cms-gov/security.cms.gov/policy-guidance/risk-management-handbook-chapter-16-system-communications-protection
2025-02-28 14:41:14 -05:00

<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><title>RMH Chapter 16: System &amp; Communications Protection | CMS Information Security &amp; Privacy Group</title><meta name="description" content="RMH Chapter 16 identifies the System &amp; Communications Protection (SC) family of controls that monitor, control, and protect organizational communication at CMS"/><link rel="canonical" href="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-16-system-communications-protection"/></head><body><main id="main"><div id="template"><section class="hero hero--theme-library undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5
widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">RMH Chapter 16: System &amp; Communications Protection</h1><p class="hero__description">RMH Chapter 16 identifies the System &amp; Communications Protection (SC) family of controls that monitor, control, and protect organizational communication at CMS</p><p class="font-sans-2xs line-height-sans-5 margin-bottom-0">Last reviewed: 7/10/2020</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-8"><section class="resource-collection radius-md padding-y-2 padding-x-3 bg-base-lightest"><h1 class="resource-collection__header h3 margin-top-0 margin-bottom-2">Related Resources</h1><div class="grid-row grid-gap-4"><div class="tablet:grid-col-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS) </a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold"
href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2">CMS Information Systems Security and Privacy Policy (IS2P2)</a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/learn/cms-security-and-privacy-handbooks">CMS Security and Privacy Handbooks (all)</a></div></div></section><section><div class="text-block text-block--theme-library"><h2>Introduction</h2><p>The Risk Management Handbook Chapter 16: System and Communications Protection (SC) focuses on how the organization must monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems, and employ architectural designs, software development techniques, and systems engineering principles that promote effective information security and privacy assurance within organizational information systems. Some of the controls discussed within this chapter include Application Partitioning, Security Function Isolation, Information in Shared Resources, Denial of Service Protection, Boundary Protection, Transmission Confidentiality and Integrity, Cryptographic Protection, and Public Key Infrastructure Certificates. There are also procedures surrounding Mobile Code, Voice Over Internet Protocol (VOIP), Session Authenticity, Email, and Website Usage.</p><h2>System and Communications Protection (SC) Controls</h2><h3>Application Partitioning (SC-2)</h3><p>The purpose of this control is to ensure that the information system separates user functionality from information system management functionality, either physically or logically. Enforcing the separation of information flows by type can enhance protection by ensuring that information is protected while in transit. 
Types of separable information include, for example, inbound and outbound communications traffic and service requests.</p><p>The CMS Technical Reference Architecture (TRA) provides the authoritative technical architecture approach and technical reference standards of CMS. Compliance with the TRA helps ensure that CMS information technology (IT) systems and infrastructure will support secure and high-quality delivery of healthcare services to beneficiaries, providers, and business partners, and aligns CMS systems with the Federal Enterprise Architecture Framework (FEAF).</p><p>The CMS Target Life Cycle (TLC) replaces the CMS legacy Expedited Life Cycle (XLC) with a more business-focused and flexible System Development Life Cycle (SDLC) process. In place of the XLC's point-in-time gate reviews with required artifacts, the TLC relies on “as needed” consultations via the Business Owner with the Office of Information Technology (OIT) Navigator, the EA team, Subject Matter Experts (SMEs), and/or Governance Review Teams (GRT). This flexible approach provides for more continuous evaluation and situational governance reviews as needed to better meet CMS program needs. The four phases of the TLC are Intake, Develop, Operate, and Retire. During the Develop Phase, detailed user stories or requirements are created, and the solution is designed, built, deployed to a non-production environment, and tested for compliance with the requirements and CMS standards so that it is production ready. 
Requirements, user stories, design, development and testing must all be done in compliance with the CMS TRA and security, privacy and accessibility standards.</p><p>Guidance for systems processing, storing, or transmitting PII (to include PHI):</p><p>It is necessary to store sensitive information, such as PII, on separate logical partitions from applications and software that provide user functionality to restrict accidental or unintentional loss of, or access to, sensitive information by both unauthorized users and unauthorized applications.</p><p>CMS applications must be configured to prevent the operation of all system administrative functions except those that originate from the Management and Security Bands. When necessary, application administrative functions can be accessed via the Application Zone by defining application administrative roles and documenting the associated risks and compensating controls in the System Security and Privacy Plan (SSPP) and Information Security Risk Analysis (ISRA). CMS uses, for example, different computers, different central processing units, different network addresses or combinations of these to implement separation of system management-related functionality from user functionality.</p><h3>Security Function Isolation (SC-3)</h3><p>Security functions and non-security functions are separated by the information systems through an isolation boundary. Security functions, for example, include establishing system accounts and configuring access authorizations. At CMS, an isolation boundary provides access control and protects the reliability of the hardware, software, and firmware that perform security functions. 
Operating systems implement code separation (i.e., separation of security functions from non-security functions) in a number of different ways.</p><p>At CMS, developers and implementers increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries.</p><p>Each System Developer and Maintainer (SDM) is also responsible for maintaining appropriate security for all secure boundaries and for implementing the appropriate tools and technologies to meet CMS and federal requirements.</p><h3>Information in Shared Resources (SC-4)</h3><p>Preventing unauthorized information transfers mitigates the risk of information being available to any current users/roles (or current processes) that are granted access to shared system resources after those resources have been released back to information systems.</p><p>Guidance for systems processing, storing, or transmitting PII (to include PHI):</p><p>Following use of a shared system resource, ensure that the shared system resource(s) are purged of personally identifiable information (PII) to prevent unintended users or processes from accessing PII.</p><p>CMS, in accordance with <a href="https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf">OMB Circular No. 
A-130</a>, implements information security programs and privacy programs with the flexibility to meet current and future information management needs and the sufficiency to comply with Federal requirements and manage risks.</p><h3>Denial of Service Protection (SC-5)</h3><p>The purpose of this control is to ensure the information system protects against or limits the effects of the types of denial of service attacks defined in federal guidelines.</p><p>Denial of Service (DoS) attacks are generally defined as any attack that can destabilize the network's or system's ability to perform expected functions. In the case of a Distributed Denial of Service (DDoS) attack, the attacker uses multiple compromised or controlled sources to generate an attack. Protection against DoS attacks involves a combination of attack detection, traffic classification, and response tools that aim to block traffic identified as illegitimate and allow traffic identified as legitimate.</p><p>The table below outlines the CMS organizationally defined parameters (ODPs) for SC-5.</p><p><strong>Table 1: CMS Defined Parameters Control SC-5</strong></p><table><tbody><tr><td><strong>Control</strong></td><td><strong>Control Requirement</strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>SC-5</td><td>The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].</td><td>The information system protects against or limits the effects of the types of denial of service attacks defined in NIST SP 800-61, Computer Security Incident Handling Guide, and the following websites by employing defined security safeguards (defined in the applicable system security and privacy plan): <a href="https://www.sans.org/security-resources/">SANS Organization's 
Roadmap to Defeating Distributed Denial of Service (DDoS)</a> and the <a href="https://nvd.nist.gov/">NIST National Vulnerability Database</a></td></tr></tbody></table><p>CMS adheres to security safeguards listed by the SANS Institute to reduce the likelihood of DoS attacks, which include:</p><ul><li>Egress filtering to stop spoofed IP packets from leaving the network.<ul><li>Deny invalid source IP addresses</li><li>Deny private &amp; reserved source IP addresses (not necessary if invalid source IP addresses are denied)</li></ul></li><li>Stopping the network from being used as a broadcast amplification site.<ul><li>Disable IP directed broadcast on all systems</li><li>Test your network to determine if it is an amplification site</li><li>Require that vendors disable IP directed broadcast by default</li></ul></li></ul><p>CMS also adheres to the <a href="https://www.sans.org/dosstep/roadmap">Consensus Roadmap for Defeating Distributed Denial of Service Attacks</a> outlined by the SANS Institute, as amended.</p><p>CMS complies with <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf">NIST Special Publication 800-61 rev2</a>, <em>Computer Security Incident Handling Guide</em>, which provides guidelines for incident handling of DoS/DDoS attacks, particularly for analyzing incident-related data and determining the appropriate response to each incident.</p><h3>Boundary Protection (SC-7)</h3><p>This control ensures the monitoring and control of communications at the “external boundary” of the overall information systems landscape for purposes of preventing and detecting malicious, unauthorized communication using numerous tools. More specifically, boundary protection differentiates external, untrusted networks from those deemed trusted and secure. 
Boundary protection is yet another information security principle that aids in ensuring the confidentiality, integrity, and availability (CIA) of an organization's critical system resources.</p><p>At CMS, communications and processing connections are controlled via an integrated system of firewalls, routers, and Intrusion Detection System (IDS) equipment. Traffic flow is controlled through managed routers and switches. The configuration of the firewall systems follows vendor recommendations. CMS utilizes firewalls, perimeter routers, and IDS, configured to provide defense-in-depth.</p><h4>Access Points (SC-7(3))</h4><p>The purpose of this control enhancement is to protect the information system by restricting access from external network connections. The number of access points to the information system must be restricted to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.</p><p>CMS access points consist of boundary protection devices arranged in accordance with its effective security architecture. Connections are consistent with the organization's enterprise technology and security architecture.</p><p>CMS complies with the Office of Management and Budget (OMB) Memorandum, <em>Implementation of Trusted Internet Connections, </em><a href="https://georgewbush-whitehouse.archives.gov/omb/memoranda/fy2008/m08-05.pdf">M-08-05</a>, November 20, 2007, which states that all federal agencies must optimize and standardize the security of individual external connections. 
In addition, security controls must be implemented within all federal network operating environments.</p><h4>External Telecommunications Services (SC-7(4))</h4><p>The purpose of this control enhancement is to ensure the organization implements a managed interface for each external telecommunication service, establishes a traffic flow policy for each managed interface, and protects the confidentiality and integrity of the information being transmitted across each interface.</p><p>The table below outlines the CMS organizationally defined parameters (ODPs) for SC-7(4).</p><p><strong>Table 2: CMS Defined Parameters Control SC-7(4)</strong></p><table><tbody><tr><td><strong>Control</strong></td><td><strong>Control Requirement</strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>SC-7(4)</td><td><p>The organization:</p><p>e. Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions no longer supported by an explicit mission/business need.</p></td><td><p>The organization:</p><p>e. Reviews exceptions to the traffic flow policy within every three hundred sixty-five (365) days or implementation of a major new system, and removes exceptions that are no longer supported by an explicit mission/business need.</p></td></tr></tbody></table><p>Firewalls provide protection to the mainframe and the rest of the infrastructure at CMS.</p><p>CMS has deployed firewalls at all internet access points and between shared support infrastructure and customer networks. 
Firewall and/or routing requests are necessary to facilitate new firewall rules and/or user-to-system or system-to-system connectivity across the CMS Wide Area Network (WAN).</p><p>For information on the CMS Firewall and Routing Request Form, contact the CMS IT Service Desk by calling (410) 786-2580 or (800) 562-1963; or by sending an email to <a href="mailto:cms_it_service_desk@cms.hhs.gov">cms_it_service_desk@cms.hhs.gov</a> to open a ticket.</p><h4>Deny by Default/Allow by Exception (SC-7(5))</h4><p>The purpose of this control enhancement is to ensure only connections that are integral and vetted are allowed in inbound and outbound network communications traffic. Organizational information systems enforce a firewall configuration policy that requires users to be registered at the site, authenticated, and authorized prior to gaining access.</p><p>As CMS brings many applications onto the Internet, it is imperative to ensure the security of the applications and the integrity of the information transferred to and from them. For machine-to-machine connections, not only must the system be physically secure, but incoming and outgoing data must be protected to prevent compromise of CMS information integrity. In order to establish that connection, each machine must ensure that it is connecting to a trusted machine on the other end. Failing to identify and prohibit unauthorized traffic leaves the enclave vulnerable to attack. The initial defense for the internal network is for protection measures to block any traffic at the perimeter that is attempting to make a connection (or otherwise establish a traffic flow) to a host in the internal network. Outbound traffic is allowed by default, and inbound traffic is blocked by default, which is accomplished by CMS's firewalls and load balancers. 
The firewalls deny all and permit by exception using CMS-specific infrastructure rules.</p><h4>Prevent Split Tunneling for Remote Devices (SC-7(7))</h4><p>The purpose of this control is to ensure the information system, in conjunction with a remote device, prevents a device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.</p><p>CMS enforces the use of VPNs, sufficiently provisioned with applicable security controls, to provide a means for allowing non-remote communications paths from remote devices.</p><p>In order to securely connect to the CMS Network remotely, a user must have:</p><ul><li>A CMS-issued laptop (for example). This will contain the VPN software you need to access the VPN.</li><li>An Authentication Device. This can be either your PIV Card (Personal Identity Verification), PIV PIN (Personal Identity Number), or RSA Token “fob.” If you have been issued a PIV card, this should be the method of connecting to the VPN. The RSA Token should only be used if your PIV card has not been issued yet.</li><li>High-speed Internet access from a remote location (dial-up is not supported).</li></ul><p>Additional information on connecting to the CMS Network using VPN can be found in <a href="https://cmsintranet.share.cms.gov/CT/Documents/20120807_getting_started_with_remote_access_v2.pdf">Getting Started with Remote Access to the CMS Network</a>.</p><h4>Route Traffic to Authenticated Proxy Servers (SC-7(8))</h4><p>The purpose of this control enhancement is to ensure the information system routes all user-initiated internal communications traffic to untrusted external networks through authenticated proxy servers at managed interfaces. 
A proxy server is a server application or appliance that acts as an intermediary for requests from clients seeking resources from servers that provide those resources. A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server.</p><p>The table below outlines the CMS organizationally defined parameters (ODPs) for SC-7(8).</p><p><strong>Table 3: CMS Defined Parameters Control SC-7(8)</strong></p><table><tbody><tr><td><strong>Control</strong></td><td><strong>Control Requirement</strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>SC-7(8)</td><td><p>The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.</p></td><td>The information system routes all user-initiated internal communications traffic to untrusted external networks through authenticated proxy servers at managed interfaces.</td></tr></tbody></table><p>At CMS, the proxy server acts as a single point of contact serving client requests. The proxy server authenticates each request based on Client Exchange/Device ID and other parameters and forwards the request to the desired destination server. URL filter servers, a form of proxy server, can block access to unsafe websites. They also produce logs that track access to known malware-hosting sites and URL block list access. These logs can assist a security analyst in identifying compromised hosts on the local network. 
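Triage of the URL-filter logs described above, as an added example that is not CMS's or any vendor's code: it parses a constructed, simplified proxy log format and flags internal clients that reach malicious-category hosts or generate bursts of blocked requests. The log format, the category names and the thresholds are assumptions for this example.

```python
"""Triage of URL-filter / proxy logs for hosts that may be compromised.

Constructed, simplified log format for this example (not CMS's or any vendor's):
  <ISO-8601 timestamp> <client_ip> <method> <url> <http_status> <category> <action>
`action` is ALLOWED or BLOCKED; `category` is the URL filter's verdict on the site.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Filter categories that mean "known-bad infrastructure", as opposed to merely
# disallowed content such as gambling. Category names are assumptions.
MALICIOUS_CATEGORIES = {"malware-hosting", "c2", "phishing"}


@dataclass
class Entry:
    ts: datetime
    client: str
    method: str
    url: str
    status: int
    category: str
    action: str

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_line(line: str) -> Optional[Entry]:
    """Parse one record; malformed records yield None so one bad line never halts triage."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, method, url, status, category, action = parts
    try:
        return Entry(datetime.fromisoformat(ts), client, method, url,
                     int(status), category, action)
    except ValueError:
        return None


def parse_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        entry = parse_line(line) if line.strip() else None
        if entry is not None:
            entries.append(entry)
    return entries


def suspicious_clients(entries: List[Entry], block_threshold: int = 3,
                       burst_window: timedelta = timedelta(minutes=5),
                       burst_count: int = 3) -> Dict[str, List[str]]:
    """Return {client_ip: [reasons]} for clients whose proxy traffic suggests compromise.

    Signals: any request to a malicious-category host (blocked or not); blocked requests
    to at least block_threshold distinct hosts; and at least burst_count blocked requests
    inside burst_window (machine-speed retries rather than a user clicking a bad link).
    """
    by_client: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        by_client[e.client].append(e)
    findings: Dict[str, List[str]] = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        reasons: List[str] = []
        bad_hosts = sorted({e.host for e in evs if e.category in MALICIOUS_CATEGORIES})
        if bad_hosts:
            reasons.append("contacted malicious-category hosts: " + ", ".join(bad_hosts))
        blocked = [e for e in evs if e.action == "BLOCKED"]
        blocked_hosts = {e.host for e in blocked}
        if len(blocked_hosts) >= block_threshold:
            reasons.append(f"{len(blocked)} blocked requests to {len(blocked_hosts)} distinct hosts")
        # Sliding window over the time-ordered blocked events.
        for i in range(len(blocked)):
            j = i
            while j < len(blocked) and blocked[j].ts - blocked[i].ts <= burst_window:
                j += 1
            if j - i >= burst_count:
                minutes = int(burst_window.total_seconds() // 60)
                reasons.append(f"{j - i} blocked requests within {minutes} minutes")
                break
        if reasons:
            findings[client] = reasons
    return findings


# Constructed sample log: one benign user, one host fetching payloads and beaconing,
# one user with a single policy (gambling) block, and one malformed record.
SAMPLE_LOG = """\
2024-03-04T09:00:01 10.20.30.5 GET http://news.example.net/today 200 news ALLOWED
2024-03-04T09:00:14 10.20.30.5 GET http://mail.example.net/inbox 200 webmail ALLOWED
2024-03-04T09:01:02 10.20.30.17 GET http://cdn.bad-example.org/payload.bin 403 malware-hosting BLOCKED
2024-03-04T09:01:03 10.20.30.17 GET http://cdn2.bad-example.org/payload.bin 403 malware-hosting BLOCKED
2024-03-04T09:01:05 10.20.30.17 POST http://beacon.bad-example.org/gate.php 403 c2 BLOCKED
2024-03-04T09:30:00 10.20.30.42 GET http://casino.example.com/ 403 gambling BLOCKED
this line is malformed and must be skipped
2024-03-04T10:15:00 10.20.30.42 GET http://news.example.net/sports 200 news ALLOWED
"""


def triage_sample() -> Dict[str, List[str]]:
    return suspicious_clients(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for client, reasons in triage_sample().items():
        print(client)
        for r in reasons:
            print("  -", r)
```

Only the payload-fetching host is reported; the single gambling block is policy noise, not a compromise signal.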
The System Developer and Maintainer (SDM) must collect and forward proxy/URL logs according to the organizational requirements.</p><h4>Fail Secure (SC-7(18))</h4><p>The purpose of this control enhancement is to ensure that in the event of operational failures of boundary protection devices at managed interfaces, the information system fails securely.</p><p>CMS utilizes Network Firewalls to prevent loss of boundary protection and to meet the requirement for this control enhancement. Network firewalls guard the internal computer network against malicious access from the outside, such as malware-infested websites or vulnerable, open network ports.</p><p>Firewalls are implemented in redundant pairs to prevent loss of boundary protection.</p><p>Each Network Firewall in the CMS Processing Environments must be provisioned with separate interfaces dedicated to each network segment and band with which it connects. CMS Network Firewalls provide various functions and restrict the ability to perform certain functions to an authorized administrator.</p><h4>Isolation of Information System Components (SC-7(21))</h4><p>Separating system components with boundary protection devices provides the capability for increased protection of individual components and to more effectively control information flows between those components. 
Isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected components.</p><p>The table below outlines the CMS organizationally defined parameters (ODPs) for SC-7(21).</p><p><strong>Table 4: CMS Defined Parameters Control SC-7(21)</strong></p><table><tbody><tr><td><strong>Control</strong></td><td><strong>Control Requirement</strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>SC-7(21)</td><td><p>The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions].</p></td><td>The organization employs boundary protection mechanisms to separate defined information system components (defined in the applicable system security plan) supporting CMS missions and/or business functions.</td></tr></tbody></table><p>CMS employs firewalls and a Network-based Intrusion Detection System (NIDS) to meet the requirements for this control enhancement. A NIDS is used to monitor and analyze network traffic to protect a system from network-based threats. A NIDS reads all inbound packets and searches for any suspicious patterns. 
When threats are discovered, based on their severity, the system takes action such as notifying administrators or barring the source IP address from accessing the network.</p><h3>Transmission Confidentiality and Integrity (SC-8)</h3><p>The purpose of this control is to ensure the information system protects the confidentiality and integrity of data in transit.</p><p>In accordance with the HHS Standard for Encryption of Computing Devices and Information, CMS policy states that all sensitive information at rest (and in transit) must be encrypted using a <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf">Federal Information Processing Standard (FIPS) 140-2</a>-validated solution to safeguard the confidentiality and integrity of information. CMS Data Encryption Standards mandate that it is the responsibility of all CMS personnel and business partners to protect CMS <strong>sensitive information</strong> while data is in transit (and at rest). When encryption is not technically feasible, CMS business owners must implement a specific set of compensating controls. <a href="https://security.cms.gov/learn/cms-enterprise-data-encryption-cede">CMS enterprise data encryption</a> standards can be reviewed by visiting the CMS CEDE page.</p><p>Guidance for systems processing, storing, or transmitting PII (to include PHI):</p><p>Because of the sensitivity of personally identifiable information (PII) and protected health information (PHI), the confidentiality and integrity of such information in transit must be assured.</p><p><strong>Sending an encrypted email using Office 365</strong></p><p>Communication between CMS.Net and email-as-a-service (also known as Office 365) is automatically encrypted. CMS utilizes Office 365 Message Encryption (OME) within Microsoft Outlook to send sensitive and protected data securely to recipients outside of CMS. 
All Government-Furnished Equipment (GFE) has this feature.</p><p>CMS adheres to the mandatory Email Services procedures outlined in <a href="https://intranet.hhs.gov/policy/hhs-policy-internet-and-email-security">HHS Policy for Internet and Email Security</a>, as amended, which establishes minimum requirements for securing the internet and email services throughout CMS in order to enhance integrity and confidentiality of internet-delivered data, minimize spam, unauthorized access, and misuse of information, and better protect users who might otherwise fall victim to attacks that appear to come from government-owned systems.</p><p><strong>Sending an encrypted email using your PIV</strong></p><p>CMS recommends the use of Personal Identity Verification (PIV) Card encryption to send documentation across the network. Email and any attachment that contains sensitive information, when transmitted inside and outside of CMS premises, shall be encrypted using the user's PIV card when possible. If PIV encryption is not feasible, a FIPS 140-2-validated solution must be employed:</p><ul><li>Password protection of files is recommended to add an additional layer of data protection but shall not be used in lieu of encryption solutions.</li><li>The password and/or encryption key shall not be included in the same email that contains sensitive information or in a separate email.</li><li>The password/encryption key shall be provided to the recipient separately via text message, verbally, or other out-of-band solution.</li></ul><p><strong>Sending an encrypted email to a third party through SecureZIP</strong></p><p>All e-mails with CMS sensitive information must be encrypted through the use of CMS-approved encryption software when outside of a controlled environment. The CMS-approved software is SecureZIP (PK Zip). 
SecureZIP is an application for zipping files to save storage space as well as encrypting files with password control to protect information.</p><p>For the procedure on how to encrypt using SecureZIP, go to <a href="https://cmsintranet.share.cms.gov/CT/_layouts/15/WopiFrame2.aspx?sourcedoc=%257B1629458C-DE32-43EF-8EF7-3569A96ABDC3%257D&amp;file=SecureZip-Instructions-2013.docx&amp;action=default&amp;DefaultItemOpen=1">SecureZIP Instructions</a>.</p><p>CMS also has specific encryption requirements for large file transfers. Additional information on large file transfers can be requested through the <a href="https://cmsintranet.share.cms.gov/OIT/Pages/IUSG.aspx">Infrastructure and User Services Group</a>.</p><h4>Cryptographic or Alternate Physical Protection (SC-8(1))</h4><p>The purpose of this control enhancement is to ensure the information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information when data is in transit.</p><p>Cryptography is a branch of applied mathematics concerned with transformations of data for security. In cryptography, a sender transforms unprotected information (plaintext) into coded text (ciphertext). A receiver uses cryptography to do one or more of the following:</p><ul><li>transform the ciphertext back into plaintext</li><li>verify the sender's identity</li><li>verify the data's integrity.</li></ul><p>Guidance for systems processing, storing, or transmitting PII (to include PHI):</p><p>Because of the sensitivity of PII, the confidentiality and integrity of such information in transit must be assured with encryption techniques if assurance is not provided by other means.</p><p>Guidance for systems processing, storing, or transmitting PHI:</p><p>Under the HIPAA Security Rule, this is an addressable implementation specification. HIPAA covered entities must conduct an analysis as described at 45 C.F.R. 
§ 164.306 (Security standards: General rules) part (d) (Implementation specifications) to determine how it must be applied within the organization. However, using cryptographic protection allows the organization to utilize the “Safe Harbor” provision under the Breach Notification Rule. If PHI is encrypted pursuant to the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (45 C.F.R. Part 164 Subpart D), then no breach notification is required following an impermissible use or disclosure of the information. Therefore, organizations should use cryptographic protections for PHI stored on electronic media.</p><p>The table below outlines the CMS organizationally defined parameters (ODPs) for SC-8(1).</p><p><strong>Table 5: CMS Defined Parameters Control SC-8(1)</strong></p><table><tbody><tr><td><strong>Control</strong></td><td><strong>Control Requirement</strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>SC-8(1)</td><td>The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].</td><td>The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by approved alternative safeguards and defined in the applicable system security plan and Information System Risk Assessment.</td></tr></tbody></table><p>At CMS, when cryptographic mechanisms are needed, the information system uses encryption products that have been validated under the <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/standards">Cryptographic Module Validation Program </a>to confirm compliance with FIPS 140-2 
in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</p><h3>Network Disconnect (SC-10)</h3><p>The purpose of this control is to ensure the termination of both internal and external network connections associated with a communications session at the end of the session. A session is an encounter between an end-user interface device (e.g., computer, terminal, process) and an application, including a network logon. A connection-based session is one that requires a connection to be established between hosts prior to an exchange of data.</p><p>The table below outlines the CMS organizationally defined parameters (ODPs) for SC-10.</p><p><strong>Table 6: CMS Defined Parameters Control SC-10</strong></p><table><tbody><tr><td><strong>Control</strong></td><td><strong>Control Requirement</strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>SC-10</td><td>The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.</td><td>The information system: a. terminates the network connection associated with a communications session at the end of the session, or: 1. Forcibly de-allocates communications session Dynamic Host Configuration Protocol (DHCP) leases after seven (7) days; and 2. Forcibly disconnects inactive VPN connections after thirty (30) minutes or less of inactivity; and b. 
terminates or suspends network connections (i.e., a system-to-system interconnection) upon issuance of an order by the CMS CIO, CISO, or Senior Official for Privacy (SOP).</td></tr></tbody></table><p>CMS information systems identify and terminate all inactive remote sessions (both user and information system sessions) automatically.</p><p>CMS applies the following Standard(s) in addition to the parameters listed in the table above:</p><ul><li>Configure systems to disable local access (i.e., lock the session) automatically after fifteen (15) minutes of inactivity. Require a password to restore local access.</li><li>Configure the information system to automatically terminate all remote sessions (user and information system) after the time stated in the system's SSPP.</li><li>Concurrent User ID network log-on sessions are limited to one (1); however, the number of concurrent application/process sessions is limited to what is expressly required for the performance of job duties, and must be documented in the SSPP if it is more than one (1) concurrent session.</li></ul><h3>Cryptographic Key Establishment and Management (SC-12)</h3><p>The purpose of this control is to ensure the organization establishes and manages cryptographic keys for required cryptography in accordance with applicable federal laws, executive orders, directives, regulations, policies, standards, and organizational guidance, when cryptography is required.</p><p>In cryptography, a <em>key</em> is a string of characters used within an encryption algorithm for altering data so that it appears random. Like a physical key, it locks (encrypts) data so that only someone with the right key can unlock (decrypt) it. The original data is known as the plaintext, and the data after the key encrypts it is known as the ciphertext. The formula: plaintext + key = ciphertext. 
Cryptographic techniques use cryptographic keys that are managed and protected throughout their lifecycles by a Cryptographic Key Management System (CKMS).</p><p>Guidance for systems processing, storing, or transmitting PII (to include PHI):</p><p>Because cryptography is used to protect sensitive information such as personally identifiable information (PII) and protected health information (PHI), cryptographic key establishment and management must be performed in such a way that even the loss of keys will not permit access to the sensitive information.</p><p>See section 3.6.1, Cryptographic or Alternate Physical Protection (SC-8(1)), for guidance for systems processing, storing, or transmitting PHI.</p><p>The table below outlines the CMS organizationally defined parameters (ODPs) for SC-12.</p><p><strong>Table 7: CMS Defined Parameters Control SC-12</strong></p><table><tbody><tr><td><strong>Control</strong></td><td><strong>Control Requirement</strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>SC-12</td><td>The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].</td><td>When cryptography is required and used within the information system, the organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with the HHS Standard for Encryption of Computing Devices and organizationally-defined requirements (defined in, or referenced by, the applicable System Security Plan) for key generation, distribution, storage, access, and destruction.</td></tr></tbody></table><p>At CMS, when cryptographic mechanisms are needed, the information system uses encryption products that have been validated under the Cryptographic Module Validation Program to confirm compliance with FIPS 140-2 in 
accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</p><p>CMS complies with the HHS Standard for Encryption of Computing Devices and Information, as amended, for cryptographic key establishment and management, when cryptography is required.</p><h4>Cryptographic Key Establishment and Management (Availability) (SC-12(1))</h4><p>The purpose of this control is to ensure the organization maintains availability of information in the event of the loss of cryptographic keys by users.</p><p>At CMS, mechanisms are employed to:</p><ul><li>Prohibit the use of encryption keys that are not recoverable by authorized personnel</li><li>Require senior management approval to authorize recovery of keys by someone other than the key owner</li><li>Comply with approved cryptography standards mentioned in section 3.9 Cryptographic Protection (SC-13).</li></ul><h3>Cryptographic Protection (SC-13)</h3><p>This control aims to ensure that the information system implements cryptographic mechanisms for data in transit and at rest, as the <a href="https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/policies-guides-encryption.pdf">HHS Standard for Encryption of Computing Devices and Information</a> mandates, and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</p><p>Guidance for systems processing, storing, or transmitting PII (to include PHI):</p><p>FIPS-validated cryptographic modules are the government standard for encryption. 
When sensitive information such as PII requires encryption, the organization must comply with these standards.</p><p>See Cryptographic or Alternate Physical Protection SC-8(1) for guidance for systems processing, storing, or transmitting PHI.</p><p>The table below outlines the CMS organizationally defined parameters (ODPs) for SC-13.</p><p><strong>Table 8: CMS Defined Parameters Control SC-13</strong></p><table><tbody><tr><td><strong>Control</strong></td><td><strong>Control Requirement</strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>SC-13</td><td>The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</td><td>The information system implements cryptographic mechanisms, in transit and at rest, as defined in the HHS Standard for Encryption of Computing Devices and Information, and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</td></tr></tbody></table><p>At CMS, cryptographic protection applies to both portable storage devices (e.g., USB memory sticks, CDs, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers).</p><p>When cryptographic mechanisms are needed, the information system uses encryption products that have been validated under the Cryptographic Module Validation Program to confirm compliance with FIPS 140-2 in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</p><h3>Collaborative Computing Devices (SC-15)</h3><p>At CMS, the use of collaborative computing devices such as white boards, cameras, and microphones is strictly prohibited unless authorized, in writing, by the CMS CIO or an authorized representative. 
If collaborative computing mechanisms are authorized, the&nbsp;authorization must explicitly identify the allowed devices, the allowed purpose, and the information system upon which the devices can be used. CMS network users are prohibited from loading non-approved collaborative software, such as chat programs, onto their GFE.</p><p>The table below outlines the CMS organizationally defined parameters (ODPs) for SC-15.</p><p><strong>Table 9: CMS Defined Parameters Control SC-15</strong></p><table><tbody><tr><td><strong>Control</strong></td><td><strong>Control Requirement</strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>SC-15</td><td><p>The information system:</p><ol><li>Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and</li><li>Provides an explicit indication of use to users physically present at the devices.</li></ol></td><td><p>The information system:</p><ol><li>Prohibits remote activation of collaborative computing devices; and</li><li>Provides an explicit indication of use to users physically present at the devices.</li></ol></td></tr></tbody></table><p>CMS offers employees a variety of CMS CIO-approved ways to collaborate and engage, whether for meetings or projects. These tools allow users to collaborate on projects and share or annotate one another's screen. 
Some collaborative tools allow users to schedule immediate meetings or recurring sessions.</p><p>CMS collaborative tool users must follow the following video/audio conference call etiquette:</p><ul><li>Be on time.</li><li>Introduce yourself at the beginning of the call (unless you're late).</li><li>Mute your phone when you're not speaking.</li><li>Identify yourself each time you speak.</li><li>Say “over” or “I'm done” when you are finished speaking, to avoid talking over others.</li><li>While you are speaking, keep background noise and movement to a minimum (e.g., don't shuffle papers) so others can hear you.</li><li>Use a handset or headset, rather than a speakerphone.</li><li>If you need to leave a call early, let everyone know at the start of the call.</li><li>Do not put the call on hold (on-hold music will play).</li><li>Close out of collaborative sessions after use, and power down your device at the end of each day.</li><li>Be mindful of phishing exploits associated with collaborative tools, especially those which have links for scheduled meetings.</li></ul><p>For more information on all approved collaborative computing devices, go to <a href="https://cmsintranet.share.cms.gov/CT/Pages/CMSCollaborationTools.aspx">CMS Collaboration Tools</a>&nbsp;on the CMS Intranet.&nbsp;</p><h4>Physical Disconnect (SC-15(1))</h4><p>The purpose of this control enhancement is to ensure the information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use and prevents the compromise of organizational information.</p><p>At the end of each meeting with a CMS collaborative tool which includes video conferencing, there's an option to securely “leave meeting” on the screen, or the meeting participants can wait for the host of the meeting to securely end the conference call.</p><h3>Public Key Infrastructure Certificates (SC-17)</h3><p>The purpose of this 
control is to ensure the organization issues public key certificates under an appropriate certificate policy or obtains public key certificates from an approved service provider.</p><p>Public key infrastructure (PKI), as stated in <em>NIST Special Publication 800-32: Introduction to Public Key Technology and the Federal PKI Infrastructure</em>, is the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on networks. PKI integrates digital certificates, public key cryptography, and certification authorities (CA) into a complete enterprise-wide network security architecture.</p><p>The table below outlines the CMS organizationally defined parameters (ODPs) for SC-17.</p><p><strong>Table 10: CMS Defined Parameters Control SC-17</strong></p><table><tbody><tr><td><strong>Control</strong></td><td><strong>Control Requirement</strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>SC-17</td><td><p>The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.</p></td><td>The organization issues public key certificates under an appropriate certificate policy or obtains public key certificates from an approved service provider.</td></tr></tbody></table><p>All public key certificates used at CMS are issued in accordance with Federal PKI policy and validated to the Federal PKI trust anchor when being used for user signing, encrypting purposes, authentication, and authorization.</p><p>The Certification Authority (CA) is responsible for issuing a public key certificate for each identity, confirming that the identity has the appropriate credentials.</p><p>At CMS, various Certificate Authority (CA) requests are available and processed through the Infrastructure and User Services Group - Division of Operations Management (IUSG-DOM).</p><p>There are 
two ways to submit a CA request for a certificate:</p><ul><li>Requestor submits a request through the Agency Solutions for Customer Support (ASCS) System.</li></ul><p><em><strong>Note: </strong>Only users with a CMS USER ID who have access to or VPN to the CMS Network will be able to log in to ASCS. If you do not have a CMS USER ID, see option #2 below to submit an email request.</em></p><ul><li>Requestor sends certificate request email to the <strong>CMS - DOMSSLCert </strong>mailbox at<a href="mailto:DOMSSLCert@cms.hhs.gov"> DOMSSLCert@cms.hhs.gov</a></li></ul><p>For inquiries on the type of certificate to request, contact the CMS - DOMSSLCert mailbox at <a href="mailto:DOMSSLCert@cms.hhs.gov">DOMSSLCert@cms.hhs.gov </a>for assistance.</p><h3>Mobile Code (SC-18)</h3><p>CMS establishes usage restrictions and implementation guidance which apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations within CMS information systems. The organization must document, monitor, and implement controls for the use of mobile code within the CMS information system. The CMS Technical Review Board (TRB) has the authority to permit or deny the use of mobile code.</p><p>CMS complies with the federal guidelines <a href="https://csrc.nist.gov/publications/detail/sp/800-28/version-2/final">NIST Special Publication 800-28 v2 Guidelines on Active Content and Mobile Code</a>, as amended.</p><p>Each form of mobile code has a different security model and Configuration Management process, increasing the complexity of securing mobile code hosts and the code itself. 
The Configuration Management process prevents the development, acquisition, or introduction of unacceptable mobile code within the information system.</p><h3>Voice Over Internet Protocol (SC-19)</h3><p>CMS prohibits the use of Voice over Internet Protocol (VoIP) devices unless explicitly authorized, in writing, by the CIO or an authorized representative. At CMS, Integrated VoIP is an audio feature that sends the audio from your WebEx meeting over the Internet instead of through the telephone. VoIP applications and devices must be configured to meet CMS FIPS 140-2 validated module requirements and must also be on the approved <a href="https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Validation/FIPS-171-Validation-List">FIPS 171 Validation List</a>.</p><p>Integrated VoIP can be a convenient and cost-effective alternative to traditional teleconferencing or WebEx Audio. You may want to use this option when:</p><ul><li>There will be a large number of attendees (up to 500 in Meeting Center).</li><li>Your meeting does not require much attendee participation, for example, a presentation rather than a discussion.</li><li>You don't have a toll-free number for attendees to call, or prefer not to incur the cost.</li></ul><p><em><strong>Note</strong>: There are some limitations with VoIP, such as the number of active microphones permitted and the number of participants who can speak simultaneously.</em></p><p>Additional information on conducting VoIP meetings can be found in the <a href="https://cmsintranet.share.cms.gov/CT/Documents/Conduct_Meetings_with_VoIP_Only.pdf">Cisco WebEx University Guide-to-Go</a>.</p><h3>Secure Name/Address Resolution Service (Authoritative Source) (SC-20)</h3><p>This control enables external clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution 
information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers; additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and the cryptographic keys used to produce them.</p><p>The Domain Name System (DNS) is a distributed computing system that enables access to Internet resources by user-friendly domain names rather than IP addresses, by translating domain names to IP addresses and back.</p><p>At CMS, the DNS infrastructure is made up of computing and communication entities called name servers. DNSSEC adds cryptographic protections to DNS exchanges: a validating resolver can authenticate the source of a DNS response and verify that it has not been altered in transit, which mitigates DNS spoofing and cache-poisoning attacks and improves the overall integrity and authenticity of name resolution data. DNSSEC does not provide confidentiality; responses are signed, not encrypted.</p><p>A significant portion of <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf">NIST SP 800-81rev2</a>&nbsp;<em>Secure Domain Name System (DNS) Deployment Guide </em>addresses DNSSEC implementation and CMS relies on this guidance.</p><h3>Secure Name/Address Resolution Service (Recursive or Caching Resolver) (SC-21)</h3><p>Each client of name resolution services either performs DNSSEC validation of the responses it receives on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers.</p><p>A recursive query is one in which a DNS server resolves a name on behalf of a client, querying other name servers as needed, rather than referring the client elsewhere. DNS name servers deployed within CMS's Processing Environments are configured to disable recursive queries from the Internet, so they cannot be used as open resolvers for cache-poisoning or amplification attacks. 
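As an added example (not part of this handbook and not CMS code), the following Python decodes the 12-byte DNS message header (RFC 1035; AD and CD bits from RFC 4035) and applies the SC-21 expectations described above: an Internet-facing authoritative server should answer with AA set and RA (recursion available) clear, while an internal caching resolver that validates DNSSEC should answer with RA set and AD set. The sample responses are constructed inline, not captured traffic; the function names are this example's own.

```python
"""Check DNS response header flags against the SC-20/SC-21 expectations:
an Internet-facing authoritative server must not offer recursion (RA clear,
AA set); an internal validating resolver should return DNSSEC-validated
answers (AD set). Added example; sample responses are constructed."""
import struct

HEADER = struct.Struct(">HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def build_header(txid, qr=1, aa=0, tc=0, rd=0, ra=0, ad=0, cd=0, rcode=0):
    """Build a 12-byte DNS header with the given flag bits (constructed sample).
    Question and answer sections are omitted; only the header is inspected."""
    flags = ((qr << 15) | (aa << 10) | (tc << 9) | (rd << 8)
             | (ra << 7) | (ad << 5) | (cd << 4) | (rcode & 0xF))
    return HEADER.pack(txid, flags, 0, 0, 0, 0)


def parse_flags(msg):
    """Decode the header flag word of a DNS message into named bits."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack(">HH", msg[:4])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,      # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,      # authoritative answer
        "tc": (flags >> 9) & 1,       # truncated
        "rd": (flags >> 8) & 1,       # recursion desired (copied from query)
        "ra": (flags >> 7) & 1,       # recursion available
        "ad": (flags >> 5) & 1,       # authenticated data (DNSSEC validated)
        "cd": (flags >> 4) & 1,       # checking disabled
        "rcode": flags & 0xF,
    }


def assess_authoritative(msg):
    """Findings for a response from an Internet-facing authoritative name
    server: recursion toward the Internet must be disabled (SC-21)."""
    f = parse_flags(msg)
    findings = []
    if f["qr"] != 1:
        findings.append("not a response (QR clear)")
    if f["ra"] == 1:
        findings.append("RA set: server offers recursion to Internet clients (open resolver)")
    if f["aa"] != 1:
        findings.append("AA clear: answer is not authoritative for the zone")
    return findings


def assess_validating_resolver(msg):
    """Findings for a response from an internal caching resolver that is
    expected to perform DNSSEC validation for its clients (SC-21)."""
    f = parse_flags(msg)
    findings = []
    if f["ra"] != 1:
        findings.append("RA clear: resolver does not offer recursion to internal clients")
    if f["rcode"] == 2:
        findings.append("SERVFAIL: DNSSEC validation failure or upstream problem")
    elif f["ad"] != 1:
        findings.append("AD clear: answer not DNSSEC-validated (resolver not validating, or zone unsigned)")
    return findings


# Constructed sample headers for the cases being checked.
AUTHORITATIVE_OK = build_header(0x1234, aa=1, ra=0)
OPEN_RESOLVER = build_header(0x1234, aa=0, ra=1)
VALIDATED_ANSWER = build_header(0x5678, rd=1, ra=1, ad=1)
UNVALIDATED_ANSWER = build_header(0x5678, rd=1, ra=1, ad=0)

if __name__ == "__main__":
    for label, msg, check in [
        ("authoritative, recursion disabled", AUTHORITATIVE_OK, assess_authoritative),
        ("authoritative, recursion offered", OPEN_RESOLVER, assess_authoritative),
        ("internal resolver, validated", VALIDATED_ANSWER, assess_validating_resolver),
        ("internal resolver, unvalidated", UNVALIDATED_ANSWER, assess_validating_resolver),
    ]:
        print(f"{label}: {check(msg) or 'OK'}")
```

Against a live server, parse_flags can be applied to the first 12 bytes of the UDP response to a query for a name the server is authoritative for. The AD bit is only meaningful when the query carried the EDNS0 DO bit or the AD bit and the zone is signed, so a clear AD bit is a prompt to investigate the resolver's validation settings rather than proof of a misconfiguration.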
CMS also uses caching servers at the Internet edge that store responses received from the Internet for requests originating from the intranet.</p><p>CMS adheres to the guidance in <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf">NIST SP 800-81rev2</a>&nbsp;<em>Secure Domain Name System (DNS) Deployment Guide</em>, as amended.</p><h3>Architecture and Provisioning for Name/Address Resolution Service (SC-22)</h3><p>The purpose of this control is to ensure the information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.</p><p>CMS's DNS architecture employs different types of authoritative name servers. To improve fault tolerance, these servers are deployed in each CMS data center.</p><p>CMS data center contractors manage all DNS servers, configurations, and tools in accordance with CMS Change Management and Configuration Management processes. 
The CMS Production Environment contractors currently integrate DNS system and error logs into other existing network management facilities to give CMS Operations staff a real-time view of the enterprise DNS.</p><p>CMS has developed DNS Business Rules to guide the development of the agency's DNS architecture, design, and implementations.</p><p>CMS adheres to the guidance in <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf">NIST SP 800-81rev2</a>&nbsp;<em>Secure Domain Name System (DNS) Deployment Guide</em>, as amended.</p><h3>Session Authenticity (SC-23)</h3><p>This control addresses communications protection at the session level, rather than the packet level, and establishes grounds for confidence at both ends of a communications session in the ongoing identities of the other parties and in the validity of the information transmitted.&nbsp;</p><p>At CMS, session authenticity is protected through the use of user and device identification and authentication. VPN connections to the information system are re-authenticated periodically during the connection.</p><p>Additional information on connecting to the VPN can be found in <a href="https://cmsintranet.share.cms.gov/CT/Documents/20120807_getting_started_with_remote_access_v2.pdf">Getting Started with Remote Access to the CMS Network</a>.</p><h3>Fail in Known State (SC-24)</h3><p>Failure in a known state helps to avert the loss of confidentiality, integrity, or availability (CIA) of information as a result of failures of organizational information systems or system components.</p><p>The table below outlines the CMS organizationally defined parameters (ODPs) for SC-24.</p><p><strong>Table 11: CMS Defined Parameters Control SC-24</strong></p><table><tbody><tr><td><strong>Control</strong></td><td><strong>Control Requirement</strong></td><td><strong>CMS 
Parameter</strong></td></tr><tr><td>SC-24</td><td>The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.</td><td>The information system fails to a known secure state for all failures preserving the maximum amount of state information in failure.</td></tr></tbody></table><p>At CMS, each operating system fails to a known secure state for all types of failures. Differential system backups are performed daily, with full backups performed on weekends. Tape backups allow for restoration of the system back to the previous evening. Backup tapes are stored in an off-site facility. The minimum retention period for tape backups is 90 days.</p><h3>Protection of Information at Rest (SC-28)</h3><p>The purpose of this control is to ensure the security of inactive data stored on any device or network.</p><p>Data at rest is data that is not actively moving from device to device or network to network, such as data stored on a hard drive, laptop, or flash drive, or archived/stored in some other way. Data protection at rest aims to secure inactive data stored on any device or network.</p><p>Guidance for systems processing, storing, or transmitting PII (to include PHI):</p><p>Because of the sensitivity of PII and protected health information (PHI), the confidentiality and integrity of such information must be assured for data at rest.</p><p>Guidance for systems processing, storing, or transmitting PHI:</p><p>Under the HIPAA Security Rule, this is an addressable implementation specification. HIPAA covered entities must conduct an analysis as described at 45 C.F.R. § 164.306 (Security standards: General rules) part (d) (Implementation specifications) to determine how the specification must be applied within the organization. 
However, using cryptographic protection allows the organization to utilize the “Safe Harbor” provision under the Breach Notification Rule. If PHI is encrypted pursuant to the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 FR 42740), then no breach notification is required following an impermissible use or disclosure of the information. Therefore, organizations should use cryptographic protections for PHI stored on electronic media.</p><p>The table below outlines the CMS organizationally defined parameters (ODPs) for SC-28.</p><p><strong>Table 12: CMS Defined Parameters Control SC-28</strong></p><table><tbody><tr><td><strong>Control</strong></td><td><strong>Control Requirement</strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>SC-28</td><td>The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].</td><td>The information system protects the confidentiality and integrity of information at rest, as defined in the HHS Standard for Encryption of Computing Devices and Information.</td></tr></tbody></table><p>CMS complies with the <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/HHS-Standard-for-Encryption-of-Computing-Devices-and-Information">HHS Policy (HHS Standard for Encryption of Computing Devices and Information)</a>, as amended, which mandates the use of data encryption software on workstations that automatically encrypts data on removable storage devices once they are inserted into the workstation.</p><p>Removable data storage devices 
allow users to move data from their CMS issued laptop to other computing devices.</p><p>CMS currently supports the following data storage devices:</p><ul><li>CMS issued or CMS approved USB Flash Drive.</li><li>CD/DVDs.</li><li>CMS approved External Hard Drives</li></ul><p>For information on writing an encrypted file to CD/DVD, go to <a href="https://cmsintranet.share.cms.gov/CT/Pages/StorageDeviceandEncryption.aspx">Storage Device and Encryption</a>.</p><p>Sensitive data stored either on GFE or non-GFE (contractor owned) shall be safeguarded in accordance with <a href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-111.pdf">NIST SP 800-111</a>&nbsp;<em>Guide to Storage Encryption Technologies for End User Devices </em>and the HHS Information Security and Privacy Policy (IS2P), as amended, including but not limited to:</p><ul><li>Folders/files containing sensitive Personally Identifiable Information (PII) or other sensitive data stored on a shared drive shall be encrypted and the folders configured to restrict access on a need-to-know basis;</li><li>Data backups shall be encrypted and securely transported/filed/archived.</li><li>For high-impact systems, cryptographic mechanisms shall be employed to protect the integrity of audit information (e.g., logs and audit tools).</li></ul><p>For highly sensitive information such as Sensitive PII (SPII), whole disk encryption alone is insufficient protection, because it protects only a powered-off or stolen disk and offers nothing once the system is running and the volume is unlocked. Encryption at the file or folder level is required. 
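The bullet above on protecting the integrity of audit information for high-impact systems describes a requirement without a mechanism. As an added example (not part of this handbook and not CMS code), the following Python shows one standard way to meet it: a keyed hash chain in which each audit record's tag is an HMAC-SHA-256 over its sequence number, the previous tag and the record, plus a seal over the record count and final tag. Modifying, reordering or deleting a record breaks every tag after it, and the seal catches truncation at the tail. The sample records and the key are constructed for the example; in practice the key would come from the CKMS described under SC-12 and be held by the audit collector rather than the hosts that write the logs.

```python
"""Keyed hash chain protecting the integrity of audit records (SC-28 bullet on
audit information for high-impact systems). Added example, not CMS code."""
import hashlib
import hmac
import json

ANCHOR = "0" * 64  # fixed tag preceding the first record

# Constructed sample audit records (not real CMS log data).
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T13:02:11Z", "event": "login", "user": "jdoe", "src": "10.1.2.3"},
    {"ts": "2024-05-01T13:04:52Z", "event": "phi_read", "user": "jdoe", "record_id": "MBI-0001"},
    {"ts": "2024-05-01T13:30:07Z", "event": "logout", "user": "jdoe"},
]
# Demo key (assumption); in practice it comes from the audit system's key store.
KEY = bytes.fromhex("7f3a9c1d2e4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a697887960a1b2c3d4e")


def _canonical(record):
    """Stable serialization so the same record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def _tag(key, seq, prev_tag, record):
    data = f"{seq}|{prev_tag}|{_canonical(record)}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def chain_log(key, records):
    """Wrap records as {seq, rec, tag} entries, each tag chained to the previous."""
    prev = ANCHOR
    chained = []
    for seq, rec in enumerate(records):
        tag = _tag(key, seq, prev, rec)
        chained.append({"seq": seq, "rec": rec, "tag": tag})
        prev = tag
    return chained


def seal(key, chained):
    """Seal over the record count and last tag. Store it apart from the log
    (e.g. with the audit collector) so tail truncation is detectable."""
    last = chained[-1]["tag"] if chained else ANCHOR
    return hmac.new(key, f"seal|{len(chained)}|{last}".encode(), hashlib.sha256).hexdigest()


def verify(key, chained, seal_tag):
    """Return (ok, offending_seq, reason). Tags are compared in constant time."""
    prev = ANCHOR
    for expected_seq, entry in enumerate(chained):
        if entry["seq"] != expected_seq:
            return False, expected_seq, "sequence gap: record deleted or reordered"
        tag = _tag(key, expected_seq, prev, entry["rec"])
        if not hmac.compare_digest(tag, entry["tag"]):
            return False, expected_seq, "record or chain tag modified"
        prev = tag
    if not hmac.compare_digest(seal(key, chained), seal_tag):
        return False, len(chained), "seal mismatch: log truncated or seal forged"
    return True, None, "ok"


def demo():
    """Run verify() over the intact chain and three tampered variants."""
    chained = chain_log(KEY, SAMPLE_RECORDS)
    seal_tag = seal(KEY, chained)
    modified = [dict(e, rec=dict(e["rec"], user="mallory")) if e["seq"] == 1 else e
                for e in chained]
    deleted = [e for e in chained if e["seq"] != 1]
    truncated = chained[:-1]
    return {
        "intact": verify(KEY, chained, seal_tag),
        "modified": verify(KEY, modified, seal_tag),
        "deleted": verify(KEY, deleted, seal_tag),
        "truncated": verify(KEY, truncated, seal_tag),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The chain only detects tampering; it does not prevent it, and an attacker who obtains the key can recompute every tag. Keeping the key off the logging hosts and forwarding sealed batches to a separate collector is what turns detection into an actual control.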
Encryption within a database at the field/record/table level will also meet this enhanced standard.</p><p>The <em>CMS Encryption of Sensitive Information Memorandum - Appendix A </em>located in the <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Information-Security-Library">ISP library</a>&nbsp;contains additional information on the CMS Encryption Policy and security controls.</p><h3>Process Isolation (SC-39)</h3><p>The purpose of this control is to ensure the information system maintains a separate execution domain for each executing process.</p><p>At CMS, each executing process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot change the executing code of another process. Relevant information is contained in the information system design documentation and the information system configuration settings in the SSPP of each system.</p><h3>Electronic Mail (SC-CMS-1)</h3><p>Incorporated into SC-8.</p><h3>Website Usage (SC-CMS-2)</h3><p>The CMS website and web services employ secure connections, such as Hypertext Transfer Protocol Secure (HTTPS). HTTPS is a combination of HTTP (Hypertext Transfer Protocol) and the network protocol Transport Layer Security (TLS), which establishes an encrypted connection to an authenticated peer over an untrusted network. 
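As an added example (not part of this handbook and not CMS code), the following Python builds a server-side TLS configuration in the spirit of NIST SP 800-52 Rev. 2 (TLS 1.2 minimum, TLS 1.3 permitted, AEAD suites with ephemeral key exchange, no compression) and audits an existing context against those expectations, then parses and checks a Strict-Transport-Security header as required for HTTPS-only federal sites. The one-year max-age floor is an assumption used here (the common preload-list threshold); the handbook does not state a value. The sample header sets are constructed, and the function names are this example's own.

```python
"""Server-side TLS settings aligned with NIST SP 800-52 Rev. 2 and an HSTS
header check for HTTPS-only sites (SC-CMS-2). Added example, not CMS code."""
import ssl

MIN_HSTS_MAX_AGE = 31536000  # one year; assumption for this example, not from the handbook


def hardened_server_context(certfile=None, keyfile=None):
    """TLS 1.2 minimum (TLS 1.3 allowed), AEAD AES-GCM suites with ephemeral
    (EC)DHE key exchange, compression and renegotiation disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)  # absent on old OpenSSL builds
    # TLS 1.2 suite list; TLS 1.3 suites are AEAD-only and not governed by this string.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Findings for an SSLContext that departs from the SP 800-52 Rev. 2 expectations."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    non_aead = [c["name"] for c in ctx.get_ciphers() if not c["aead"]]
    if non_aead:
        findings.append("non-AEAD cipher suites enabled: " + ", ".join(non_aead))
    static_rsa = [c["name"] for c in ctx.get_ciphers() if c["kea"] == "RSA"]
    if static_rsa:
        findings.append("static RSA key exchange (no forward secrecy): " + ", ".join(static_rsa))
    return findings


def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797; max-age is required."""
    out = {}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            out["max-age"] = int(val)
        elif name == "includesubdomains":
            out["includeSubDomains"] = True
        elif name == "preload":
            out["preload"] = True
        # unrecognised directives are ignored (RFC 6797 section 6.1)
    if "max-age" not in out:
        raise ValueError("max-age directive is required")
    return out


def audit_hsts(headers):
    """Findings for a public-facing site's response headers (names matched
    case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header missing (HTTPS-only with HSTS required)"]
    try:
        hsts = parse_hsts(value)
    except ValueError as exc:
        return [f"malformed HSTS header: {exc}"]
    findings = []
    if hsts["max-age"] < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {hsts['max-age']} is below {MIN_HSTS_MAX_AGE} seconds")
    if not hsts.get("includeSubDomains"):
        findings.append("HSTS does not cover subdomains (includeSubDomains absent)")
    return findings


if __name__ == "__main__":
    print("TLS context:", audit_context(hardened_server_context()) or "OK")
    # Constructed header sets: the weak setting beside the corrected one.
    print("weak HSTS:", audit_hsts({"Strict-Transport-Security": "max-age=300"}))
    print("good HSTS:", audit_hsts({"Strict-Transport-Security":
                                    "max-age=31536000; includeSubDomains; preload"}) or "OK")
```

HSTS is only honoured after a browser has seen the header over a valid HTTPS connection, so the first request to a domain is still exposed unless the domain is on the browser preload list; that is why the preload directive, and the long max-age the preload list requires, matter for public-facing sites.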
CMS implements and configures TLS in accordance with <a href="https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final">NIST SP 800-52 Rev. 2</a>, as amended.</p><p>CMS complies with procedures outlined in the <a href="https://intranet.hhs.gov/policy/hhs-policy-internet-and-email-security">HHS Policy for Internet and Email Security</a>, as amended, which include, but are not limited to:</p><ul><li>Securing all public-facing websites and internet services and providing services only through a secure connection using Hypertext Transfer Protocol Secure (HTTPS), with HTTP Strict Transport Security (HSTS) so that browsers do not fall back to plaintext HTTP</li><li>Monitoring all active websites periodically and randomly to ensure users adhere to HHS policies</li><li>Using only third-party websites, applications, and services that are authorized and compliant with HHS security and privacy policies.</li></ul><p>CMS also complies with and operates within the conditions detailed in OMB memoranda <a href="https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-22.pdf">M-10-22</a>&nbsp;“<em>Guidance for Online Use of Web Measurement and Customization Technologies</em>,” <a href="https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf">M-10-23</a>&nbsp;“<em>Guidance for Agency Use of Third-Party Websites and Applications</em>,” and <a href="https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2015/m-15-13.pdf">M-15-13</a>&nbsp;“<em>Policy to Require Secure Connections across Federal Websites and Web Services</em>.”</p></div></section></div></div></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give 
feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs 
line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"risk-management-handbook-chapter-16-system-communications-protection\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"policy-guidance\",\"risk-management-handbook-chapter-16-system-communications-protection\"],\"initialTree\":[\"\",{\"children\":[\"policy-guidance\",{\"children\":[[\"slug\",\"risk-management-handbook-chapter-16-system-communications-protection\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"policy-guidance\",{\"children\":[[\"slug\",\"risk-management-handbook-chapter-16-system-communications-protection\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"policy-guidance\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",n
</script><script>self.__next_f.push([1,"
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO 
Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 
Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization 
(OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero 
Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident 
Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice 
(SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 
Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row 
grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock 
icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not 
found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[3055,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"907\",\"static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js\"],\"default\"]\n18:Tefb6,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eIntroduction\u003c/h2\u003e\u003cp\u003eThe Risk Management Handbook Chapter 16: System and Communications Protection (SC) focuses on how the organization must: monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and employ architectural designs, software development techniques, and systems engineering principles that promote effective information security and privacy assurance within organizational information systems. Some of the controls discussed within this chapter include Application Partitioning, Security Function Isolation, Information Shared Resources, Denial of Service Protection, Boundary Protection, Transmission Confidentiality and Integrity, Cryptographic Protection, and Public Key Infrastructure Certificates. 
There are also procedures surrounding Mobile Code, Voice Over Internet Protocol (VOIP), Session Authenticity, Email and Website Usage.\u003c/p\u003e\u003ch2\u003eSystem and Communications Protection (SC) Controls\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eApplication Partitioning (SC-2)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure that the information system separates user functionality from information system management functionality, either physically or logically. Enforcing the separation of information flows by type can enhance protection by ensuring that information is protected while in transit. Types of separable information include, for example, inbound and outbound communications traffic and service requests.\u003c/p\u003e\u003cp\u003eThe CMS Technical Reference Architecture (TRA) provides the authoritative technical architecture approach and technical reference standards of CMS. Compliance with the TRA helps ensure that CMS information technology (IT) systems and infrastructure will support secure and high-quality delivery of healthcare services to beneficiaries, providers, and business partners, and aligns CMS systems with the Federal Enterprise Architecture Framework (FEAF).\u003c/p\u003e\u003cp\u003eThe CMS Target Life Cycle (TLC) replaces the CMS legacy Expedited Life Cycle (XLC) with a more business-focused and flexible System Development Life Cycle (SDLC) process. The TLC replaces XLC point-in-time gate reviews with required artifacts, with “as needed” consultations via the Business Owner with the Office of Information Technology (OIT) Navigator, the EA team, Subject Matter Experts (SMEs), and/or Governance Review Teams (GRT). This flexible approach provides for more continuous evaluation and situational governance reviews as needed to better meet CMS program needs. The four phases of the TLC are Intake, Develop, Operate, and Retire. 
During the Develop Phase, detailed user stories or requirements are created, the solution is designed, built, deployed to a non-production environment, and tested for compliance with the requirements and CMS standards so that it is production ready. Requirements, user stories, design, development and testing must all be done in compliance with the CMS TRA and security, privacy and accessibility standards.\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PII (to include PHI):\u003c/p\u003e\u003cp\u003eIt is necessary to store sensitive information, such as PII, on separate logical partitions from applications and software that provide user functionality to restrict accidental or unintentional loss of, or access to, sensitive information by both unauthorized users and unauthorized applications.\u003c/p\u003e\u003cp\u003eCMS applications must be configured to prevent the operation of all system administrative functions except those that originate from the Management and Security Bands. When necessary, application administrative functions can be accessed via the Application Zone by defining application administrative roles and documenting the associated risks and compensating controls in the System Security and Privacy Plan (SSPP) and Information Security Risk Analysis (ISRA). CMS uses, for example, different computers, different central processing units, different network addresses or combinations of these to implement separation of system management-related functionality from user functionality.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecurity Function Isolation (SC-3)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSecurity functions and non-security functions are separated by the information systems through an isolation boundary. Security functions, for example, include establishing system accounts and configuring access authorizations. 
At CMS, an isolation boundary provides access control and protects the reliability of the hardware, software, and firmware that perform security functions. Operating systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of different ways.\u003c/p\u003e\u003cp\u003eAt CMS, developers and implementers increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries.\u003c/p\u003e\u003cp\u003eEach System Developer and Maintainer (SDM) is also responsible for maintaining appropriate security for all secure boundaries and for implementing the appropriate tools and technologies to meet CMS and federal requirements.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eInformation in Shared Resources (SC-4)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePreventing unauthorized information transfers mitigates the risk of information remaining available to current users/roles (or current processes) that are granted access to shared system resources after those resources have been released back to the information system.\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PII (to include PHI):\u003c/p\u003e\u003cp\u003eFollowing use of a shared system resource, ensure that the shared system resource is purged of personally identifiable information (PII) to prevent unintended users or processes from accessing PII.\u003c/p\u003e\u003cp\u003eCMS, in accordance with \u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\"\u003eOMB Circular No. 
A-130\u003c/a\u003e, implements information security programs and privacy programs with the flexibility to meet current and future information management needs and the sufficiency to comply with Federal requirements and manage risks.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eDenial of Service Protection (SC-5)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure the information system protects against or limits the effects of the types of denial of service attacks defined in federal guidelines.\u003c/p\u003e\u003cp\u003eDenial of Service (DoS) attacks are generally defined as any attack that can destabilize the network's or system's ability to perform expected functions. In the case of a Distributed Denial of Service (DDoS) attack, the attacker uses multiple compromised or controlled sources to generate an attack. Protection against DoS attacks involves a combination of attack detection, traffic classification, and response tools that block traffic identified as illegitimate and allow traffic identified as legitimate.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-5.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 1: CMS Defined Parameters Control SC-5\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-5\u003c/td\u003e\u003ctd\u003eThe information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security 
safeguards].\u003c/td\u003e\u003ctd\u003eThe information system protects against or limits the effects of the types of denial of service attacks defined in NIST SP 800-61, Computer Security Incident Handling Guide, and the following websites by employing defined security safeguards (defined in the applicable system security and privacy plan): \u003ca href=\"https://www.sans.org/security-resources/\"\u003eSANS Organization's Roadmap to Defeating Distributed Denial of Service (DDoS)\u003c/a\u003e and the \u003ca href=\"https://nvd.nist.gov/\"\u003eNIST National Vulnerability Database\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS adheres to the security safeguards listed by the SANS Institute to reduce the chances of DoS attacks, which include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEgress filtering to stop spoofed IP packets from leaving the network.\u003cul\u003e\u003cli\u003eDeny invalid source IP addresses\u003c/li\u003e\u003cli\u003eDeny private \u0026amp; reserved source IP addresses (not necessary if invalid source IP addresses are denied)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eStopping the network from being used as a broadcast amplification site.\u003cul\u003e\u003cli\u003eDisable IP directed broadcast on all systems\u003c/li\u003e\u003cli\u003eTest your network to determine if it is an amplification site\u003c/li\u003e\u003cli\u003eRequire that vendors disable IP directed broadcast by default\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS also adheres to the \u003ca href=\"https://www.sans.org/dosstep/roadmap\"\u003eConsensus Roadmap for Defeating Distributed Denial of Service Attacks\u003c/a\u003e outlined by the SANS Institute, as amended.\u003c/p\u003e\u003cp\u003eCMS complies with \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf\"\u003eNIST Special Publication 800-61 rev2\u003c/a\u003e on 
\u003cem\u003eComputer Security Incident Handling Guide\u003c/em\u003e, which provides guidelines for incident handling of DoS/DDoS attacks, particularly for analyzing incident-related data and determining the appropriate response to each incident.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBoundary Protection (SC-7)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis control ensures the monitoring and control of communications at the “external boundary” of the overall information systems landscape for purposes of preventing and detecting malicious, unauthorized communication through the use of numerous tools. More specifically, boundary protection distinguishes external, untrusted networks from those deemed trusted and secure. Boundary protection is yet another information security principle that aids in ensuring the confidentiality, integrity, and availability (CIA) of an organization's critical system resources.\u003c/p\u003e\u003cp\u003eAt CMS, communications and processing connections are controlled via an integrated system of firewalls, routers, and Intrusion Detection System (IDS) equipment. Traffic flow is controlled through managed routers and switches. The configuration of the firewall systems follows vendor recommendations. CMS utilizes firewall perimeter routers and IDS, configured to provide defense in depth.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAccess Points (SC-7(3))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to protect the information system by restricting access from external network connections. 
The number of access points to the information system must be restricted to allow more comprehensive monitoring of inbound and outbound communications and network traffic.\u003c/p\u003e\u003cp\u003eCMS access points consist of boundary protection devices arranged in accordance with its effective security architecture. Connections are consistent with the organization's enterprise technology and security architecture.\u003c/p\u003e\u003cp\u003eCMS complies with the Office of Management and Budget (OMB) Memorandum \u003cem\u003eImplementation of Trusted Internet Connections\u003c/em\u003e, \u003ca href=\"https://georgewbush-whitehouse.archives.gov/omb/memoranda/fy2008/m08-05.pdf\"\u003eM-08-05\u003c/a\u003e, November 20, 2007, which states that all federal agencies must optimize and standardize the security of individual external connections. In addition, security controls must be implemented within all federal network operating environments.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eExternal Telecommunications Services (SC-7(4))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to ensure the organization implements a managed interface for each external telecommunication service, establishes a traffic flow policy for each managed interface, and protects the confidentiality and integrity of the information being transmitted across each interface.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-7(4).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 2: CMS Defined Parameters Control SC-7(4)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS 
Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-7(4)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003cp\u003ee. Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions no longer supported by an explicit mission/business need.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003cp\u003ee. Reviews exceptions to the traffic flow policy within every three hundred sixty-five (365) days or upon implementation of a major new system, and removes exceptions that are no longer supported by an explicit mission/business need.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eFirewalls provide protection to the mainframe and the rest of the infrastructure at CMS.\u003c/p\u003e\u003cp\u003eCMS has deployed firewalls at all internet access points and between shared support infrastructure and customer networks. Firewall and/or routing requests are necessary to facilitate new firewall rules and/or user-to-system or system-to-system connectivity across the CMS Wide Area Network (WAN).\u003c/p\u003e\u003cp\u003eFor information on the CMS Firewall and Routing Request Form, contact the CMS IT Service Desk by calling (410) 786-2580 or (800) 562-1963, or by sending an email to \u003ca href=\"mailto:cms_it_service_desk@cms.hhs.gov\"\u003ecms_it_service_desk@cms.hhs.gov\u003c/a\u003e to open a ticket.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eDeny by Default/Allow by Exception (SC-7(5))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to ensure that only vetted connections with an established need are allowed in inbound and outbound network communications traffic. 
The organization's information systems enforce a firewall configuration policy that requires a user to be registered, to have that registration authenticated, and to be authorized before gaining access.\u003c/p\u003e\u003cp\u003eAs CMS brings more applications onto the Internet, it is imperative to ensure the security of the applications and the integrity of the information transferred to and from them. For machine-to-machine connections, not only must the system be physically secure, but incoming and outgoing data must be protected to prevent compromise of CMS information integrity. In order to establish that connection, each machine must ensure that it is connecting to a trusted machine on the other end. Failing to identify and prohibit unauthorized traffic leaves the enclave vulnerable to attack. The initial defense for the internal network is for protection measures to block any traffic at the perimeter that is attempting to make a connection (or otherwise establish a traffic flow) to a host in the internal network. Outbound traffic is allowed by default, and inbound traffic is blocked by default, which is accomplished by the CMS's firewalls and load balancers. 
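As an added example (written for this page; it is not CMS's firewall configuration or any vendor's rule syntax), the following Python models the deny-by-default policy described here together with the egress-filtering and broadcast-amplification safeguards listed under SC-5: inbound traffic is denied unless an explicit, justified exception matches; inbound traffic addressed to one of the enclave's subnet broadcast addresses is refused; outbound traffic is permitted by default but dropped when its source address is not in the enclave's own prefixes, which also covers private and reserved sources. The enclave prefixes, the exception list, and the sample packets are constructed for the illustration.

```python
"""Deny-by-default / allow-by-exception boundary policy with egress anti-spoofing.

Added illustration of the safeguards the chapter describes. The prefixes,
exceptions and packets below are constructed; nothing here is CMS's real
address space or rule set.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed enclave prefixes (assumption; RFC 5737 documentation ranges).
ENCLAVE_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str         # source IP address
    dst: str         # destination IP address
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    direction: str   # "inbound" (from the Internet) or "outbound" (to the Internet)


@dataclass(frozen=True)
class AllowRule:
    """One inbound exception, each tied to a documented business need."""
    dst_net: str
    proto: str
    dport: int
    justification: str


# Constructed exception list; in practice this is the vetted rule set that the
# SC-7(4) review re-examines for exceptions no longer backed by a business need.
INBOUND_EXCEPTIONS = [
    AllowRule("203.0.113.10/32", "tcp", 443, "public HTTPS front end"),
    AllowRule("203.0.113.20/32", "tcp", 22, "SFTP drop box for partner file transfers"),
]


def source_is_spoofed(pkt: Packet) -> bool:
    """Egress filter: an outbound packet must carry a source address from the enclave.

    Anything else (another organisation's address, a private or reserved range,
    or an unparsable string) is treated as spoofed, so a separate 'deny
    private/reserved sources' rule is unnecessary, as the SANS list notes.
    """
    try:
        src = ip_address(pkt.src)
    except ValueError:
        return True
    return not any(src in net for net in ENCLAVE_PREFIXES)


def is_directed_broadcast(pkt: Packet) -> bool:
    """Inbound traffic to one of our subnet broadcast addresses would make the
    enclave an amplification site; refuse it regardless of port."""
    try:
        dst = ip_address(pkt.dst)
    except ValueError:
        return False
    return any(dst == net.broadcast_address for net in ENCLAVE_PREFIXES)


def evaluate(pkt: Packet) -> tuple:
    """Return (decision, reason) for one packet under the boundary policy."""
    if pkt.direction == "outbound":
        if source_is_spoofed(pkt):
            return ("deny", "egress filter: source address not in enclave prefixes")
        return ("allow", "outbound permitted by default")

    # Inbound: deny all, permit by exception.
    if is_directed_broadcast(pkt):
        return ("deny", "directed broadcast to enclave subnet")
    try:
        dst = ip_address(pkt.dst)
    except ValueError:
        return ("deny", "unparsable destination address")
    for rule in INBOUND_EXCEPTIONS:
        if dst in ip_network(rule.dst_net) and rule.proto == pkt.proto and rule.dport == pkt.dport:
            return ("allow", "exception: " + rule.justification)
    return ("deny", "inbound denied by default (no matching exception)")


# Constructed sample traffic exercising each branch of the policy.
SAMPLES = [
    Packet("192.0.2.7", "203.0.113.10", "tcp", 443, "inbound"),     # allowed by exception
    Packet("192.0.2.7", "203.0.113.10", "tcp", 3389, "inbound"),    # no exception: denied
    Packet("192.0.2.7", "203.0.113.255", "udp", 7, "inbound"),      # directed broadcast
    Packet("203.0.113.44", "192.0.2.200", "tcp", 443, "outbound"),  # legitimate egress
    Packet("10.0.0.5", "192.0.2.200", "udp", 53, "outbound"),       # spoofed/private source
]


def audit(packets=SAMPLES) -> list:
    """Evaluate every packet; returns a list of (packet, decision, reason)."""
    return [(p, *evaluate(p)) for p in packets]


if __name__ == "__main__":
    for pkt, decision, reason in audit():
        print(f"{pkt.direction:8} {pkt.src:>14} -> {pkt.dst:<14} "
              f"{pkt.proto}/{pkt.dport:<5} {decision:5} {reason}")
```

Running the file prints one decision per sample packet. Keeping every exception tied to a written justification is what makes the periodic exception review under SC-7(4) tractable: an entry whose justification no longer holds is the one to remove.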
The firewalls deny all and permit by exception using CMS-specific infrastructure rules.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePrevent Split Tunneling for Remote Devices (SC-7(7))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure the information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.\u003c/p\u003e\u003cp\u003eCMS enforces the use of VPNs, sufficiently provisioned with applicable security controls, to provide a means for allowing non-remote communications paths from remote devices.\u003c/p\u003e\u003cp\u003eIn order to securely connect to the CMS Network remotely, a user must have:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA CMS-issued laptop (for example). This will contain the VPN software you need to access the VPN.\u003c/li\u003e\u003cli\u003eAn Authentication Device. This can be either your PIV Card (Personal Identity Verification), PIV PIN (Personal Identity Number), or RSA Token “fob”. If you have been issued a PIV card, this should be the method of connecting to the VPN. 
The RSA Token should only be used if your PIV card has not been issued yet.\u003c/li\u003e\u003cli\u003eHigh-speed Internet access from a remote location (dial-up is not supported).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAdditional information on connecting to the CMS Network using VPN can be found in \u003ca href=\"https://cmsintranet.share.cms.gov/CT/Documents/20120807_getting_started_with_remote_access_v2.pdf\"\u003eGetting Started with Remote Access to the CMS Network\u003c/a\u003e.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eRoute Traffic to Authenticated Proxy Servers (SC-7(8))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to ensure the information system routes all user-initiated internal communications traffic to untrusted external networks through authenticated proxy servers at managed interfaces. A proxy server is a server application or appliance that acts as an intermediary for requests from clients seeking resources from servers that provide those resources. 
A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-7(8).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 3: CMS Defined Parameters Control SC-7(8)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-7(8)\u003c/td\u003e\u003ctd\u003eThe information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.\u003c/td\u003e\u003ctd\u003eThe information system routes all user-initiated internal communications traffic to untrusted external networks through authenticated proxy servers at managed interfaces.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAt CMS, the proxy server acts as a single point of contact serving client requests. The proxy server authenticates each request based on Client Exchange/Device ID and other parameters and forwards the request to the desired destination server. URL filter servers, a form of proxy server, can block access to unsafe websites. They also produce logs that track access to known malware-hosting sites and URL block list hits. These logs can assist a security analyst in identifying compromised hosts on the local network. 
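The following Python is an added example (not part of the RMH text and not a CMS tool) of the kind of analysis the passage describes: it parses URL-filter log records, matches each requested host against the current block list, and groups hits by client address. The log format, the log lines, and the block list (which uses reserved .invalid names) are all constructed for the illustration; a real filter's export format would need its own parser. A client is flagged on any hit against the list, including requests the filter allowed at the time, because a block list that gains an entry after the fact is one of the common ways an earlier beacon or download is found.

```python
"""Find local hosts that contacted block-listed sites, from URL-filter logs.

Added illustration; the log layout, records and block list are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log records in an assumed key=value layout (not a CMS product's format).
PROXY_LOG = """\
2024-05-01T08:00:03Z client=10.20.30.41 user=asmith method=GET url=https://www.example.com/ status=200 action=ALLOW
2024-05-01T08:00:09Z client=10.20.30.77 user=jdoe method=GET url=http://update-check.invalid/beacon?id=1 status=403 action=BLOCK
2024-05-01T08:05:10Z client=10.20.30.77 user=jdoe method=GET url=http://update-check.invalid/beacon?id=2 status=403 action=BLOCK
2024-05-01T08:10:11Z client=10.20.30.77 user=jdoe method=GET url=http://update-check.invalid/beacon?id=3 status=403 action=BLOCK
2024-05-01T08:12:45Z client=10.20.30.52 user=bnguyen method=GET url=http://cdn-mirror.invalid/installer.exe status=200 action=ALLOW
2024-05-01T08:13:00Z client=10.20.30.41 user=asmith method=POST url=https://www.example.org/login status=302 action=ALLOW
corrupted record that does not match the expected layout
"""

# Constructed block list (reserved .invalid names); a real list comes from the filter's threat feeds.
BLOCKLIST = {"update-check.invalid", "cdn-mirror.invalid"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"url=(?P<url>\S+) status=(?P<status>\d{3}) action=(?P<action>\S+)$"
)


def parse_line(line: str):
    """Parse one record; return a dict with a normalised 'host', or None if malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def find_suspect_clients(log_text: str, blocklist: set):
    """Group block-list hits by client address.

    Returns (suspects, skipped): suspects maps client IP -> summary dict; skipped
    counts malformed lines, reported rather than silently dropped so that a
    parser problem cannot hide activity.
    """
    suspects = defaultdict(lambda: {"user": None, "hits": 0, "hosts": set(),
                                    "allowed_at_the_time": 0, "first": None, "last": None})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["host"] not in blocklist:
            continue
        s = suspects[rec["client"]]
        s["user"] = rec["user"]
        s["hits"] += 1
        s["hosts"].add(rec["host"])
        if rec["action"] != "BLOCK":
            # The filter let this through; the host was probably listed later.
            s["allowed_at_the_time"] += 1
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    return dict(suspects), skipped


def triage_order(suspects: dict) -> list:
    """Clients to examine first: any allowed-through hit outranks blocked-only
    noise, then the number of hits."""
    return sorted(suspects,
                  key=lambda c: (-suspects[c]["allowed_at_the_time"], -suspects[c]["hits"]))


if __name__ == "__main__":
    found, bad = find_suspect_clients(PROXY_LOG, BLOCKLIST)
    print(f"{bad} malformed line(s) skipped")
    for client in triage_order(found):
        s = found[client]
        print(f"{client} ({s['user']}): {s['hits']} hit(s) on {sorted(s['hosts'])}, "
              f"{s['allowed_at_the_time']} allowed at the time, {s['first']} .. {s['last']}")
```

Triage puts clients with allowed-through hits first: a blocked request was stopped at the proxy, whereas an allowed one means the content actually reached the host. The repeated, evenly spaced requests from the second client are the pattern an analyst would then examine on the endpoint itself.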
The System Developer and Maintainer (SDM) must collect and forward proxy/URL logs according to the organizational requirements.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eFail Secure (SC-7(18))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to ensure that in the event of operational failures of boundary protection devices at managed interfaces, the information system fails securely.\u003c/p\u003e\u003cp\u003eCMS utilizes Network Firewalls to prevent loss of boundary protection and to meet the requirement for this control enhancement. Network firewalls guard the internal computer network against malicious access from the outside, such as malware-infested websites or vulnerable, open network ports.\u003c/p\u003e\u003cp\u003eFirewalls are implemented in redundant pairs to prevent loss of boundary protection.\u003c/p\u003e\u003cp\u003eEach Network Firewall in the CMS Processing Environments must be provisioned with separate interfaces dedicated to each network segment and band with which it connects. CMS Network Firewalls provide various functions and restrict the ability to perform certain functions to an authorized administrator.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIsolation of Information System Components (SC-7(21))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSeparating system components with boundary protection devices provides the capability for increased protection of individual components and to more effectively control information flows between those components. 
Isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected components.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-7(21).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 4: CMS Defined Parameters Control SC-7(21)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-7(21)\u003c/td\u003e\u003ctd\u003eThe organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions].\u003c/td\u003e\u003ctd\u003eThe organization employs boundary protection mechanisms to separate defined information system components (defined in the applicable system security plan) supporting CMS missions and/or business functions.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS employs firewalls and a Network-based Intrusion Detection System (NIDS) to meet the requirements for this control enhancement. A NIDS monitors and analyzes network traffic to protect a system from network-based threats: it reads all inbound packets and searches for suspicious patterns. 
When threats are discovered, the system takes action based on their severity, such as notifying administrators or barring the source IP address from accessing the network.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTransmission Confidentiality and Integrity (SC-8)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure the information system protects the confidentiality and integrity of data in transit.\u003c/p\u003e\u003cp\u003eIn accordance with the HHS Standard for Encryption of Computing Devices and Information, CMS policy states that all sensitive information at rest (and in transit) must be encrypted using a \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf\"\u003eFederal Information Processing Standard (FIPS) 140-2\u003c/a\u003e validated solution to safeguard the confidentiality and integrity of information. CMS Data Encryption Standards mandate that it is the responsibility of all CMS personnel and business partners to protect CMS \u003cstrong\u003esensitive information\u003c/strong\u003e while data is in transit (and at rest). When encryption is not technically feasible, CMS business owners must implement a specific set of compensating controls. 
\u003ca href=\"https://security.cms.gov/learn/cms-enterprise-data-encryption-cede\"\u003eCMS enterprise data encryption\u003c/a\u003e standards can be reviewed by visiting the CMS CEDE page.\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PII (to include PHI):\u003c/p\u003e\u003cp\u003eBecause of the sensitivity of personally identifiable information (PII) and protected health information (PHI), the confidentiality and integrity of such information in transit must be assured.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSending an encrypted email using Office 365\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCommunication between CMS.Net and email-as-a-service (also known as Office 365) is encrypted automatically. CMS utilizes Office 365 Message Encryption (OME) within Microsoft Outlook to send sensitive and protected data securely to recipients outside of CMS. All Government-Furnished Equipment (GFE) has this feature.\u003c/p\u003e\u003cp\u003eCMS adheres to the mandatory Email Services procedures outlined in the \u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-internet-and-email-security\"\u003eHHS Policy for Internet and Email Security\u003c/a\u003e, as amended, which establishes minimum requirements for securing the internet and email services throughout CMS in order to enhance the integrity and confidentiality of internet-delivered data; minimize spam, unauthorized access, and misuse of information; and better protect users who might otherwise fall victim to attacks that appear to come from government-owned systems.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSending an encrypted email using your PIV\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCMS recommends the use of Personal Identity Verification (PIV) Card encryption to send documents across the network. 
Email and any attachment that contains sensitive information, when transmitted inside or outside of CMS premises, shall be encrypted using the user's PIV card when possible. If PIV encryption is not feasible, a FIPS 140-2 validated solution must be employed:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePassword protection of files is recommended to add an additional layer of data protection but shall not be used in lieu of encryption solutions.\u003c/li\u003e\u003cli\u003eThe password and/or encryption key shall not be included in the same email that contains the sensitive information, nor in a separate email.\u003c/li\u003e\u003cli\u003eThe password/encryption key shall be provided to the recipient separately via text message, verbally, or another out-of-band solution.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSending an encrypted email to a third party through SecureZIP\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll e-mails with CMS sensitive information must be encrypted through the use of CMS approved encryption software when outside of a controlled environment. The CMS approved software is SecureZIP (PK Zip). SecureZIP is an application for zipping files to save storage space as well as encrypting files with password control to protect information.\u003c/p\u003e\u003cp\u003eFor the procedure on how to encrypt using SecureZIP, go to \u003ca href=\"https://cmsintranet.share.cms.gov/CT/_layouts/15/WopiFrame2.aspx?sourcedoc=%257B1629458C-DE32-43EF-8EF7-3569A96ABDC3%257D\u0026amp;file=SecureZip-Instructions-2013.docx\u0026amp;action=default\u0026amp;DefaultItemOpen=1\"\u003eSecureZIP Instructions\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eCMS also has specific encryption requirements for large file transfers. 
Additional information on large file transfers can be requested through the \u003ca href=\"https://cmsintranet.share.cms.gov/OIT/Pages/IUSG.aspx\"\u003eInfrastructure and User Services Group\u003c/a\u003e.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCryptographic or Alternate Physical Protection (SC-8(1))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to ensure the information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information when data is in transit.\u003c/p\u003e\u003cp\u003eCryptography is a branch of applied mathematics concerned with transformations of data for security. In cryptography, a sender transforms unprotected information (plaintext) into coded text (ciphertext). A receiver uses cryptography to either:\u003c/p\u003e\u003cul\u003e\u003cli\u003etransform the ciphertext back into plaintext\u003c/li\u003e\u003cli\u003everify the sender's identity\u003c/li\u003e\u003cli\u003everify the data's integrity, or some combination.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PII (to include PHI):\u003c/p\u003e\u003cp\u003eBecause of the sensitivity of PII, the confidentiality and integrity of such information in transit must be assured with encryption techniques if assurance is not provided by other means.\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PHI:\u003c/p\u003e\u003cp\u003eUnder the HIPAA Security Rule, this is an addressable implementation specification. HIPAA covered entities must conduct an analysis as described at 45 C.F.R. § 164.306 (Security standards: General rules) part (d) (Implementation specifications) to determine how it must be applied within the organization. However, using cryptographic protection allows the organization to utilize the “Safe Harbor” provision under the Breach Notification Rule. 
If PHI is encrypted pursuant to the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (45 C.F.R. Part 164 Subpart D), then no breach notification is required following an impermissible use or disclosure of the information. Therefore, organizations should use cryptographic protections for PHI stored on electronic media.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-8(1).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 5: CMS Defined Parameters Control SC-8(1)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-8(1)\u003c/td\u003e\u003ctd\u003eThe information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].\u003c/td\u003e\u003ctd\u003eThe information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by approved alternative safeguards and defined in the applicable system security plan and Information System Risk Assessment.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAt CMS, when cryptographic mechanisms are needed, the information system uses encryption products that have been validated under the \u003ca href=\"https://csrc.nist.gov/projects/cryptographic-module-validation-program/standards\"\u003eCryptographic 
Module Validation Program \u003c/a\u003eto confirm compliance with FIPS 140-2 in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNetwork Disconnect (SC-10)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure the termination of both internal and external networks associated with a communications session at the end of the session. A session is an encounter between an end-user interface device (e.g., computer, terminal, process) and an application, including a network logon. A connection-based session is one that requires a connection to be established between hosts prior to an exchange of data.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-10.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 6: CMS Defined Parameters Control SC-10\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-10\u003c/td\u003e\u003ctd\u003eThe information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.\u003c/td\u003e\u003ctd\u003eThe information system: a. terminates the network connection associated with a communications session at the end of the session, or: 1. Forcibly de-allocates communications session Dynamic Host Configuration Protocol (DHCP) leases after seven (7) days; and 2. Forcibly disconnects inactive VPN connections after thirty (30) minutes or less of inactivity; and b. 
terminates or suspends network connections (i.e., a system-to-system interconnection) upon issuance of an order by the CMS CIO, CISO, or Senior Official for Privacy (SOP).\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS information systems identify and terminate all inactive remote sessions (both user and information system sessions) automatically.\u003c/p\u003e\u003cp\u003eCMS applies the following Standard(s) in addition to the parameters listed in the table above:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConfigure systems to disable local access (i.e., lock the session) automatically after fifteen (15) minutes of inactivity. Require a password to restore local access.\u003c/li\u003e\u003cli\u003eConfigure the information system to automatically terminate all remote sessions (user and information system) after the time stated in the system's SSPP.\u003c/li\u003e\u003cli\u003eConcurrent User ID network log-on sessions are limited to one (1); however, the number of concurrent application/process sessions is limited to what is expressly required for the performance of job duties, and must be documented in the SSPP if it is more than one (1) concurrent session.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCryptographic Key Establishment and Management (SC-12)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure the organization establishes and manages cryptographic keys for required cryptography in accordance with applicable federal laws, executive orders, directives, regulations, policies, standards, and organizational guidance, when cryptography is required.\u003c/p\u003e\u003cp\u003eIn cryptography, a \u003cem\u003ekey \u003c/em\u003eis a string of characters used within an encryption algorithm for altering data so that it appears random. Like a physical key, it locks (encrypts) data so that only someone with the right key can unlock (decrypt) it. 
The original data is known as the plaintext, and the data after the key encrypts it is known as the ciphertext. The formula: plaintext + key = ciphertext. Cryptographic techniques use cryptographic keys that are managed and protected throughout their lifecycles by a Cryptographic Key Management System (CKMS).\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PII (to include PHI):\u003c/p\u003e\u003cp\u003eBecause cryptography is desired to protect sensitive information such as personally identifiable information (PII) and protected health information (PHI), cryptographic key establishment and management must be performed in such a way that even the loss of keys will not permit access to the sensitive information.\u003c/p\u003e\u003cp\u003eSee section 3.6.1 Cryptographic or Alternate Physical Protection SC-8(1) for guidance for systems processing, storing, or transmitting PHI.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-12.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 7: CMS Defined Parameters Control SC-12\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-12\u003c/td\u003e\u003ctd\u003eThe organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].\u003c/td\u003e\u003ctd\u003eWhen cryptography is required and used within the information system, the organization establishes and manages cryptographic keys for required cryptography employed within the information 
system in accordance with the HHS Standard for Encryption of Computing Devices and organizationally-defined requirements (defined in, or referenced by, the applicable System Security Plan) for key generation, distribution, storage, access, and destruction.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAt CMS, when cryptographic mechanisms are needed, the information system uses encryption products that have been validated under the Cryptographic Module Validation Program to confirm compliance with FIPS 140-2 in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/p\u003e\u003cp\u003eCMS complies with the HHS Standard for Encryption of Computing Devices and Information, as amended, for cryptographic key establishment and management, when cryptography is required.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCryptographic Key Establishment and Management (Availability) (SC-12(1))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure the organization maintains availability of information in the event of the loss of cryptographic keys by users.\u003c/p\u003e\u003cp\u003eAt CMS, mechanisms are employed to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProhibit the use of encryption keys that are not recoverable by authorized personnel\u003c/li\u003e\u003cli\u003eRequire senior management approval to authorize recovery of keys by someone other than the key owner\u003c/li\u003e\u003cli\u003eComply with approved cryptography standards mentioned in section 3.9 Cryptographic Protection (SC-13).\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCryptographic Protection (SC-13)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis control aims to ensure that the information system implements cryptographic mechanisms in transit and at rest, as the \u003ca 
href=\"https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/policies-guides-encryption.pdf\"\u003eHHS Standard for Encryption of Computing Devices and\u003c/a\u003e \u003ca href=\"https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/policies-guides-encryption.pdf\"\u003eInformation\u003c/a\u003e\u0026nbsp;mandates, and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PII (to include PHI):\u003c/p\u003e\u003cp\u003eFIPS-validated cryptographic modules are the government standard for encryption. When sensitive information such as PII requires encryption, the organization must comply with these standards.\u003c/p\u003e\u003cp\u003eSee Crptographic or Alternate Physical Protection SC-8(1) for Guidance for systems and processing, storing, or transmitting PHI.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-13.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 8: CMS Defined Parameters Control SC-13\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-13\u003c/td\u003e\u003ctd\u003eThe information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/td\u003e\u003ctd\u003eThe information system implements cryptographic mechanisms, in transit and at rest, as defined in the HHS Standard for Encryption of Computing Devices and Information, and in 
accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAt CMS, cryptographic protection applies to both portable storage devices (e.g., USB memory sticks, CDs, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers).\u003c/p\u003e\u003cp\u003eWhen cryptographic mechanisms are needed, the information system uses encryption products that have been validated under the Cryptographic Module Validation Program to confirm compliance with FIPS 140-2 in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCollaborative Computing Devices (SC-15)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAt CMS, the use of collaborative computing devices such as white boards, cameras, and microphones is strictly prohibited, unless authorized, in writing, by the CMS CIO or his authorized representative. If collaborative computing mechanisms are authorized, the\u0026nbsp;authorization must explicitly identify the allowed devices, the allowed purpose, and the information system upon which the devices can be used. 
CMS network users are prohibited from loading non-approved collaborative software such as chat programs onto their GFE.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-15.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 9: CMS Defined Parameters Control SC-15\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-15\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe information system:\u003c/p\u003e\u003col\u003e\u003cli\u003eProhibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and\u003c/li\u003e\u003cli\u003eProvides an explicit indication of use to users physically present at the devices.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe information system:\u003c/p\u003e\u003col\u003e\u003cli\u003eProhibits remote activation of collaborative computing devices; and\u003c/li\u003e\u003cli\u003eProvides an explicit indication of use to users physically present at the devices.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS offers employees a variety of CMS CIO-approved ways to collaborate and engage, whether for meetings or projects. These tools allow users to collaborate on projects and share or annotate one another's screen. 
Some collaborative tools allow users to schedule immediate meetings or recurring sessions.\u003c/p\u003e\u003cp\u003eUsers of CMS collaborative tools must follow this video/audio conference call etiquette:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBe on time.\u003c/li\u003e\u003cli\u003eIntroduce yourself at the beginning of the call (unless you're late).\u003c/li\u003e\u003cli\u003eMute your phone when you're not speaking.\u003c/li\u003e\u003cli\u003eIdentify yourself each time you speak.\u003c/li\u003e\u003cli\u003eSay “over” or “I'm done” when you are finished speaking, to avoid talking over others.\u003c/li\u003e\u003cli\u003eWhile you are speaking, keep background noise and movement to a minimum (e.g., don't shuffle papers) so others can hear you.\u003c/li\u003e\u003cli\u003eUse a handset or headset, rather than a speakerphone.\u003c/li\u003e\u003cli\u003eIf you need to leave a call early, let everyone know at the start of the call.\u003c/li\u003e\u003cli\u003eDo not put the call on hold (on-hold music will play).\u003c/li\u003e\u003cli\u003eClose out of collaborative sessions after use, and regularly power down your device each day.\u003c/li\u003e\u003cli\u003eBe mindful of phishing exploits associated with collaborative tools, especially those which have links for scheduled meetings.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor more information on all approved collaborative computing devices, go to \u003ca href=\"https://cmsintranet.share.cms.gov/CT/Pages/CMSCollaborationTools.aspx\"\u003eCMS Collaboration Tools\u003c/a\u003e\u0026nbsp;on the CMS Intranet.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePhysical Disconnect (SC-15(1))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to ensure the information system provides physical disconnect of collaborative computing devices in a manner that supports ease 
of use and prevents the compromise of organizational information.\u003c/p\u003e\u003cp\u003eAt the end of each meeting with a CMS collaborative tool that includes video conferencing, there's an option to securely “leave meeting” on the screen, or the meeting participants can wait for the host of the meeting to securely end the conference call.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePublic Key Infrastructure Certificates (SC-17)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure the organization issues public key certificates under an appropriate certificate policy or obtains public key certificates from an approved service provider.\u003c/p\u003e\u003cp\u003ePublic key infrastructure (PKI), as stated in \u003cem\u003eNIST Special Publication 800-32: Introduction to Public Key Technology and the Federal PKI Infrastructure\u003c/em\u003e, is the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on networks. 
PKI integrates digital certificates, public key cryptography, and certification authorities (CA) into a complete enterprise-wide network security architecture.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-17.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 10: CMS Defined Parameters Control SC-17\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-17\u003c/td\u003e\u003ctd\u003eThe organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.\u003c/td\u003e\u003ctd\u003eThe organization issues public key certificates under an appropriate certificate policy or obtains public key certificates from an approved service provider.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAll public key certificates used at CMS are issued in accordance with Federal PKI policy and validated to the Federal PKI trust anchor when used for user signing, encryption, authentication, and authorization.\u003c/p\u003e\u003cp\u003eThe Certification Authority (CA) is responsible for issuing a public key certificate for each identity, confirming that the identity has the appropriate credentials.\u003c/p\u003e\u003cp\u003eAt CMS, various Certificate Authority requests are available and processed through the Infrastructure and User Services Group - Division of Operations Management (IUSG-DOM).\u003c/p\u003e\u003cp\u003eThere are two ways to submit a CA request for a 
certificate:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRequestor submits a request through the Agency Solutions for Customer Support (ASCS) System.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eOnly users with a CMS USER ID who have access to, or VPN to, the CMS Network will be able to log in to ASCS. If you do not have a CMS USER ID, see option #2 below to submit an email request.\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eRequestor sends a certificate request email to the \u003cstrong\u003eCMS - DOMSSLCert \u003c/strong\u003emailbox at \u003ca href=\"mailto:DOMSSLCert@cms.hhs.gov\"\u003eDOMSSLCert@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor inquiries on the type of certificate to request, contact the CMS - DOMSSLCert mailbox at \u003ca href=\"mailto:DOMSSLCert@cms.hhs.gov\"\u003eDOMSSLCert@cms.hhs.gov\u003c/a\u003e for assistance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMobile Code (SC-18)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS establishes usage restrictions and implementation guidance which apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations within CMS information systems. The organization must document, monitor, and implement controls for the use of mobile code within the CMS information system. 
The CMS Technical Review Board (TRB) has the authority to permit or deny the use of mobile code.\u003c/p\u003e\u003cp\u003eCMS complies with the federal guidelines \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-28/version-2/final\"\u003eNIST Special Publication 800-28 v2 Guidelines on Active Content and Mobile Code\u003c/a\u003e, as amended.\u003c/p\u003e\u003cp\u003eEach form of mobile code has a different security model and Configuration Management process, increasing the complexity of securing mobile code hosts and the code itself. The Configuration Management process prevents the development, acquisition, or introduction of unacceptable mobile code within the information system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eVoice Over Internet Protocol (SC-19)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS prohibits the use of Voice over Internet Protocol (VoIP) devices, unless explicitly authorized, in writing, by the CIO or his authorized representative. At CMS, Integrated VoIP is an audio feature that sends the audio from your WebEx meeting over the Internet, instead of through the telephone. VoIP applications and devices must be configured to meet CMS FIPS 140-2 validated module requirements and must also be on the approved \u003ca href=\"https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Validation/FIPS-171-Validation-List\"\u003eFIPS 171 Validation List\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eIntegrated VoIP can be a convenient and cost-effective alternative to traditional teleconferencing or WebEx Audio. 
You may want to use this option when:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThere will be a large number of attendees (up to 500 in Meeting Center).\u003c/li\u003e\u003cli\u003eYour meeting does not require much attendee participation, for example, a presentation rather than a discussion.\u003c/li\u003e\u003cli\u003eYou don't have a toll-free number for attendees to call, or prefer not to incur the cost.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote\u003c/strong\u003e: There are some limitations with VoIP, such as the number of active microphones permitted and the number of participants who can speak simultaneously.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eAdditional information on conducting VoIP meetings can be found in the \u003ca href=\"https://cmsintranet.share.cms.gov/CT/Documents/Conduct_Meetings_with_VoIP_Only.pdf\"\u003eCisco WebEx University Guide-to-Go\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecure Name/Address Resolution Service (Authoritative Source) (SC-20)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis control enables external clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers and DNS Security (DNSSEC) digital signatures.\u003c/p\u003e\u003cp\u003eThe Domain Name System (DNS) is a distributed computing system that enables access to Internet resources by user-friendly domain names rather than IP addresses, by translating domain names to IP addresses and back.\u003c/p\u003e\u003cp\u003eAt CMS, the DNS infrastructure is made up of computing and communication entities called Name Servers. 
DNS Security (DNSSEC) provides cryptographic protections to DNS communication exchanges, thereby removing threats of DNS-based attacks and improving the overall integrity and authenticity of information processed over the Internet. DNSSEC provides these security measures by introducing authentication and validation of the sources of DNS responses and by ensuring that responses have not been altered.\u003c/p\u003e\u003cp\u003eA significant portion of \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf\"\u003eNIST SP 800-81rev2\u003c/a\u003e\u0026nbsp;\u003cem\u003eSecure Domain Name System (DNS) Deployment Guide \u003c/em\u003eaddresses DNSSEC implementation, and CMS relies on this guidance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecure Name/Address Resolution Service (Recursive or Caching Resolver) (SC-21)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEach client of name resolution services either performs data origin authentication and integrity verification of the resolution responses it receives on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers.\u003c/p\u003e\u003cp\u003eA recursive query is one in which a DNS server performs the full resolution on behalf of a DNS resolver. DNS name servers deployed within CMS's Processing Environments are configured to disable recursive queries from the Internet. 
CMS also uses caching servers at the edge of the Internet to store responses to requests originating from the intranet and received from the Internet.\u003c/p\u003e\u003cp\u003eCMS adheres to the guidance in \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf\"\u003eNIST SP 800-81rev2\u003c/a\u003e\u0026nbsp;\u003cem\u003eSecure Domain Name System (DNS) Deployment Guide\u003c/em\u003e, as amended.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eArchitecture and Provisioning for Name/Address Resolution Service (SC-22)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure the information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.\u003c/p\u003e\u003cp\u003eCMS's DNS Architecture employs different types of authoritative name servers. To improve fault tolerance, these servers are deployed in each CMS data center.\u003c/p\u003e\u003cp\u003eCMS data center contractors manage all DNS servers, configurations, and tools in accordance with CMS Change Management and Configuration Management processes. 
The CMS Production Environment contractors currently integrate DNS system and error logs into other existing network management facilities to enable a real-time view of the Enterprise DNS for CMS Operations staff.\u003c/p\u003e\u003cp\u003eCMS has developed DNS Business Rules to guide the development of the agency's DNS architecture, design, and implementations.\u003c/p\u003e\u003cp\u003eCMS adheres to the guidance in \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf\"\u003eNIST SP 800-81rev2\u003c/a\u003e\u0026nbsp;\u003cem\u003eSecure Domain Name System (DNS) Deployment Guide\u003c/em\u003e, as amended.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSession Authenticity (SC-23)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis control addresses communications protection at the session level, rather than the packet level, and establishes grounds for confidence at both ends of a communications session in the ongoing identities of the other parties and in the validity of the information transmitted.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAt CMS, session authenticity is protected through the use of user and device identification and authentication. 
VPN connections to the information system are re-authenticated periodically during connection.\u003c/p\u003e\u003cp\u003eAdditional information on connecting to the VPN can be found in \u003ca href=\"https://cmsintranet.share.cms.gov/CT/Documents/20120807_getting_started_with_remote_access_v2.pdf\"\u003eGetting Started with Remote Access to the CMS Network\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFail in Known State (SC-24)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFailure in a known state helps to avert the loss of confidentiality, integrity, or availability (CIA) of information as a result of failures of organizational information systems or system components.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-24.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 11: CMS Defined Parameters Control SC-24\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-24\u003c/td\u003e\u003ctd\u003eThe information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.\u003c/td\u003e\u003ctd\u003eThe information system fails to a known secure state for all failures preserving the maximum amount of state information in failure.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAt CMS, each operating system fails to a known secure state for all types of failures. 
Differential system backups are performed on a daily basis, with full backups performed at the weekend. Tape backups allow for restoration of the system back to the previous evening. Backup tapes are stored in an off-site facility. The minimum retention period for tape backups is 90 days.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eProtection of Information at Rest (SC-28)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure the security of inactive data stored on any device or network.\u003c/p\u003e\u003cp\u003eData at rest is data that is not actively moving from device to device or network to network, such as data stored on a hard drive, laptop, or flash drive, or archived/stored in some other way. Data protection at rest aims to secure inactive data stored on any device or network.\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PII (to include PHI):\u003c/p\u003e\u003cp\u003eBecause of the sensitivity of PII and protected health information (PHI), the confidentiality and integrity of such information must be assured for data at rest.\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PHI:\u003c/p\u003e\u003cp\u003eUnder the HIPAA Security Rule, this is an addressable implementation specification. HIPAA covered entities must conduct an analysis as described at 45 C.F.R. § 164.306 (Security standards: General rules) part (d) (Implementation specifications) to determine how the specification must be applied within the organization. However, using cryptographic protection allows the organization to utilize the “Safe Harbor” provision under the Breach Notification Rule. 
If PHI is encrypted pursuant to the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 FR 42740), then no breach notification is required following an impermissible use or disclosure of the information. Therefore, organizations should use cryptographic protections for PHI stored on electronic media.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-28.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 12: CMS Defined Parameters Control SC-28\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-28\u003c/td\u003e\u003ctd\u003eThe information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].\u003c/td\u003e\u003ctd\u003eThe information system protects the confidentiality and integrity of information at rest, as defined in the HHS Standard for Encryption of Computing Devices and Information.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS complies with the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/HHS-Standard-for-Encryption-of-Computing-Devices-and-Information\"\u003eHHS Policy (HHS Standard for Encryption of Computing Devices and Information)\u003c/a\u003e, as amended, which mandates the use of data encryption software on workstations that automatically encrypts data on removable storage devices once they are inserted into the workstation.\u003c/p\u003e\u003cp\u003eRemovable data storage devices allow users to move data from their CMS-issued laptop to other computing devices.\u003c/p\u003e\u003cp\u003eCMS currently supports the following data storage devices:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS-issued or CMS-approved USB flash drives\u003c/li\u003e\u003cli\u003eCDs/DVDs\u003c/li\u003e\u003cli\u003eCMS-approved external hard drives\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor information on writing an encrypted file to CD/DVD, go to \u003ca href=\"https://cmsintranet.share.cms.gov/CT/Pages/StorageDeviceandEncryption.aspx\"\u003eStorage Device and Encryption\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eSensitive data stored either on GFE or non-GFE (contractor-owned) equipment shall be safeguarded in accordance with \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-111.pdf\"\u003eNIST SP 800-111\u003c/a\u003e\u0026nbsp;\u003cem\u003eGuide to Storage Encryption Technologies for End User Devices\u003c/em\u003e and the HHS Information Security and Privacy Policy (IS2P), as amended, including but not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFolders/files containing sensitive Personally Identifiable Information (PII) or other sensitive data stored on a shared drive shall be encrypted and the folders configured to restrict access on a need-to-know basis;\u003c/li\u003e\u003cli\u003eData backups shall be encrypted and securely transported/filed/archived;\u003c/li\u003e\u003cli\u003eFor high-impact systems, cryptographic mechanisms shall be 
employed to protect the integrity of audit information (e.g., logs and audit tools).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor highly sensitive information such as Sensitive PII (SPII), whole-disk encryption alone is insufficient protection. Encryption at the file or folder level is required. Encryption within a database at the field/record/table level will also meet this enhanced standard.\u003c/p\u003e\u003cp\u003eThe \u003cem\u003eCMS Encryption of Sensitive Information Memorandum - Appendix A\u003c/em\u003e located in the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Information-Security-Library\"\u003eISP library\u003c/a\u003e contains additional information on the CMS Encryption Policy and security controls.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eProcess Isolation (SC-39)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure the information system maintains a separate execution domain for each executing process.\u003c/p\u003e\u003cp\u003eAt CMS, each executing process has a distinct address space, so that communication between processes is performed in a manner controlled through the security functions, and one process cannot change the executing code of another process. 
Relevant information is contained in the information system design documentation and the information system configuration settings in the SSPP of each system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eElectronic Mail (SC-CMS-1)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIncorporated into SC-8.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWebsite Usage (SC-CMS-2)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS website and web services employ secure connections, such as Hypertext Transfer Protocol Secure (HTTPS). HTTPS is a combination of HTTP (Hypertext Transfer Protocol) and the network protocol Transport Layer Security (TLS), which establishes an encrypted connection to an authenticated peer over an untrusted network. CMS implements and configures TLS in accordance with \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final\"\u003eNIST SP 800-52\u003c/a\u003e, as amended.\u003c/p\u003e\u003cp\u003eCMS complies with procedures outlined in the \u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-internet-and-email-security\"\u003eHHS Policy for Internet and Email Security\u003c/a\u003e, as amended, which include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecuring all public-facing websites and internet services and only providing services through a secure connection using Hypertext Transfer Protocol Secure (HTTPS) only, with HTTP Strict Transport Security (HSTS)\u003c/li\u003e\u003cli\u003eMonitoring all active websites periodically and randomly to ensure users adhere to HHS policies\u003c/li\u003e\u003cli\u003eUsing only third-party websites, applications, and services that are authorized and compliant with HHS security and privacy policies.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS also complies with and operates within the conditions detailed in \u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-22.pdf\"\u003eOMB directives 
M-10-22\u003c/a\u003e\u0026nbsp;\"\u003cem\u003eGuidance for Online Use of Web Measurement and Customization Technologies,\u003c/em\u003e\" \u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf\"\u003eM-10-23\u003c/a\u003e\u0026nbsp;\"\u003cem\u003eGuidance for Agency Use of Third-Party Websites and Applications\u003c/em\u003e\" and \u003ca href=\"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2015/m-15-13.pdf\"\u003eM-15-13\u003c/a\u003e\u0026nbsp;\"\u003cem\u003ePolicy to Require Secure Connections across Federal Websites and Web Services\u003c/em\u003e.\"\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:Tefb6,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eIntroduction\u003c/h2\u003e\u003cp\u003eThe Risk Management Handbook Chapter 16: System and Communications Protection (SC) focuses on how the organization must: monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and employ architectural designs, software development techniques, and systems engineering principles that promote effective information security and privacy assurance within organizational information systems. Some of the controls discussed within this chapter include Application Partitioning, Security Function Isolation, Information Shared Resources, Denial of Service Protection, Boundary Protection, Transmission Confidentiality and Integrity, Cryptographic Protection, and Public Key Infrastructure Certificates. 
There are also procedures surrounding Mobile Code, Voice Over Internet Protocol (VOIP), Session Authenticity, Email and Website Usage.\u003c/p\u003e\u003ch2\u003eSystem and Communications Protection (SC) Controls\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eApplication Partitioning (SC-2)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure separation of the user functionality from the information system management functionality by the information system, either physically or logically. Enforcing the separation of information flows by type can enhance protection by ensuring that information is protected while in transit. Types of separable information include, for example, inbound and outbound communications traffic and service requests.\u003c/p\u003e\u003cp\u003eThe CMS Technical Reference Architecture (TRA) provides the authoritative technical architecture approach and technical reference standards of CMS. Compliance with the TRA helps ensure that CMS information technology (IT) systems and infrastructure will support secure and high-quality delivery of healthcare services to beneficiaries, providers, and business partners, and align CMS systems with the Federal Enterprise Architecture Framework (FEAF).\u003c/p\u003e\u003cp\u003eThe CMS Target Life Cycle (TLC) replaces the CMS legacy Expedited Life Cycle (XLC) with a more business-focused and flexible System Development Life Cycle (SDLC) process. The TLC replaces XLC point-in-time gate reviews with required artifacts, with “as needed” consultations via the Business Owner with the Office of Information Technology (OIT) Navigator, the EA team, Subject Matter Experts (SMEs), and/or Governance Review Teams (GRT). This flexible approach provides for more continuous evaluation and situational governance reviews as needed to better meet CMS program needs. The four phases of the TLC include: Intake, Develop, Operate and Retire. 
During the Develop Phase, detailed user stories or requirements are created, the solution is designed, built, deployed to a non-production environment, and tested for compliance with the requirements and CMS standards so that it is production ready. Requirements, user stories, design, development and testing must all be done in compliance with the CMS TRA and security, privacy and accessibility standards.\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PII (to include PHI):\u003c/p\u003e\u003cp\u003eIt is necessary to store sensitive information, such as PII, on separate logical partitions from applications and software that provide user functionality to restrict accidental or unintentional loss of, or access to, sensitive information by both unauthorized users and unauthorized applications.\u003c/p\u003e\u003cp\u003eCMS applications must be configured to prevent the operation of all system administrative functions except those that originate from the Management and Security Bands. When necessary, application administrative functions can be accessed via the Application Zone by defining application administrative roles and documenting the associated risks and compensating controls in the System Security and Privacy Plan (SSPP) and Information Security Risk Analysis (ISRA). CMS uses, for example, different computers, different central processing units, different network addresses or combinations of these to implement separation of system management-related functionality from user functionality.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecurity Function Isolation (SC-3)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSecurity functions and non-security functions are separated by the information systems through an isolation boundary. Security functions, for example, include establishing system accounts and configuring access authorizations. 
At CMS, an isolation boundary provides access control and protects the reliability of the hardware, software, and firmware that perform security functions. Operating systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of different ways.\u003c/p\u003e\u003cp\u003eAt CMS, developers and implementers increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries.\u003c/p\u003e\u003cp\u003eEach System Developer and Maintainer (SDM) is also responsible for maintaining appropriate security for all secure boundaries and for implementing the appropriate tools and technologies to meet CMS and federal requirements.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eInformation in Shared Resources (SC-4)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePreventing unauthorized information transfers mitigates the risk of information being available to any current users/roles (or current processes) that are granted access to shared system resources after those resources have been released back to information systems.\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PII (to include PHI):\u003c/p\u003e\u003cp\u003eFollowing use of a shared system resource, ensure that the shared system resource(s) are purged of personally identifiable information (PII) to prevent unintended users or processes from accessing PII.\u003c/p\u003e\u003cp\u003eCMS, in accordance with \u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\"\u003eOMB Circular No. 
A-130\u003c/a\u003e, implements information security programs and privacy programs with the flexibility to meet current and future information management needs and the sufficiency to comply with Federal requirements and manage risks.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eDenial of Service Protection (SC-5)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure the information system protects against or limits the effects of the types of denial of service attacks defined in federal guidelines.\u003c/p\u003e\u003cp\u003eDenial of Service (DoS) attacks are generally defined as any attack that can destabilize the network or a system's ability to perform expected functions. In the case of a Distributed Denial of Service (DDoS) attack, the attacker uses multiple compromised or controlled sources to generate an attack. Protection against DoS attacks involves the use of a combination of attack detection, traffic classification and response tools, aiming to block traffic that they identify as illegitimate and allow traffic that they identify as legitimate.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-5.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 1: CMS Defined Parameters Control SC-5\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-5\u003c/td\u003e\u003ctd\u003eThe information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security 
safeguards].\u003c/td\u003e\u003ctd\u003eThe information system protects against or limits the effects of the types of denial of service attacks defined in NIST SP 800-61, Computer Security Incident Handling Guide, and the following websites by employing defined security safeguards (defined in the applicable system security and privacy plan): \u003ca href=\"https://www.sans.org/security-resources/\"\u003eSANS Organization's Roadmap to Defeating Distributed Denial of Service (DDoS)\u003c/a\u003e\u0026nbsp;and the \u003ca href=\"https://nvd.nist.gov/\"\u003eNIST National Vulnerability Database\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS adheres to the security safeguards listed by the SANS Institute to reduce the chances of DoS attacks, which include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEgress filtering to stop spoofed IP packets from leaving the network.\u003cul\u003e\u003cli\u003eDeny invalid source IP addresses\u003c/li\u003e\u003cli\u003eDeny private \u0026amp; reserved source IP addresses (not necessary if invalid source IP addresses are denied)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eStopping the network from being used as a broadcast amplification site.\u003cul\u003e\u003cli\u003eDisable IP directed broadcast on all systems\u003c/li\u003e\u003cli\u003eTest your network to determine if it is an amplification site\u003c/li\u003e\u003cli\u003eRequire that vendors disable IP directed broadcast by default\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS also adheres to the \u003ca href=\"https://www.sans.org/dosstep/roadmap\"\u003eConsensus Roadmap for Defeating Distributed Denial of Service Attacks\u003c/a\u003e\u0026nbsp;outlined by the SANS Institute, as amended.\u003c/p\u003e\u003cp\u003eCMS complies with \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf\"\u003eNIST Special Publication 800-61 rev2\u003c/a\u003e\u0026nbsp;on 
\u003cem\u003eComputer Security Incident Handling Guide\u003c/em\u003e, which provides guidelines for incident handling of DoS/DDoS attacks, particularly for analyzing incident-related data and determining the appropriate response to each incident.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBoundary Protection (SC-7)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis control ensures the monitoring and control of communications at the “external boundary” of the overall information systems landscape for purposes of preventing and detecting malicious, unauthorized communication via the use of numerous tools. More specifically, boundary protection differentiates external, untrusted networks from those deemed trusted and secure. Boundary protection is yet another information security principle that aids in ensuring the confidentiality, integrity, and availability (CIA) of an organization's critical system resources.\u003c/p\u003e\u003cp\u003eAt CMS, communications and processing connections are controlled via an integrated system of firewalls, routers, and Intrusion Detection Systems (IDS) equipment. Traffic flow is controlled through managed routers and switches. The configuration of the firewall systems follows vendor recommendations. CMS utilizes firewalls, perimeter routers and IDS, configured to provide defense in depth.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAccess Points (SC-7(3))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to protect the information system by restricting access from external network connections. 
The number of access points to the information system must be restricted to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.\u003c/p\u003e\u003cp\u003eCMS access points consist of boundary protection devices arranged in accordance with its effective security architecture. Connections are consistent with the organization's enterprise technology and security architecture.\u003c/p\u003e\u003cp\u003eCMS complies with the Office of Management and Budget (OMB) Memorandum, \u003cem\u003eImplementation of Trusted Internet Connections, \u003c/em\u003e\u003ca href=\"https://georgewbush-whitehouse.archives.gov/omb/memoranda/fy2008/m08-05.pdf\"\u003eM-08-05\u003c/a\u003e, November 20, 2007, which states that all federal agencies must optimize and standardize the security of individual external connections. In addition, security controls must be implemented within all federal network operating environments.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eExternal Telecommunications Services (SC-7(4))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to ensure the organization implements a managed interface for each external telecommunication service, establishes a traffic flow policy for each managed interface, and protects the confidentiality and integrity of the information being transmitted across each interface.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-7(4).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 2: CMS Defined Parameters Control SC-7(4)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS 
Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-7(4)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003cp\u003ee. Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions no longer supported by an explicit mission/business need.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003cp\u003ee. Reviews exceptions to the traffic flow policy within every three hundred sixty-five (365) days or upon implementation of a major new system, and removes exceptions that are no longer supported by an explicit mission/business need.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eFirewalls provide protection to the mainframe and the rest of the infrastructure at CMS.\u003c/p\u003e\u003cp\u003eCMS has deployed firewalls at all internet access points and between shared support infrastructure and customer networks. Firewall and/or routing requests are necessary to facilitate new firewall rules and/or connectivity for user-to-system or system-to-system connections across the CMS Wide Area Network (WAN).\u003c/p\u003e\u003cp\u003eFor information on the CMS Firewall and Routing Request Form, contact the CMS IT Service Desk by calling (410) 786-2580 or (800) 562-1963, or by sending an email to \u003ca href=\"mailto:cms_it_service_desk@cms.hhs.gov\"\u003ecms_it_service_desk@cms.hhs.gov\u003c/a\u003e to open a ticket.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eDeny by Default/Allow by Exception (SC-7(5))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to ensure only connections which are integral and vetted are allowed through inbound and outbound network communications traffic. 
The organization's information system enforces a firewall configuration policy that requires users to be registered at the site and to have their registration authenticated and authorized before gaining access.\u003c/p\u003e\u003cp\u003eAs CMS brings many applications onto the Internet, it is imperative to ensure the security of those applications and the integrity of the information transferred to and from them. For machine-to-machine connections, not only must the system be physically secure, but incoming and outgoing data must be protected to prevent compromise of CMS information integrity. To establish such a connection, each machine must ensure that it is connecting to a trusted machine on the other end. Failing to identify and prohibit unauthorized traffic leaves the enclave vulnerable to attack. The initial defense for the internal network is for protection measures to block, at the perimeter, any traffic that attempts to make a connection (or otherwise establish a traffic flow) to a host in the internal network. Outbound traffic is allowed by default and inbound traffic is blocked by default, which is accomplished by CMS's firewalls and load balancers. 
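The egress anti-spoofing and anti-amplification safeguards listed under SC-5 above and the deny-by-default, allow-by-exception rule described here can be checked together by a small policy evaluator; the following is an added example, not CMS code or a CMS firewall configuration, and every prefix, port and packet in it is constructed (the "organisation" prefixes are RFC 5737 documentation ranges standing in for real allocations).

```python
'''
Perimeter filter policy evaluator (added example; not CMS code).
It models three safeguards from this chapter:
  * egress anti-spoofing (SC-5): an outbound packet must carry a source
    address from the organisation's own prefixes, never a private or
    reserved one;
  * no broadcast amplification (SC-5): traffic addressed to the directed-
    broadcast address of an internal segment is dropped;
  * deny by default, allow by exception (SC-7(5)): inbound traffic is
    dropped unless an explicit, justified exception matches.
All prefixes, ports and packets are constructed sample values.
'''
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed placeholder for the organisation's allocated public prefixes
# (RFC 5737 documentation ranges, not real allocations).
ORG_PREFIXES = [ip_network('198.51.100.0/24'), ip_network('203.0.113.0/24')]

# Internal segments whose directed-broadcast addresses must never be reachable.
INTERNAL_SEGMENTS = [ip_network('198.51.100.0/26'), ip_network('198.51.100.64/26')]

# Source addresses that are never valid at the perimeter: 'this' network,
# private, CGNAT, loopback, link-local, multicast and reserved space.
INVALID_SOURCE_NETS = [ip_network(n) for n in (
    '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16',
    '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/4', '240.0.0.0/4',
)]


@dataclass(frozen=True)
class Packet:
    direction: str   # 'in' or 'out', relative to the protected network
    src: str
    dst: str
    proto: str       # 'tcp' or 'udp'
    dport: int


@dataclass(frozen=True)
class AllowRule:
    '''An explicit exception to the inbound default deny, with its business need.'''
    dst_net: str
    proto: str
    dport: int
    justification: str


# Constructed exceptions. Each records the mission/business need so the
# periodic SC-7(4) review can retire rules that no longer have one.
INBOUND_EXCEPTIONS = [
    AllowRule('198.51.100.10/32', 'tcp', 443, 'public web tier, HTTPS only'),
    AllowRule('198.51.100.53/32', 'udp', 53, 'authoritative DNS'),
]


def is_org_address(addr: IPv4Address) -> bool:
    return any(addr in net for net in ORG_PREFIXES)


def is_invalid_source(addr: IPv4Address) -> bool:
    return any(addr in net for net in INVALID_SOURCE_NETS)


def is_directed_broadcast(addr: IPv4Address) -> bool:
    return any(addr == net.broadcast_address for net in INTERNAL_SEGMENTS)


def evaluate(pkt: Packet) -> tuple[str, str]:
    '''Return (verdict, reason) for one packet crossing the perimeter.'''
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if is_directed_broadcast(dst):
        return 'DROP', 'directed broadcast to an internal segment'
    if pkt.direction == 'out':
        # The two SANS egress checks. Denying private/reserved sources is
        # redundant once 'must be an org address' is enforced, but keeping it
        # separate lets the logged reason name the actual fault.
        if is_invalid_source(src):
            return 'DROP', 'egress: private or reserved source address'
        if not is_org_address(src):
            return 'DROP', 'egress: spoofed source not in organisation prefixes'
        return 'ALLOW', 'outbound permitted by default'
    if pkt.direction == 'in':
        # Ingress anti-spoofing: nothing arriving from outside may claim an
        # internal or otherwise invalid source address.
        if is_invalid_source(src) or is_org_address(src):
            return 'DROP', 'ingress: internal or invalid source address'
        for rule in INBOUND_EXCEPTIONS:
            if (dst in ip_network(rule.dst_net) and pkt.proto == rule.proto
                    and pkt.dport == rule.dport):
                return 'ALLOW', 'inbound exception: ' + rule.justification
        return 'DROP', 'inbound denied by default'
    raise ValueError('direction must be in or out: ' + repr(pkt.direction))


if __name__ == '__main__':
    samples = [  # constructed traffic
        Packet('out', '198.51.100.5', '192.0.2.7', 'tcp', 443),
        Packet('out', '10.1.2.3', '192.0.2.7', 'udp', 53),
        Packet('in', '192.0.2.7', '198.51.100.10', 'tcp', 443),
        Packet('in', '192.0.2.7', '198.51.100.10', 'tcp', 22),
        Packet('in', '192.0.2.7', '198.51.100.63', 'udp', 7),
    ]
    for p in samples:
        print(p.direction, p.src, '->', p.dst, p.proto, p.dport, *evaluate(p))
```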
The firewalls deny all and permit by exception using CMS-specific infrastructural rules.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePrevent Split Tunneling for Remote Devices (SC-7(7))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure the information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.\u003c/p\u003e\u003cp\u003eCMS enforces the use of VPNs, sufficiently provisioned with applicable security controls, to provide a means for allowing non-remote communications paths from remote devices.\u003c/p\u003e\u003cp\u003eIn order to securely connect to the CMS Network remotely, a user must have:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA CMS-issued laptop (for example). This will contain the VPN software you need to access the VPN.\u003c/li\u003e\u003cli\u003eAn Authentication Device. This can be either your PIV Card (Personal Identity Verification), PIV PIN (Personal Identity Number), or RSA Token “fob”. If you have been issued a PIV card, this should be the method of connecting to the VPN. 
The RSA Token should only be used if your PIV card has not been issued yet.\u003c/li\u003e\u003cli\u003eHigh-speed Internet access from a remote location (dial-up is not supported).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAdditional information on connecting to the CMS Network using VPN can be found in \u003ca href=\"https://cmsintranet.share.cms.gov/CT/Documents/20120807_getting_started_with_remote_access_v2.pdf\"\u003eGetting Started with Remote Access to the CMS Network\u003c/a\u003e.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eRoute Traffic to Authenticated Proxy Servers (SC-7(8))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to ensure the information system routes all user-initiated internal communications traffic to untrusted external networks through authenticated proxy servers at managed interfaces. A proxy server is a server application or appliance that acts as an intermediary for requests from clients seeking resources from servers that provide those resources. 
A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-7(8).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 3: CMS Defined Parameters Control SC-7(8)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-7(8)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe information system routes all user-initiated internal communications traffic to untrusted external networks through authenticated proxy servers at managed interfaces.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAt CMS, the proxy server acts as a single point of contact serving client requests. The proxy server authenticates each request based on Client Exchange/Device ID and other parameters and forwards the request to the desired destination server. URL filter servers, a form of proxy server, can block access to unsafe websites. They also produce logs that track access to known malware hosting sites and URL block list access. These logs can assist a security analyst in identifying compromised hosts on the local network. 
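How proxy/URL-filter logs help an analyst find compromised hosts, as an added example rather than CMS code or a CMS log format: the script below parses constructed proxy log lines, maps each requested host to a constructed block-list category, and reports which internal clients contacted known malware-hosting domains (the domains, client addresses and line layout are all made up).

```python
'''
Proxy / URL-filter log triage (added example; not CMS code and not a CMS
log format). It reads constructed proxy log lines, maps each request's host
to a constructed block-list category, and flags internal clients whose
traffic hit known malware-hosting domains so an analyst can prioritise
which hosts to examine. Domains, clients and the log layout are made up.
'''
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed block list: domain -> category. In practice this is fed by the
# URL-filter vendor's lists; subdomains inherit the parent's category.
BLOCKLIST = {
    'malware-drop.example': 'malware-hosting',
    'c2-beacon.example': 'malware-hosting',
    'gambling-site.example': 'policy',
}

# Constructed line layout: epoch client action status method url
SAMPLE_LOG = [
    '1700000000.101 10.20.30.5 TCP_MISS 200 GET https://intranet.example/home',
    '1700000001.250 10.20.30.5 TCP_DENIED 403 GET http://malware-drop.example/update.bin',
    '1700000002.300 10.20.30.5 TCP_DENIED 403 POST http://c2-beacon.example/gate.php',
    '1700000003.010 10.20.30.5 TCP_DENIED 403 POST http://cdn.c2-beacon.example/gate.php',
    '1700000004.500 10.20.30.7 TCP_DENIED 403 GET http://gambling-site.example/',
    '1700000005.000 10.20.30.9 TCP_MISS 200 GET https://updates.vendor.example/patch',
    'malformed line that the parser must skip, not crash on',
]


def parse_line(line: str) -> Optional[dict]:
    '''Split one log line into fields; return None for anything malformed.'''
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, action, status, method, url = parts
    if not status.isdigit() or not method.isalpha():
        return None
    try:
        float(ts)
    except ValueError:
        return None
    host = urlsplit(url).hostname
    if host is None:
        return None
    return {'ts': float(ts), 'client': client, 'action': action,
            'status': int(status), 'method': method, 'host': host.lower()}


def blocklist_category(host: str) -> Optional[str]:
    '''Match the host or any parent domain against the block list.'''
    labels = host.split('.')
    for i in range(len(labels)):
        cat = BLOCKLIST.get('.'.join(labels[i:]))
        if cat:
            return cat
    return None


def triage(lines: List[str]) -> Dict[str, dict]:
    '''Aggregate block-list hits per client and assign a follow-up verdict.'''
    per_client: Dict[str, dict] = defaultdict(
        lambda: {'malware_hits': 0, 'policy_hits': 0, 'domains': set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cat = blocklist_category(rec['host'])
        if cat is None:
            continue
        entry = per_client[rec['client']]
        entry['domains'].add(rec['host'])
        if cat == 'malware-hosting':
            entry['malware_hits'] += 1
        else:
            entry['policy_hits'] += 1
    report = {}
    for client, entry in per_client.items():
        # Any contact with a malware-hosting domain, even one the proxy denied,
        # means something on that host tried to reach it: investigate the host.
        verdict = 'investigate' if entry['malware_hits'] else 'policy review'
        report[client] = {**entry, 'domains': sorted(entry['domains']),
                          'verdict': verdict}
    return report


if __name__ == '__main__':
    for client, info in sorted(triage(SAMPLE_LOG).items()):
        print(client, info['verdict'], info['malware_hits'], info['domains'])
```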
The System Developer and Maintainer (SDM) must collect and forward proxy/URL logs according to the organizational requirements.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eFail Secure (SC-7(18))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to ensure that in the event of operational failures of boundary protection devices at managed interfaces, the information system fails securely.\u003c/p\u003e\u003cp\u003eCMS utilizes Network Firewalls to prevent loss of boundary protection and to meet the requirement for this control enhancement. Network firewalls guard the internal computer network against malicious access from the outside, such as malware-infested websites or vulnerable, open network ports.\u003c/p\u003e\u003cp\u003eFirewalls are implemented in redundant pairs to prevent loss of boundary protection.\u003c/p\u003e\u003cp\u003eEach Network Firewall in the CMS Processing Environments must be provisioned with separate interfaces dedicated to each network segment and band with which it connects. CMS Network Firewalls provide various functions and restrict the ability to perform certain functions to an authorized administrator.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIsolation of Information System Components (SC-7(21))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSeparating system components with boundary protection devices makes it possible to increase the protection of individual components and to control information flows between those components more effectively. 
Isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected components.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-7(21).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 4: CMS Defined Parameters Control SC-7(21)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-7(21)\u003c/td\u003e\u003ctd\u003eThe organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions].\u003c/td\u003e\u003ctd\u003eThe organization employs boundary protection mechanisms to separate defined information system components (defined in the applicable system security plan) supporting CMS missions and/or business functions.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS employs firewalls and a Network-based Intrusion Detection System (NIDS) to meet the requirements for this control enhancement. A NIDS is used to monitor and analyze network traffic to protect a system from network-based threats. A NIDS reads all inbound packets and searches for any suspicious patterns. 
When a threat is discovered, the system takes action according to its severity, such as notifying administrators or barring the source IP address from accessing the network.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTransmission Confidentiality and Integrity (SC-8)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure the information system protects the confidentiality and integrity of data in transit.\u003c/p\u003e\u003cp\u003eIn accordance with the HHS Standard for Encryption of Computing Devices and Information, CMS policy states that all sensitive information at rest (and in transit) must be encrypted using a \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf\"\u003eFederal Information Processing Standard (FIPS) 140-2\u003c/a\u003e\u0026nbsp;validated solution to safeguard the confidentiality and integrity of information. The CMS Data Encryption Standards mandate that it is the responsibility of all CMS personnel and business partners to protect CMS \u003cstrong\u003esensitive information\u003c/strong\u003e\u0026nbsp;while data is in transit (and at rest). When encryption is not technically feasible, CMS business owners must implement a specific set of compensating controls. 
\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/cms-enterprise-data-encryption-cede\"\u003eCMS enterprise data encryption\u003c/a\u003e standards can be reviewed by visiting the CMS CEDE page.\u0026nbsp;\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PII (to include PHI):\u003c/p\u003e\u003cp\u003eBecause of the sensitivity of personally identifiable information (PII) and protected health information (PHI), the confidentiality and integrity of such information in transit must be assured.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSending an encrypted email using Office 365\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCommunication between CMS.Net and email-as-a-service (also known as Office 365) is encrypted automatically. CMS utilizes Office 365 Message Encryption (OME) within Microsoft Outlook to send sensitive and protected data securely to recipients outside of CMS. All Government-Furnished Equipment (GFE) has this feature.\u003c/p\u003e\u003cp\u003eCMS adheres to the mandatory Email Services procedures outlined in \u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-internet-and-email-security\"\u003eHHS Policy for Internet and Email Security\u003c/a\u003e, as amended, which establishes minimum requirements for securing the internet and email services throughout CMS in order to enhance the integrity and confidentiality of internet-delivered data; minimize spam, unauthorized access, and misuse of information; and better protect users who might otherwise fall victim to attacks that appear to come from government-owned systems.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSending an encrypted email using your PIV\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCMS recommends the use of Personal Identity Verification (PIV) Card encryption to send documents across the network. 
Email and any attachment that contains sensitive information, when transmitted inside or outside of CMS premises, shall be encrypted using the user's PIV card when possible. If PIV encryption is not feasible, a FIPS 140-2 validated solution must be employed:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePassword protection of files is recommended to add an additional layer of data protection but shall not be used in lieu of encryption solutions.\u003c/li\u003e\u003cli\u003eThe password and/or encryption key shall not be included in the same email that contains the sensitive information, nor in a separate email.\u003c/li\u003e\u003cli\u003eThe password/encryption key shall be provided to the recipient separately via text message, verbally, or another out-of-band solution.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSending an encrypted email to a third party through SecureZIP\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll e-mails with CMS sensitive information must be encrypted through the use of CMS approved encryption software when outside of a controlled environment. The CMS approved software is SecureZIP (PK Zip). SecureZIP is an application for zipping files to save storage space as well as encrypting files with password control to protect information.\u003c/p\u003e\u003cp\u003eFor the procedure on how to encrypt using SecureZIP, go to \u003ca href=\"https://cmsintranet.share.cms.gov/CT/_layouts/15/WopiFrame2.aspx?sourcedoc=%257B1629458C-DE32-43EF-8EF7-3569A96ABDC3%257D\u0026amp;file=SecureZip-Instructions-2013.docx\u0026amp;action=default\u0026amp;DefaultItemOpen=1\"\u003eSecureZIP Instructions\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eCMS also has specific encryption requirements for large file transfers. 
Additional information on large file transfers can be requested through the \u003ca href=\"https://cmsintranet.share.cms.gov/OIT/Pages/IUSG.aspx\"\u003eInfrastructure and User Services Group\u003c/a\u003e.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCryptographic or Alternate Physical Protection (SC-8(1))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to ensure the information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information when data is in transit.\u003c/p\u003e\u003cp\u003eCryptography is a branch of applied mathematics concerned with transformations of data for security. In cryptography, a sender transforms unprotected information (plaintext) into coded text (ciphertext). A receiver uses cryptography to either:\u003c/p\u003e\u003cul\u003e\u003cli\u003etransform the ciphertext back into plaintext,\u003c/li\u003e\u003cli\u003everify the sender's identity,\u003c/li\u003e\u003cli\u003everify the data's integrity, or some combination of these.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PII (to include PHI):\u003c/p\u003e\u003cp\u003eBecause of the sensitivity of PII, the confidentiality and integrity of such information in transit must be assured with encryption techniques if assurance is not provided by other means.\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PHI:\u003c/p\u003e\u003cp\u003eUnder the HIPAA Security Rule, this is an addressable implementation specification. HIPAA covered entities must conduct an analysis as described at 45 C.F.R. § 164.306 (Security standards: General rules) part (d) (Implementation specifications) to determine how it must be applied within the organization. However, using cryptographic protection allows the organization to utilize the “Safe Harbor” provision under the Breach Notification Rule. 
If PHI is encrypted pursuant to the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (45 C.F.R. Part 164 Subpart D), then no breach notification is required following an impermissible use or disclosure of the information. Therefore, organizations should use cryptographic protections for PHI stored on electronic media.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-8(1).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 5: CMS Defined Parameters Control SC-8(1)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-8(1)\u003c/td\u003e\u003ctd\u003eThe information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].\u003c/td\u003e\u003ctd\u003eThe information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by approved alternative safeguards and defined in the applicable system security plan and Information System Risk Assessment.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAt CMS, when cryptographic mechanisms are needed, the information system uses encryption products that have been validated under the \u003ca href=\"https://csrc.nist.gov/projects/cryptographic-module-validation-program/standards\"\u003eCryptographic 
Module Validation Program\u003c/a\u003e to confirm compliance with FIPS 140-2 in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNetwork Disconnect (SC-10)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure that the network connection (internal or external) associated with a communications session is terminated at the end of the session. A session is an encounter between an end-user interface device (e.g., computer, terminal, process) and an application, including a network logon. A connection-based session is one that requires a connection to be established between hosts prior to an exchange of data.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-10.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 6: CMS Defined Parameters Control SC-10\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-10\u003c/td\u003e\u003ctd\u003eThe information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe information system:\u003c/p\u003e\u003col\u003e\u003cli\u003eTerminates the network connection associated with a communications session at the end of the session, or:\u003col\u003e\u003cli\u003eForcibly de-allocates communications session Dynamic Host Configuration Protocol (DHCP) leases after seven (7) days; and\u003c/li\u003e\u003cli\u003eForcibly disconnects inactive VPN connections after thirty (30) minutes or less of inactivity; and\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eTerminates or suspends network connections (i.e., a system-to-system interconnection) upon issuance of an order by the CMS CIO, CISO, or Senior Official for Privacy (SOP).\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS information systems identify and terminate all inactive remote sessions (both user and information system sessions) automatically.\u003c/p\u003e\u003cp\u003eCMS applies the following Standard(s) in addition to the parameters listed in the table above:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConfigure systems to disable local access (i.e., lock the session) automatically after fifteen (15) minutes of inactivity. Require a password to restore local access.\u003c/li\u003e\u003cli\u003eConfigure the information system to automatically terminate all remote sessions (user and information system) after the time stated in the system's SSPP.\u003c/li\u003e\u003cli\u003eConcurrent User ID network log-on sessions are limited to one (1); however, the number of concurrent application/process sessions is limited to what is expressly required for the performance of job duties, and must be documented in the SSPP if it is more than one (1) concurrent session.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCryptographic Key Establishment and Management (SC-12)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure the organization establishes and manages cryptographic keys for required cryptography in accordance with applicable federal laws, executive orders, directives, regulations, policies, standards, and organizational guidance, when cryptography is required.\u003c/p\u003e\u003cp\u003eIn cryptography, a \u003cem\u003ekey\u003c/em\u003e is a string of characters used within an encryption algorithm for altering data so that it appears random. Like a physical key, it locks (encrypts) data so that only someone with the right key can unlock (decrypt) it. 
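The SC-8(1) mechanism described earlier (cryptography that both prevents disclosure of data in transit and lets the receiver detect any change to it) together with the key relation this section describes, shown in one added example in Go. This is not code from the handbook or from CMS: it uses AES-GCM from Go's standard library purely to illustrate the mechanism, whereas a CMS system must take the same operations from a FIPS 140-2 validated product as SC-13 requires. The record contents and the "record-type" header label are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Message is what travels over the untrusted network: a fresh nonce and the
// ciphertext, which for AES-GCM already carries the authentication tag.
type Message struct {
	Nonce      []byte
	Ciphertext []byte
}

// newKey generates a random 256-bit AES key. In a deployment the key would be
// established and protected per the key-management requirements; here it is
// generated in-process so the example runs stand-alone.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealMessage is the sender side: plaintext + key -> ciphertext. The header
// (a constructed routing label) is authenticated but sent in the clear.
func sealMessage(key, header, plaintext []byte) (Message, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Message{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Message{}, err
	}
	// A random 96-bit nonce per message; a nonce must never be reused with
	// the same key, or GCM loses both confidentiality and integrity.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Message{}, err
	}
	return Message{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, header)}, nil
}

// openMessage is the receiver side. GCM checks the tag before releasing any
// plaintext, so a changed nonce, ciphertext, header or key is rejected.
func openMessage(key, header []byte, m Message) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, m.Nonce, m.Ciphertext, header)
	if err != nil {
		return nil, errors.New("integrity check failed: message rejected")
	}
	return pt, nil
}

// tamperedCopy flips one bit of the ciphertext, simulating modification in
// transit, without touching the original message.
func tamperedCopy(m Message) Message {
	ct := append([]byte(nil), m.Ciphertext...)
	ct[0] ^= 0x01
	return Message{Nonce: m.Nonce, Ciphertext: ct}
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	header := []byte("record-type:claim")
	msg, err := sealMessage(key, header, []byte("constructed sensitive record"))
	if err != nil {
		panic(err)
	}
	if pt, err := openMessage(key, header, msg); err == nil {
		fmt.Printf("receiver recovered: %q\n", pt)
	}
	if _, err := openMessage(key, header, tamperedCopy(msg)); err != nil {
		fmt.Println("tampered message:", err)
	}
}
```

The point the example makes for SC-8(1) is the second half: an authenticated mode gives "detect changes" for free, while plain encryption without an integrity tag would decrypt a modified message to garbage and hand it to the application.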
The original data is known as the plaintext, and the data after the key encrypts it is known as the ciphertext. The formula: plaintext + key = ciphertext. Cryptographic techniques use cryptographic keys that are managed and protected throughout their lifecycles by a Cryptographic Key Management System (CKMS).\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PII (to include PHI):\u003c/p\u003e\u003cp\u003eBecause cryptography is relied on to protect sensitive information such as personally identifiable information (PII) and protected health information (PHI), cryptographic key establishment and management must be performed in such a way that even the loss of keys will not permit access to the sensitive information.\u003c/p\u003e\u003cp\u003eSee section 3.6.1 Cryptographic or Alternate Physical Protection SC-8(1) for guidance for systems processing, storing, or transmitting PHI.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-12.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 7: CMS Defined Parameters Control SC-12\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-12\u003c/td\u003e\u003ctd\u003eThe organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].\u003c/td\u003e\u003ctd\u003eWhen cryptography is required and used within the information system, the organization establishes and manages cryptographic keys for required cryptography employed within the information 
system in accordance with the HHS Standard for Encryption of Computing Devices and Information and organizationally defined requirements (defined in, or referenced by, the applicable System Security Plan) for key generation, distribution, storage, access, and destruction.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAt CMS, when cryptographic mechanisms are needed, the information system uses encryption products that have been validated under the Cryptographic Module Validation Program to confirm compliance with FIPS 140-2 in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/p\u003e\u003cp\u003eCMS complies with the HHS Standard for Encryption of Computing Devices and Information, as amended, for cryptographic key establishment and management, when cryptography is required.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCryptographic Key Establishment and Management (Availability) (SC-12(1))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to ensure the organization maintains availability of information in the event of the loss of cryptographic keys by users.\u003c/p\u003e\u003cp\u003eAt CMS, mechanisms are employed to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProhibit the use of encryption keys that are not recoverable by authorized personnel\u003c/li\u003e\u003cli\u003eRequire senior management approval to authorize recovery of keys by someone other than the key owner\u003c/li\u003e\u003cli\u003eComply with approved cryptography standards mentioned in section 3.9 Cryptographic Protection (SC-13).\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCryptographic Protection (SC-13)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis control aims to ensure that the information system implements cryptographic mechanisms for information in transit and at rest, as \u003ca 
href=\"https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/policies-guides-encryption.pdf\"\u003eHHS Standard for Encryption of Computing Devices and Information\u003c/a\u003e\u0026nbsp;mandates, and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PII (to include PHI):\u003c/p\u003e\u003cp\u003eFIPS-validated cryptographic modules are the government standard for encryption. When sensitive information such as PII requires encryption, the organization must comply with these standards.\u003c/p\u003e\u003cp\u003eSee Cryptographic or Alternate Physical Protection SC-8(1) for guidance for systems processing, storing, or transmitting PHI.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-13.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 8: CMS Defined Parameters Control SC-13\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-13\u003c/td\u003e\u003ctd\u003eThe information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/td\u003e\u003ctd\u003eThe information system implements cryptographic mechanisms, in transit and at rest, as defined in the HHS Standard for Encryption of Computing Devices and Information, and in 
accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAt CMS, cryptographic protection applies to both portable storage devices (e.g., USB memory sticks, CDs, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers).\u003c/p\u003e\u003cp\u003eWhen cryptographic mechanisms are needed, the information system uses encryption products that have been validated under the Cryptographic Module Validation Program to confirm compliance with FIPS 140-2 in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCollaborative Computing Devices (SC-15)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAt CMS, the use of collaborative computing devices such as white boards, cameras, and microphones is strictly prohibited, unless authorized, in writing, by the CMS CIO or his authorized representative. If collaborative computing mechanisms are authorized, the authorization must explicitly identify allowed devices, allowed purpose, and the information system upon which the devices can be used. 
CMS network users are prohibited from loading non-approved collaborative software such as chat programs onto their GFE.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-15.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 9: CMS Defined Parameters Control SC-15\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-15\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe information system:\u003c/p\u003e\u003col\u003e\u003cli\u003eProhibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and\u003c/li\u003e\u003cli\u003eProvides an explicit indication of use to users physically present at the devices.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe information system:\u003c/p\u003e\u003col\u003e\u003cli\u003eProhibits remote activation of collaborative computing devices; and\u003c/li\u003e\u003cli\u003eProvides an explicit indication of use to users physically present at the devices.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS offers employees a variety of CMS CIO-approved ways to collaborate and engage, whether for meetings or projects. These tools allow users to collaborate on projects and share or annotate one another's screen. 
Some collaborative tools allow users to schedule immediate meetings or recurring sessions.\u003c/p\u003e\u003cp\u003eUsers of CMS collaborative tools must follow this video/audio conference call etiquette:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBe on time.\u003c/li\u003e\u003cli\u003eIntroduce yourself at the beginning of the call (unless you're late).\u003c/li\u003e\u003cli\u003eMute your phone when you're not speaking.\u003c/li\u003e\u003cli\u003eIdentify yourself each time you speak.\u003c/li\u003e\u003cli\u003eSay “over” or “I'm done” when you are finished speaking, to avoid talking over others.\u003c/li\u003e\u003cli\u003eWhile you are speaking, keep background noise and movement to a minimum (e.g., don't shuffle papers) so others can hear you.\u003c/li\u003e\u003cli\u003eUse a handset or headset, rather than a speakerphone.\u003c/li\u003e\u003cli\u003eIf you need to leave a call early, let everyone know at the start of the call.\u003c/li\u003e\u003cli\u003eDo not put the call on hold (on-hold music will play).\u003c/li\u003e\u003cli\u003eClose out of collaborative sessions after use, and regularly power down your device each day.\u003c/li\u003e\u003cli\u003eBe mindful of phishing exploits associated with collaborative tools, especially those which have links for scheduled meetings.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor more information on all approved collaborative computing devices, go to \u003ca href=\"https://cmsintranet.share.cms.gov/CT/Pages/CMSCollaborationTools.aspx\"\u003eCMS Collaboration Tools\u003c/a\u003e\u0026nbsp;on the CMS Intranet.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePhysical Disconnect (SC-15(1))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to ensure the information system provides physical disconnect of collaborative computing devices in a manner that supports ease 
of use and prevents the compromise of organizational information.\u003c/p\u003e\u003cp\u003eAt the end of each meeting with a CMS collaborative tool which includes video conferencing, there's an option to securely “leave meeting” on the screen, or the meeting participants can wait for the host of the meeting to securely end the conference call.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePublic Key Infrastructure Certificates (SC-17)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure the organization issues public key certificates under an appropriate certificate policy or obtains public key certificates from an approved service provider.\u003c/p\u003e\u003cp\u003ePublic key infrastructure (PKI), as stated in \u003cem\u003eNIST Special Publication 800-32: Introduction to Public Key Technology and the Federal PKI Infrastructure\u003c/em\u003e, is the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on networks. 
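The two PKI operations this section (SC-17) turns on, a certification authority issuing a certificate for an identity and a relying party validating that certificate back to a trust anchor, as an added example in Go using the standard library's x509 package. It is not code from the handbook or from CMS, and the Federal PKI trust anchor is stood in for by a demo root generated in-process; the names "Demo Trust Anchor", "Demo Issuing CA", "Unrelated Root" and user@example.gov are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for subject signed by parent/parentKey. With
// parent == nil the certificate is self-signed: a root CA usable as a trust
// anchor. Validity is deliberately short since these are throwaway certs.
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only CAs may sign certificates
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// validateToAnchor accepts leaf only if a chain through intermediates ends
// at one of the trusted roots; a certificate from any other CA is rejected.
func validateToAnchor(leaf *x509.Certificate, intermediates, roots []*x509.Certificate) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool})
	return err
}

// DemoPKI holds a trust anchor, an issuing CA under it, a user certificate
// from that CA, and a user certificate from an unrelated root nobody trusts.
type DemoPKI struct {
	Root, Issuing, TrustedUser, UntrustedUser *x509.Certificate
}

func buildDemoPKI() (*DemoPKI, error) {
	root, rootKey, err := issue("Demo Trust Anchor", true, nil, nil)
	if err != nil {
		return nil, err
	}
	issuing, issuingKey, err := issue("Demo Issuing CA", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	trusted, _, err := issue("user@example.gov", false, issuing, issuingKey)
	if err != nil {
		return nil, err
	}
	rogue, rogueKey, err := issue("Unrelated Root", true, nil, nil)
	if err != nil {
		return nil, err
	}
	untrusted, _, err := issue("user@example.gov", false, rogue, rogueKey)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{root, issuing, trusted, untrusted}, nil
}

func main() {
	p, err := buildDemoPKI()
	if err != nil {
		panic(err)
	}
	inter, roots := []*x509.Certificate{p.Issuing}, []*x509.Certificate{p.Root}
	fmt.Println("user cert from the trusted CA:", validateToAnchor(p.TrustedUser, inter, roots))
	fmt.Println("user cert from an unknown CA:", validateToAnchor(p.UntrustedUser, inter, roots))
}
```

The second user certificate carries the same subject name as the first; it is rejected purely because its chain does not reach a trusted root, which is the property "validated to the Federal PKI trust anchor" is about.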
PKI integrates digital certificates, public key cryptography, and certification authorities (CA) into a complete enterprise-wide network security architecture.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-17.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 10: CMS Defined Parameters Control SC-17\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-17\u003c/td\u003e\u003ctd\u003eThe organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.\u003c/td\u003e\u003ctd\u003eThe organization issues public key certificates under an appropriate certificate policy or obtains public key certificates from an approved service provider.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAll public key certificates used at CMS are issued in accordance with Federal PKI policy and validated to the Federal PKI trust anchor when used for user signing, encryption, authentication, and authorization.\u003c/p\u003e\u003cp\u003eThe Certification Authority (CA) is responsible for issuing a public key certificate for each identity, confirming that the identity has the appropriate credentials.\u003c/p\u003e\u003cp\u003eAt CMS, various Certificate Authority requests are available and processed through the Infrastructure and User Services Group - Division of Operations Management (IUSG-DOM).\u003c/p\u003e\u003cp\u003eThere are two ways to submit a CA request for a 
certificate:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe requestor submits a request through the Agency Solutions for Customer Support (ASCS) System. \u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eOnly users with a CMS USER ID who have access to the CMS Network (directly or through VPN) will be able to log in to ASCS. If you do not have a CMS USER ID, see option 2 below to submit an email request.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eThe requestor sends a certificate request email to the \u003cstrong\u003eCMS - DOMSSLCert\u003c/strong\u003e mailbox at \u003ca href=\"mailto:DOMSSLCert@cms.hhs.gov\"\u003eDOMSSLCert@cms.hhs.gov\u003c/a\u003e.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eFor inquiries on the type of certificate to request, contact the CMS - DOMSSLCert mailbox at \u003ca href=\"mailto:DOMSSLCert@cms.hhs.gov\"\u003eDOMSSLCert@cms.hhs.gov\u003c/a\u003e for assistance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMobile Code (SC-18)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS establishes usage restrictions and implementation guidance which apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations within CMS information systems. The organization must document, monitor, and implement controls for the use of mobile code within the CMS information system. 
The CMS Technical Review Board (TRB) has the authority to permit or deny the use of mobile code.\u003c/p\u003e\u003cp\u003eCMS complies with the federal guidelines \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-28/version-2/final\"\u003eNIST Special Publication 800-28 v2 Guidelines on\u003c/a\u003e \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-28/version-2/final\"\u003eActive Content and Mobile Code\u003c/a\u003e, as amended.\u003c/p\u003e\u003cp\u003eEach form of mobile code has a different security model and Configuration Management process, increasing the complexity of securing mobile code hosts and the code itself. The Configuration Management process prevents the development, acquisition, or introduction of unacceptable mobile code within the information system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eVoice Over Internet Protocol (SC-19)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS prohibits the use of Voice over Internet Protocol (VoIP) devices, unless explicitly authorized, in writing, by the CIO or his authorized representative. At CMS, Integrated VoIP is an audio feature that sends the audio from your WebEx meeting over the Internet, instead of through the telephone. VoIP applications and devices must be configured to meet CMS FIPS 140-2 validated module requirements and must also be on the approved \u003ca href=\"https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Validation/FIPS-171-Validation-List\"\u003eFIPS 171 Validation List\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eIntegrated VoIP can be a convenient and cost-effective alternative to traditional teleconferencing or WebEx Audio. 
You may want to use this option when:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThere will be a large number of attendees (up to 500 in Meeting Center).\u003c/li\u003e\u003cli\u003eYour meeting does not require much attendee participation, for example, a presentation rather than a discussion.\u003c/li\u003e\u003cli\u003eYou don't have a toll-free number for attendees to call, or prefer not to incur the cost.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote\u003c/strong\u003e: There are some limitations with VoIP, such as the number of active microphones permitted and the number of participants who can speak simultaneously.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eAdditional information on conducting VoIP meetings can be found in the \u003ca href=\"https://cmsintranet.share.cms.gov/CT/Documents/Conduct_Meetings_with_VoIP_Only.pdf\"\u003eCisco WebEx University Guide-to-Go\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecure Name/Address Resolution Service (Authoritative Source) (SC-20)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis control enables external clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers; the artifacts that provide these assurances include DNS Security (DNSSEC) digital signatures.\u003c/p\u003e\u003cp\u003eThe Domain Name System (DNS) is a distributed computing system that enables access to Internet resources by user-friendly domain names rather than IP addresses, by translating domain names to IP addresses and back.\u003c/p\u003e\u003cp\u003eAt CMS, the DNS infrastructure is made up of computing and communication entities called Name Servers. 
DNS Security (DNSSEC) adds cryptographic protections to DNS communication exchanges, mitigating the threat of DNS-based attacks and improving the overall integrity and authenticity of information processed over the Internet. It does this by authenticating the source of DNS responses and by allowing a resolver to verify that responses have not been altered in transit.\u003c/p\u003e\u003cp\u003eA significant portion of \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf\"\u003eNIST SP 800-81rev2\u003c/a\u003e\u0026nbsp;\u003cem\u003eSecure Domain Name System (DNS) Deployment Guide\u003c/em\u003e addresses DNSSEC implementation, and CMS relies on this guidance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecure Name/Address Resolution Service (Recursive or Caching Resolver) (SC-21)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEach client of name resolution services either performs this validation (data origin authentication and integrity verification of the responses it receives) on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers.\u003c/p\u003e\u003cp\u003eA recursive query is one in which a DNS server resolves a name on behalf of a client, querying other name servers as needed. DNS name servers deployed within CMS's Processing Environments are configured to disable recursive queries from the Internet. 
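\u003c/p\u003e\u003cp\u003eAs an added illustration of what the SC-20 and SC-21 expectations look like on the wire (example code written for this page, not CMS software), the Go program below parses the DNS message header and reports two things a defender checks: whether a server reachable from the Internet still serves recursion to external clients, and whether an answer may be treated as DNSSEC-validated. The sample messages are constructed, and the trusted-channel input is an assumption standing in for an authenticated path to the resolver.\u003c/p\u003e

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Header holds the flag bits of the 12-byte DNS message header (RFC 1035
// section 4.1.1) plus the AD bit DNSSEC added (RFC 4035 section 3.1.6).
type Header struct {
	ID    uint16
	QR    bool  // true for a response
	AA    bool  // authoritative answer
	RD    bool  // recursion desired, copied from the query
	RA    bool  // recursion available: the server offers recursion to this client
	AD    bool  // authentic data: the resolver asserts DNSSEC validation succeeded
	RCode uint8 // 0 = NOERROR, 5 = REFUSED
}

// ParseHeader decodes the fixed header and rejects messages shorter than 12 bytes.
func ParseHeader(msg []byte) (Header, error) {
	if len(msg) < 12 {
		return Header{}, errors.New("dns: message shorter than the 12-byte header")
	}
	flags := binary.BigEndian.Uint16(msg[2:4])
	return Header{
		ID:    binary.BigEndian.Uint16(msg[0:2]),
		QR:    flags&0x8000 != 0,
		AA:    flags&0x0400 != 0,
		RD:    flags&0x0100 != 0,
		RA:    flags&0x0080 != 0,
		AD:    flags&0x0020 != 0,
		RCode: uint8(flags & 0x000F),
	}, nil
}

// Finding is what a defender records about one observed response.
type Finding struct {
	OpenRecursion bool // the server recursed for a client outside the organization
	Validated     bool // the answer may be relied on as DNSSEC-validated
	Note          string
}

// Assess applies the SC-20/SC-21 expectations to a response seen from a given
// vantage point. A server reachable from the Internet must not recurse for Internet
// clients (expected: RA=0 and either REFUSED or an authoritative-only answer), and
// the AD bit only counts when the path to the validating resolver is itself
// authenticated, because AD is an unsigned flag that any on-path party could set.
func Assess(resp []byte, fromInternet, trustedChannel bool) (Finding, error) {
	h, err := ParseHeader(resp)
	if err != nil {
		return Finding{}, err
	}
	if !h.QR {
		return Finding{}, errors.New("dns: message is a query, not a response")
	}
	var f Finding
	if fromInternet && h.RD && h.RA && h.RCode == 0 && !h.AA {
		f.OpenRecursion = true
		f.Note = "recursion served to an Internet client; expected RA=0 or REFUSED"
	}
	f.Validated = h.AD && trustedChannel
	return f, nil
}

// NewHeader builds a 12-byte header with one question for constructed test messages.
func NewHeader(id, flags uint16) []byte {
	b := make([]byte, 12)
	binary.BigEndian.PutUint16(b[0:2], id)
	binary.BigEndian.PutUint16(b[2:4], flags)
	binary.BigEndian.PutUint16(b[4:6], 1) // QDCOUNT
	return b
}

func main() {
	cases := []struct {
		name string
		msg  []byte
		ext  bool // observed from the Internet side
	}{
		// Constructed: edge authoritative server answering an Internet client that
		// asked for recursion: QR=1 AA=1 RD=1 RA=0 NOERROR.
		{"edge-authoritative", NewHeader(0x1a2b, 0x8500), true},
		// Constructed: misconfigured edge server that recursed: QR=1 RD=1 RA=1 AA=0.
		{"edge-open-resolver", NewHeader(0x1a2c, 0x8180), true},
		// Constructed: internal validating resolver with AD set: QR=1 RD=1 RA=1 AD=1.
		{"internal-validating", NewHeader(0x1a2d, 0x81a0), false},
	}
	for _, c := range cases {
		f, err := Assess(c.msg, c.ext, !c.ext)
		fmt.Printf("%-20s open=%-5v validated=%-5v %v %s\n", c.name, f.OpenRecursion, f.Validated, err, f.Note)
	}
}
```
\u003cp\u003e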
CMS also uses caching servers at the edge of the Internet to store responses to requests originating from the intranet and received from the Internet.\u003c/p\u003e\u003cp\u003eCMS adheres to the guidance in \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf\"\u003eNIST SP 800-81rev2\u003c/a\u003e\u0026nbsp;\u003cem\u003eSecure Domain Name System (DNS) Deployment Guide\u003c/em\u003e, as amended.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eArchitecture and Provisioning for Name/Address Resolution Service (SC-22)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure the information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.\u003c/p\u003e\u003cp\u003eCMS's DNS architecture employs different types of authoritative name servers. To improve fault tolerance, these servers are deployed in each CMS data center.\u003c/p\u003e\u003cp\u003eCMS data center contractors manage all DNS servers, configurations, and tools in accordance with CMS Change Management and Configuration Management processes. 
The CMS Production Environment contractors currently feed DNS system and error logs into other existing network management facilities, giving CMS Operations staff a real-time view of the Enterprise DNS.\u003c/p\u003e\u003cp\u003eCMS has developed DNS Business Rules to guide the development of the agency's DNS architecture, design, and implementations.\u003c/p\u003e\u003cp\u003eCMS adheres to the guidance in \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf\"\u003eNIST SP 800-81rev2\u003c/a\u003e\u0026nbsp;\u003cem\u003eSecure Domain Name System (DNS) Deployment Guide\u003c/em\u003e, as amended.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSession Authenticity (SC-23)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis control addresses communications protection at the session level, versus the packet level, and establishes grounds for confidence at both ends of communications sessions in the ongoing identities of the other parties and in the validity of the information transmitted.\u003c/p\u003e\u003cp\u003eAt CMS, session authenticity is protected through the use of user and device identification and authentication. 
VPN connections to the information system are re-authenticated periodically during the connection.\u003c/p\u003e\u003cp\u003eAdditional information on connecting to the VPN can be found in \u003ca href=\"https://cmsintranet.share.cms.gov/CT/Documents/20120807_getting_started_with_remote_access_v2.pdf\"\u003eGetting Started with Remote Access to the CMS Network\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFail in Known State (SC-24)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFailure in a known state helps to avert the loss of confidentiality, integrity, or availability (CIA) of information as a result of failures of organizational information systems or system components.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-24.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 11: CMS Defined Parameters Control SC-24\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-24\u003c/td\u003e\u003ctd\u003eThe information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.\u003c/td\u003e\u003ctd\u003eThe information system fails to a known secure state for all failures preserving the maximum amount of state information in failure.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAt CMS, each operating system fails to a known secure state for all types of failures. 
Differential system backups are performed daily, with full backups performed at the weekend. Tape backups allow for restoration of the system to its state as of the previous evening. Backup tapes are stored in an off-site facility. The minimum retention period for tape backups is 90 days.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eProtection of Information at Rest (SC-28)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure the security of inactive data stored on any device or network.\u003c/p\u003e\u003cp\u003eData at rest is data that is not actively moving from device to device or network to network, such as data stored on a hard drive, laptop, or flash drive, or archived/stored in some other way. Data protection at rest aims to secure inactive data stored on any device or network.\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PII (to include PHI):\u003c/p\u003e\u003cp\u003eBecause of the sensitivity of PII and protected health information (PHI), the confidentiality and integrity of such information must be assured for data at rest.\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PHI:\u003c/p\u003e\u003cp\u003eUnder the HIPAA Security Rule, this is an addressable implementation specification. HIPAA covered entities must conduct an analysis as described at 45 C.F.R. § 164.306 (Security standards: General rules) part (d) (Implementation specifications) to determine how it must be applied within the organization. However, using cryptographic protection allows the organization to utilize the “Safe Harbor” provision under the Breach Notification Rule. 
If PHI is encrypted pursuant to the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 FR 42740), then no breach notification is required following an impermissible use or disclosure of the information. Therefore, organizations should use cryptographic protections for PHI stored on electronic media.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for SC-28.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 12: CMS Defined Parameters Control SC-28\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-28\u003c/td\u003e\u003ctd\u003eThe information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].\u003c/td\u003e\u003ctd\u003eThe information system protects the confidentiality and integrity of information at rest, as defined in the HHS Standard for Encryption of Computing Devices and Information.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS complies with the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/HHS-Standard-for-Encryption-of-Computing-Devices-and-Information\"\u003eHHS Policy (HHS Standard for Encryption of Computing Devices and Information)\u003c/a\u003e, as amended, which mandates the use of data encryption software on workstations that automatically encrypts data on removable storage devices once they are inserted into the workstation.\u003c/p\u003e\u003cp\u003eRemovable data storage devices allow users to move data from their CMS-issued laptop to other computing devices.\u003c/p\u003e\u003cp\u003eCMS currently supports the following data storage devices:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS-issued or CMS-approved USB flash drives\u003c/li\u003e\u003cli\u003eCD/DVDs\u003c/li\u003e\u003cli\u003eCMS-approved external hard drives\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor information on writing an encrypted file to CD/DVD, go to \u003ca href=\"https://cmsintranet.share.cms.gov/CT/Pages/StorageDeviceandEncryption.aspx\"\u003eStorage Device and Encryption\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eSensitive data stored either on GFE or non-GFE (contractor owned) shall be safeguarded in accordance with \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-111.pdf\"\u003eNIST SP 800-111\u003c/a\u003e\u0026nbsp;\u003cem\u003eGuide to Storage Encryption Technologies for End User Devices\u003c/em\u003e and the HHS Information Security and Privacy Policy (IS2P), as amended, including but not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFolders/files containing sensitive Personally Identifiable Information (PII) or other sensitive data stored on a shared drive shall be encrypted and the folders configured to restrict access on a need-to-know basis;\u003c/li\u003e\u003cli\u003eData backups shall be encrypted and securely transported/filed/archived;\u003c/li\u003e\u003cli\u003eFor high-impact systems, cryptographic mechanisms shall be 
employed to protect the integrity of audit information (e.g., logs and audit tools).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor highly sensitive information such as Sensitive PII (SPII), whole-disk encryption alone is insufficient protection. Encryption at the file or folder level is required. Encryption within a database at the field/record/table level will also meet this enhanced standard.\u003c/p\u003e\u003cp\u003eThe \u003cem\u003eCMS Encryption of Sensitive Information Memorandum - Appendix A\u003c/em\u003e, located in the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Information-Security-Library\"\u003eISP library\u003c/a\u003e, contains additional information on the CMS Encryption Policy and security controls.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eProcess Isolation (SC-39)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this control is to ensure the information system maintains a separate execution domain for each executing process.\u003c/p\u003e\u003cp\u003eAt CMS, each executing process has a distinct address space, so that communication between processes is performed in a manner controlled through the security functions and one process cannot change the executing code of another process. 
Relevant information is contained in the information system design documentation and the information system configuration settings in the SSPP of each system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eElectronic Mail (SC-CMS-1)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIncorporated into SC-8.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWebsite Usage (SC-CMS-2)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS website and web services employ secure connections, such as Hypertext Transfer Protocol Secure (HTTPS). HTTPS is a combination of HTTP (Hypertext Transfer Protocol) and the network protocol Transport Layer Security (TLS), which establishes an encrypted connection to an authenticated peer over an untrusted network. CMS implements and configures TLS in accordance with \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final\"\u003eNIST SP 800-52\u003c/a\u003e, as amended.\u003c/p\u003e\u003cp\u003eCMS complies with procedures outlined in the \u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-internet-and-email-security\"\u003eHHS Policy for Internet and Email Security\u003c/a\u003e, as amended, which include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecuring all public-facing websites and internet services and providing them only through a secure connection (HTTPS only), with HTTP Strict Transport Security (HSTS)\u003c/li\u003e\u003cli\u003eMonitoring all active websites periodically and randomly to ensure users adhere to HHS policies\u003c/li\u003e\u003cli\u003eUsing only third-party websites, applications, and services that are authorized and compliant with HHS security and privacy policies\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS also complies with and operates within the conditions detailed in OMB directives \u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-22.pdf\"\u003eM-10-22\u003c/a\u003e\u0026nbsp;“\u003cem\u003eGuidance for Online Use of Web Measurement and Customization Technologies\u003c/em\u003e,” \u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf\"\u003eM-10-23\u003c/a\u003e\u0026nbsp;“\u003cem\u003eGuidance for Agency Use of Third-Party Websites and Applications\u003c/em\u003e,” and \u003ca href=\"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2015/m-15-13.pdf\"\u003eM-15-13\u003c/a\u003e\u0026nbsp;“\u003cem\u003ePolicy to Require Secure Connections across Federal Websites and Web Services\u003c/em\u003e.”\u003c/p\u003e"])</script><script>self.__next_f.push([1,"
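\u003cp\u003eThe HTTPS-only and HSTS requirements in SC-CMS-2 are straightforward to verify from a captured response; the Go checker below is an added example for this page, not CMS tooling. It parses the Strict-Transport-Security header, rejects plain-HTTP responses that are not a permanent redirect to the same host over https, and treats a one-year max-age with includeSubDomains as the threshold, which is an assumption chosen here rather than a CMS value; the host names and responses are constructed.\u003c/p\u003e

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strconv"
	"strings"
)

// HSTS holds the Strict-Transport-Security directives defined in RFC 6797.
type HSTS struct {
	MaxAge            int64
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS parses a header value such as "max-age=31536000; includeSubDomains".
// Directive names are case-insensitive and max-age is mandatory.
func ParseHSTS(value string) (HSTS, error) {
	var h HSTS
	seenMaxAge := false
	for _, d := range strings.Split(value, ";") {
		kv := strings.SplitN(strings.TrimSpace(d), "=", 2)
		switch strings.ToLower(strings.TrimSpace(kv[0])) {
		case "max-age":
			if len(kv) != 2 {
				return h, errors.New("max-age has no value")
			}
			n, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(kv[1]), "\""), 10, 64)
			if err != nil || n < 0 {
				return h, fmt.Errorf("invalid max-age %q", kv[1])
			}
			h.MaxAge, seenMaxAge = n, true
		case "includesubdomains":
			h.IncludeSubDomains = true
		case "preload":
			h.Preload = true
		}
	}
	if !seenMaxAge {
		return h, errors.New("max-age directive missing")
	}
	return h, nil
}

// MinMaxAge is the policy threshold assumed here: one year, the minimum the HSTS
// preload list accepts. Shorter values leave a downgrade window after expiry.
const MinMaxAge = 31536000

// CheckPlainHTTP verifies that a request sent over http:// was answered with a
// permanent redirect to https:// on the same host, never with content.
func CheckPlainHTTP(resp *http.Response) error {
	if resp.StatusCode != http.StatusMovedPermanently && resp.StatusCode != http.StatusPermanentRedirect {
		return fmt.Errorf("http:// answered with %d instead of a permanent redirect", resp.StatusCode)
	}
	loc, err := url.Parse(resp.Header.Get("Location"))
	if err != nil || loc.Scheme != "https" {
		return errors.New("redirect target is not an https:// URL")
	}
	if resp.Request != nil && loc.Host != resp.Request.URL.Host {
		return fmt.Errorf("redirect leaves host %s for %s", resp.Request.URL.Host, loc.Host)
	}
	return nil
}

// CheckHTTPS verifies that the https:// response pins clients to TLS via HSTS with
// a long max-age and includeSubDomains, so no name under the site can be downgraded.
func CheckHTTPS(resp *http.Response) error {
	v := resp.Header.Get("Strict-Transport-Security")
	if v == "" {
		return errors.New("Strict-Transport-Security header missing")
	}
	h, err := ParseHSTS(v)
	if err != nil {
		return err
	}
	if h.MaxAge < MinMaxAge {
		return fmt.Errorf("max-age %d is below the %d second threshold", h.MaxAge, MinMaxAge)
	}
	if !h.IncludeSubDomains {
		return errors.New("includeSubDomains missing")
	}
	return nil
}

func main() {
	// Constructed responses standing in for what a scanner would capture.
	req, _ := http.NewRequest("GET", "http://www.agency.example/", nil)
	redirect := &http.Response{StatusCode: 301, Header: http.Header{"Location": {"https://www.agency.example/"}}, Request: req}
	strong := &http.Response{StatusCode: 200, Header: http.Header{"Strict-Transport-Security": {"max-age=31536000; includeSubDomains; preload"}}}
	weak := &http.Response{StatusCode: 200, Header: http.Header{"Strict-Transport-Security": {"max-age=300"}}}
	fmt.Println("http redirect:", CheckPlainHTTP(redirect))
	fmt.Println("https strong :", CheckHTTPS(strong))
	fmt.Println("https weak   :", CheckHTTPS(weak))
}
```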
"])</script><script>self.__next_f.push([1,"
Security\",\"description\":null,\"weight\":0,\"changed\":\"2022-09-28T21:04:30+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$cc\"}\nd0:{\"drupal_internal__target_id\":\"topics\"}\ncf:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$d0\"}\nd2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/vid?resourceVersion=id%3A41\"}\nd3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/vid?resourceVersion=id%3A41\"}\nd1:{\"related\":\"$d2\",\"self\":\"$d3\"}\nce:{\"data\":\"$cf\",\"links\":\"$d1\"}\nd6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/revision_user?resourceVersion=id%3A41\"}\nd7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/revision_user?resourceVersion=id%3A41\"}\nd5:{\"related\":\"$d6\",\"self\":\"$d7\"}\nd4:{\"data\":null,\"links\":\"$d5\"}\nde:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\ndd:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$de\"}\ndc:{\"help\":\"$dd\"}\ndb:{\"links\":\"$dc\"}\nda:{\"type\":\"tax"])</script><script>self.__next_f.push([1,"onomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$db\"}\nd9:[\"$da\"]\ne0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/parent?resourceVersion=id%3A41\"}\ne1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/parent?resourceVersion=id%3A41\"}\ndf:{\"related\":\"$e0\",\"self\":\"$e1\"}\nd8:{\"data\":\"$d9\",\"links\":\"$df\"}\ncd:{\"vid\":\"$ce\",\"revision_user\":\"$d4\",\"parent\":\"$d8\"}\nc8:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"links\":\"$c9\",\"attributes\":\"$cb\",\"relationships\":\"$cd\"}\ne4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}\ne3:{\"self\":\"$e4\"}\ne6:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\ne5:{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 
Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$e6\"}\nea:{\"drupal_internal__target_id\":\"topics\"}\ne9:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$ea\"}\nec:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"}\ned:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}\neb:{\"related\":\"$ec\",\"self\":\"$ed\"}\ne8:{\"data\":\"$e9\",\"links\":\"$eb\"}\nf0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"}\nf1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}\nef:{\"related\":\"$f0\",\"self\":\"$f1\"}\nee:{\"data\":null,\"links\":\"$ef\"}\nf8:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier"])</script><script>self.__next_f.push([1,".\"}\nf7:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$f8\"}\nf6:{\"help\":\"$f7\"}\nf5:{\"links\":\"$f6\"}\nf4:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$f5\"}\nf3:[\"$f4\"]\nfa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"}\nfb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}\nf9:{\"related\":\"$fa\",\"self\":\"$fb\"}\nf2:{\"data\":\"$f3\",\"links\":\"$f9\"}\ne7:{\"vid\":\"$e8\",\"revision_user\":\"$ee\",\"parent\":\"$f2\"}\ne2:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":\"$e3\",\"attributes\":\"$e5\",\"relationships\":\"$e7\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--library\",\"id\":\"c0c6aea5-6964-46e4-b40c-c093583c09b5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c0c6aea5-6964-46e4-b40c-c093583c09b5?resourceVersion=id%3A5772\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c0c6aea5-6964-46e4-b40c-c093583c09b5?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__nid\":511,\"drupal_internal__vid\":5772,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T16:02:27+00:00\",\"status\":true,\"title\":\"RMH Chapter 16: System \u0026 Communications 
Protection\",\"created\":\"2022-08-29T18:09:03+00:00\",\"changed\":\"2024-08-05T16:02:27+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/risk-management-handbook-chapter-16-system-communications-protection\",\"pid\":501,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2020-07-10\",\"field_related_resources\":[{\"uri\":\"entity:node/631\",\"title\":\"CMS Acceptable Risk Safeguards (ARS) \",\"options\":[],\"url\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"},{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2)\",\"options\":[],\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"},{\"uri\":\"entity:node/681\",\"title\":\"CMS Security and Privacy Handbooks (all)\",\"options\":[],\"url\":\"/learn/cms-security-and-privacy-handbooks\"}],\"field_short_description\":{\"value\":\"RMH Chapter 16 identifies the System \u0026 Communications Protection (SC) family of controls that monitor, control, and protect organizational communication at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eRMH Chapter 16 identifies the System \u0026amp; Communications Protection (SC) family of controls that monitor, control, and protect organizational communication at 
CMS\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c0c6aea5-6964-46e4-b40c-c093583c09b5/node_type?resourceVersion=id%3A5772\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c0c6aea5-6964-46e4-b40c-c093583c09b5/relationships/node_type?resourceVersion=id%3A5772\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c0c6aea5-6964-46e4-b40c-c093583c09b5/revision_uid?resourceVersion=id%3A5772\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c0c6aea5-6964-46e4-b40c-c093583c09b5/relationships/revision_uid?resourceVersion=id%3A5772\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c0c6aea5-6964-46e4-b40c-c093583c09b5/uid?resourceVersion=id%3A5772\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c0c6aea5-6964-46e4-b40c-c093583c09b5/relationships/uid?resourceVersion=id%3A5772\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c0c6aea5-6964-46e4-b40c-c093583c09b5/field_resource_type?resourceVersion=id%3A5772\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c0c6aea5-6964-46e4-b40c-c093583c09b5/relationships/field_resource_type?resourceVersion=id%3A5772\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term-
-roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c0c6aea5-6964-46e4-b40c-c093583c09b5/field_roles?resourceVersion=id%3A5772\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c0c6aea5-6964-46e4-b40c-c093583c09b5/relationships/field_roles?resourceVersion=id%3A5772\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c0c6aea5-6964-46e4-b40c-c093583c09b5/field_topics?resourceVersion=id%3A5772\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c0c6aea5-6964-46e4-b40c-c093583c09b5/relationships/field_topics?resourceVersion=id%3A5772\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fields
et\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}},\"attributes\":{\"display_name\":\"jcallan - retired\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - 
retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}},\"attributes\":{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"http
s://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26?resourceVersion=id%3A81\"}},\"attributes\":{\"drupal_internal__tid\":81,\"drupal_internal__revision_id\":81,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:09:11+00:00\",\"status\":true,\"name\":\"Data Guardian\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:09:11+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/vid?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/vid?resourceVersion=id%3A81\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/revision_user?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/revision_user?resourceVersion=id%3A81\"}}},\"parent\":{\"da
ta\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/parent?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/parent?resourceVersion=id%3A81\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.or
g/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"
taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c?resourceVersion=id%3A41\"}},\"attributes\":{\"drupal_internal__tid\":41,\"drupal_internal__revision_id\":41,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:04+00:00\",\"status\":true,\"name\":\"Application Security\",\"description\":null,\"weight\":0,\"changed\":\"2022-09-28T21:04:30+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/vid?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/vid?resourceVersion=id%3A41\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/revision_user?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8
-5635-4a38-b8c3-7225aa196f4c/relationships/revision_user?resourceVersion=id%3A41\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/parent?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/parent?resourceVersion=id%3A41\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}},\"attributes\":{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 
"])</script></body></html>
