null,\"links\":\"$d5\"}\nde:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\ndd:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$de\"}\ndc:{\"help\":\"$dd\"}\ndb:{\"links\":\"$dc\"}\nda:{\"type\":\"ta"])</script><script>self.__next_f.push([1,"xonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$db\"}\nd9:[\"$da\"]\ne0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"}\ne1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}\ndf:{\"related\":\"$e0\",\"self\":\"$e1\"}\nd8:{\"data\":\"$d9\",\"links\":\"$df\"}\ncd:{\"vid\":\"$ce\",\"revision_user\":\"$d4\",\"parent\":\"$d8\"}\nc8:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":\"$c9\",\"attributes\":\"$cb\",\"relationships\":\"$cd\"}\ne4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}\ne3:{\"self\":\"$e4\"}\ne6:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\ne5:{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$e6\"}\nea:{\"drupal_internal__target_id\":\"topics\"}\ne9:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$ea\"}\nec:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"}\ned:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}\neb:{\"related\":\"$ec\",\"self\":\"$ed\"}\ne8:{\"data\":\"$e9\",\"links\":\"$eb\"}\nf0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"}\nf1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}\nef:{\"related\":\"$f0\",\"self\":\"$f1\"}\nee:{\"data\":null,\"links\":\"$ef\"}\nf8:{\"about\":\"Usage and meaning of the 'virtual' resource ide"])</script><script>self.__next_f.push([1,"ntifier.\"}\nf7:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$f8\"}\nf6:{\"help\":\"$f7\"}\nf5:{\"links\":\"$f6\"}\nf4:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$f5\"}\nf3:[\"$f4\"]\nfa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"}\nfb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}\nf9:{\"related\":\"$fa\",\"self\":\"$fb\"}\nf2:{\"data\":\"$f3\",\"links\":\"$f9\"}\ne7:{\"vid\":\"$e8\",\"revision_user\":\"$ee\",\"parent\":\"$f2\"}\ne2:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":\"$e3\",\"attributes\":\"$e5\",\"relationships\":\"$e7\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--library\",\"id\":\"596fc706-aa93-4b33-84a6-e648cf6c563d\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/596fc706-aa93-4b33-84a6-e648cf6c563d?resourceVersion=id%3A5777\"}},\"attributes\":{\"drupal_internal__nid\":1141,\"drupal_internal__vid\":5777,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T16:04:17+00:00\",\"status\":true,\"title\":\"CMS Key Management Handbook \",\"created\":\"2023-08-23T13:26:44+00:00\",\"changed\":\"2024-08-05T16:04:17+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-key-management-handbook\",\"pid\":993,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2022-10-14\",\"field_related_resources\":[{\"uri\":\"https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final\",\"title\":\"NIST SP 800-57 Part 1 Rev. 5: Recommendations for Key Management\",\"options\":[],\"url\":\"https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final\"},{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2)\",\"options\":[],\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"},{\"uri\":\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Policies\",\"title\":\"CMS Chief Information Officer (CIO) Policies \",\"options\":[],\"url\":\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Policies\"}],\"field_short_description\":{\"value\":\"Guidance on the management lifecycle of cryptographic keys: data used to lock or unlock functions, including authentication, authorization, and encryption \",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eGuidance on the management lifecycle of cryptographic keys: data used to lock or unlock functions, including authentication, authorization, and encryption\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/596fc706-aa93-4b33-84a6-e648cf6c563d/node_type?resourceVersion=id%3A5777\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/596fc706-aa93-4b33-84a6-e648cf6c563d/relationships/node_type?resourceVersion=id%3A5777\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/596fc706-aa93-4b33-84a6-e648cf6c563d/revision_uid?resourceVersion=id%3A5777\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/596fc706-aa93-4b33-84a6-e648cf6c563d/relationships/revision_uid?resourceVersion=id%3A5777\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/596fc706-aa93-4b33-84a6-e648cf6c563d/uid?resourceVersion=id%3A5777\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/596fc706-aa93-4b33-84a6-e648cf6c563d/relationships/uid?resourceVersion=id%3A5777\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/596fc706-aa93-4b33-84a6-e648cf6c563d/field_resource_type?resourceVersion=id%3A5777\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/596fc706-aa93-4b33-84a6-e648cf6c563d/relationships/field_resource_type?resourceVersion=id%3A5777\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/596fc706-aa93-4b33-84a6-e648cf6c563d/field_roles?resourceVersion=id%3A5777\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/596fc706-aa93-4b33-84a6-e648cf6c563d/relationships/field_roles?resourceVersion=id%3A5777\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/596fc706-aa93-4b33-84a6-e648cf6c563d/field_topics?resourceVersion=id%3A5777\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/596fc706-aa93-4b33-84a6-e648cf6c563d/relationships/field_topics?resourceVersion=id%3A5777\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}},\"attributes\":{\"display_name\":\"jcallan - retired\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}},\"attributes\":{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26?resourceVersion=id%3A81\"}},\"attributes\":{\"drupal_internal__tid\":81,\"drupal_internal__revision_id\":81,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:09:11+00:00\",\"status\":true,\"name\":\"Data Guardian\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:09:11+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/vid?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/vid?resourceVersion=id%3A81\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/revision_user?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/revision_user?resourceVersion=id%3A81\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/parent?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/parent?resourceVersion=id%3A81\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}},\"attributes\":{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}},\"attributes\":{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}}}}}],\"includedMap\":{\"ab4b0312-f678-40b9-ae06-79025f52ff43\":\"$1a\",\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\":\"$24\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$28\",\"e3394b9a-cbff-4bad-b68e-c6fad326132e\":\"$2c\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$46\",\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\":\"$60\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$7a\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$94\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$ae\",\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\":\"$c8\",\"65ef6410-4066-4db4-be03-c8eb26b63305\":\"$e2\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"CMS Key Management Handbook | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Guidance on the management lifecycle of cryptographic keys: data used to lock or unlock functions, including authentication, authorization, and encryption \"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/policy-guidance/cms-key-management-handbook\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"CMS Key Management Handbook | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Guidance on the management lifecycle of cryptographic keys: data used to lock or unlock functions, including authentication, authorization, and encryption \"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/policy-guidance/cms-key-management-handbook\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/policy-guidance/cms-key-management-handbook/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"CMS Key Management Handbook | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Guidance on the management lifecycle of cryptographic keys: data used to lock or unlock functions, including authentication, authorization, and encryption \"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/policy-guidance/cms-key-management-handbook/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>
Reference in a new issue View git blame Copy permalink