<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>Cyber Risk Reports (CRR) | CMS Information Security & Privacy Group</title><meta name="description" content="Reports and dashboards to help stakeholders of CMS FISMA systems 
identify risk-reduction activities and protect sensitive data from cyber threats"/><link rel="canonical" href="https://security.cms.gov/learn/cyber-risk-reports"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="Cyber Risk Reports (CRR) | CMS Information Security & Privacy Group"/><meta property="og:description" content="Reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats"/><meta property="og:url" content="https://security.cms.gov/learn/cyber-risk-reports"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/cyber-risk-reports/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Cyber Risk Reports (CRR) | CMS Information Security & Privacy Group"/><meta name="twitter:description" content="Reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/cyber-risk-reports/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States 
government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=16&q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here's how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here's how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span 
class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul 
id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item 
font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance & Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance & Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments & Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk 
Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy & Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy & Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones 
(POA&M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at 
CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accountability Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools & Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools & Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting & Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests & Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button 
aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">Cyber Risk Reports (CRR)</h1><p class="hero__description">Reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">CRM Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CRMPMO@cms.hhs.gov">CRMPMO@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 
margin-top-0">#cyber-risk-management</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>What are Cyber Risk Reports?</h2><p>Cyber Risk Reports are provided monthly by ISPG to communicate cyber risk metrics in a consistent manner across all <a href="/learn/federal-information-systems-management-act-fisma">Federal Information Security Management Act (FISMA)</a> systems. These reports help Business and System Owners make risk-based decisions and prioritize risk remediation activities at the system level.</p></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>View Cyber Risk Reports</h1><p>Ready to dive in? You can jump right to your Cyber Risk Dashboards from here, but you will need to have access to your Tableau and CFACTS (job codes) accounts.</p><p><a href="https://tableau.bi.cms.gov/#/site/CEDE/projects/51?:origin=card_share_link">Go to the dashboards</a></p></section><div class="text-block text-block--theme-explainer"><h3>Who can access the reports?</h3><p>The Cyber Risk Reports are sent to all component leadership, including Business Owners (such as ISSOs and CRAs) and to CMS Senior Leadership (such as the COO, CISO, and CIO). 
Additionally, in compliance with FISMA reporting, this data is also shared with HHS and DHS.</p><p>Contractor ISSOs and contractor Business Owners working with CMS FISMA systems can also access the reports, using a CFACTS job code. You will also need to be assigned a role and added as a stakeholder on one or more specific FISMA packages. Contact the CRM PMO team at <a href="mailto:CDMPMO@cms.hhs.gov">CDMPMO@cms.hhs.gov</a> to obtain the SOP for Tableau Access that will include the appropriate job codes for access.</p></div><div class="text-block text-block--theme-explainer"><h3>ISSO Reports</h3><p>ISSO Reports are a specific kind of Cyber Risk Report that helps ISSOs identify security and privacy risks (along with ways to mitigate them) for their systems. These reports make it easier to spot things like overdue POA&Ms, expiring Contingency Plans, and other areas where ISSOs need to take action. You can access ISSO reports from the <a href="https://tableau.bi.cms.gov/#/site/CEDE/projects/51?:origin=card_share_link">Cyber Risk Dashboards</a> (CMS internal link).</p></div><div class="text-block text-block--theme-explainer"><h3>The future of risk reporting at CMS</h3><p>The CMS Cyber Risk Management Program lays the foundation to help CMS Components implement better cybersecurity capabilities – including the modernization of risk reporting. 
This is part of the overarching goal at CMS to align our information security and privacy activities with federal standards for a risk-based approach, which are outlined in the <a href="https://www.nist.gov/cyberframework">NIST Cybersecurity Framework</a> and the <a href="/learn/federal-information-systems-management-act-fisma">Federal Information Security Management Act (FISMA)</a>.</p><p>The initiatives that result from this approach will help us:</p><ul><li>Build security into development pipelines (DevSecOps)</li><li>Tailor system testing (such as the <a rel="noopener noreferrer" href="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap">Cybersecurity and Risk Assessment Program (CSRAP)</a>) to more specific uses</li><li>Expedite the <a href="/learn/authorization-operate-ato">ATO process</a></li><li>Approve and onboard more systems to <a href="/learn/ongoing-authorization">Ongoing Authorization</a></li></ul><p>For risk reporting, it means expanding capabilities to give CMS stakeholders accurate and actionable data about their system risks.</p><h2>Cyber Risk Dashboards</h2><p>As part of the modernization of risk reporting, Cyber Risk Dashboards are provided to help CMS stakeholders view reports, analyze data, and create proactive mitigation strategies. The dashboards give a snapshot of overall risk for specific systems in near-real time, including summaries of key high-risk metrics – allowing users to prioritize the most important risk mitigation activities. </p><p>Cyber Risk Dashboards are helpful to the various CMS stakeholders who are accountable for the security and privacy of information and systems:</p><ul><li>Information System Security Officers (ISSO)</li><li>Application Development Organizations (ADO)</li><li>Data Centers</li><li>Business Owners / System Owners (BO / SO)</li><li>System Administrators </li></ul><p>Access to the reporting platform and dashboards requires a Tableau job code. 
You must also have a CFACTS job code as a prerequisite to accessing the reporting platform. If you need help getting these job codes, please contact the Cyber Risk Management Team: <a href="mailto:CDMPMO@cms.hhs.gov">CDMPMO@cms.hhs.gov</a>.</p><h3>Known Exploited Vulnerabilities (KEV) Dashboard</h3><p>The Known Exploited Vulnerabilities (KEV) Dashboard / Interactive Visualization displays the metrics associated with Binding Operational Directive (BOD) 22-01, the CISA directive that requires federal agencies to remediate vulnerabilities listed in the Known Exploited Vulnerabilities catalog by their assigned due dates. It also provides the current status for:</p><ul><li>Top Overdue Common Vulnerabilities and Exposures (CVEs)</li><li>Top Products (by Overdue CVEs)</li><li>Total Vulnerabilities (by Data Center)</li><li>Overdue Vulnerabilities (by Due Date) </li></ul><p>The dashboard also includes details for specific vendor/products by CVE and the total number of vulnerabilities by CVE. </p><p>The Known Exploited Vulnerabilities (KEV) Dashboard / List of Filters offers an alternate view of the KEV Dashboard / Interactive Visualization and shows BOD 22-01 data in a list format which users can customize by applying several dynamic filters. These filters include Data Center, BOD Due Date, Overdue CVEs, Vendor/Project, and Product. This dashboard also offers Search by BOD Due Date and Search by CVE, making it even easier to customize the data.</p></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>Quick start guide</h1><p>Learn how to access, customize, and manage the KEV Dashboard. 
(CMS internal link)</p><p><a href="https://confluenceent.cms.gov/display/ISPG/Next+Generation+Dashboard+Quick+Look+Guides?preview=/298341730/298341948/Known%20Exploited%20Vulnerabilities%20Dashboard%20-%20Quick%20Start%20Guide.pdf">See the KEV Dashboard guide</a></p></section><div class="text-block text-block--theme-explainer"><h3>Vulnerability Dashboard</h3><p>The Vulnerability Dashboard provides an overview of vulnerabilities found in the system and helps Business Owners prioritize which ones to remediate first.</p></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>Quick start guide</h1><p>Learn how to access and use the Vulnerability Dashboard. (CMS internal link)</p><p><a href="https://confluenceent.cms.gov/display/ISPG/Next+Generation+Dashboard+Quick+Look+Guides?preview=/298341730/298341950/Vulnerability%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20%281%29.pdf">See the Vulnerability Dashboard guide</a></p></section><div class="text-block text-block--theme-explainer"><h3>Ongoing Authorization Program Dashboard</h3><p><a href="/learn/ongoing-authorization">Ongoing Authorization (OA)</a> is closely tied to CMS’ goals for a proactive, risk-based approach to system security. Rather than going through the traditional, compliance-focused Authorization to Operate (ATO) process, a system can be approved to operate through OA, which focuses on continuous risk identification and management. 
The Ongoing Authorization Program Dashboard helps ISSOs and other security professionals to quickly identify what parts of their system meet the requirements for OA, and what steps they need to take (either to achieve or maintain OA).</p></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>Quick start guide</h1><p>Learn how to access and use the Ongoing Authorization Program Dashboard. (CMS internal link)</p><p><a href="https://confluenceent.cms.gov/pages/viewpage.action?pageId=195122542&preview=/195122542/250712614/OA%20Program%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20102721_Final.pdf">See the OA Dashboard guide</a></p></section></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/fedramp">Federal Risk and Authorization Management Program (FedRAMP)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Provides a federally-recognized and standardized security framework for all cloud products and services</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Mitigation (CDM)</a></h3></div><div class="usa-card__body 
font-sans-2xs line-height-sans-4 text-base-darkest"><p>Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/policy-guidance/cms-cyber-risk-management-plan-crmp">CMS Cyber Risk Management Plan (CRMP)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>A plan that defines the overarching strategy for managing risk associated with the operation of CMS FISMA systems. 
</p></div></div></li></ul></div></div></main><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"cyber-risk-reports\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"cyber-risk-reports\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"cyber-risk-reports\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"cyber-risk-reports\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\"
,null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"
static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new 
ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner 
(BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of 
authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 
Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new 
ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner 
(BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of 
authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 
Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accountability Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO 
Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 
Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:Tdfd,"])</script><script>self.__next_f.push([1,"\u003ch3\u003e\u003cstrong\u003eThe future of risk reporting at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS Cyber Risk Management Program lays the foundation to help CMS Components implement better cybersecurity capabilities – including the modernization of risk reporting. 
This is part of the overarching goal at CMS to align our information security and privacy activities with federal standards for a risk-based approach, which are outlined in the \u003ca href=\"https://www.nist.gov/cyberframework\"\u003eNIST Cybersecurity Framework\u003c/a\u003e and the \u003ca href=\"/learn/federal-information-systems-management-act-fisma\"\u003eFederal Information Security Management Act (FISMA)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe initiatives that result from this approach will help us:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBuild security into development pipelines (DevSecOps)\u003c/li\u003e\u003cli\u003eTailor system testing (such as \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e) to more specific uses\u003c/li\u003e\u003cli\u003eExpedite the \u003ca href=\"/learn/authorization-operate-ato\"\u003eATO process\u0026nbsp;\u003c/a\u003e\u003c/li\u003e\u003cli\u003eApprove and onboard more systems to \u003ca href=\"/learn/ongoing-authorization\"\u003eOngoing Authorization\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor risk reporting, it means expanding capabilities to give CMS stakeholders accurate and actionable data about their system risks.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eCyber Risk Dashboards\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAs part of the modernization of risk reporting, Cyber Risk Dashboards are provided to help CMS stakeholders view reports, analyze data, and create proactive mitigation strategies. 
The dashboards give a snapshot of overall risk for specific systems in near-real time, including summaries of key high-risk metrics – allowing users to prioritize the most important risk mitigation activities.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCyber Risk Dashboards are helpful to the various CMS stakeholders who are accountable for the security and privacy of information and systems:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation System Security Officers (ISSO)\u003c/li\u003e\u003cli\u003eApplication Development Organizations (ADO)\u003c/li\u003e\u003cli\u003eData Centers\u003c/li\u003e\u003cli\u003eBusiness Owners / System Owners (BO / SO)\u003c/li\u003e\u003cli\u003eSystem Administrators\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAccess to the reporting platform and dashboards requires a Tableau job code. You must also have a CFACTS job code as a prerequisite to accessing the reporting platform. If you need help getting these job codes, please contact the Cyber Risk Management Team: \u003ca href=\"mailto:CDMPMO@cms.hhs.gov\"\u003eCDMPMO@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKnown Exploited Vulnerabilities (KEV) Dashboard\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Known Exploited Vulnerabilities (KEV) Dashboard / Interactive Visualization displays the metrics associated with the Binding Operational Directive (BOD) 22-01. 
It also provides the current status for:\u003c/p\u003e\u003cul\u003e\u003cli\u003eTop Overdue Common Vulnerabilities and Exposures (CVEs)\u003c/li\u003e\u003cli\u003eTop Products (by Overdue CVEs)\u003c/li\u003e\u003cli\u003eTotal Vulnerabilities (by Data Center)\u003c/li\u003e\u003cli\u003eOverdue Vulnerabilities (by Due Date)\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe dashboard also includes details for specific vendor/products by CVE and the total number of vulnerabilities by CVE.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Known Exploited Vulnerabilities (KEV) Dashboard / List of Filters offers an alternate view of the KEV Dashboard / Interactive Visualization and shows BOD 22-01 data in a list format which users can customize by applying several dynamic filters. These filters include Data Center, BOD Due Date, Overdue CVEs, Vendor/Project, and Product.\u0026nbsp; This dashboard also offers Search by BOD Due Date and Search by CVE, making it even easier to customize the data.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:Tdfd,"])</script><script>self.__next_f.push([1,"\u003ch3\u003e\u003cstrong\u003eThe future of risk reporting at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS Cyber Risk Management Program lays the foundation to help CMS Components implement better cybersecurity capabilities – including the modernization of risk reporting. 
This is part of the overarching goal at CMS to align our information security and privacy activities with federal standards for a risk-based approach, which are outlined in the \u003ca href=\"https://www.nist.gov/cyberframework\"\u003eNIST Cybersecurity Framework\u003c/a\u003e and the \u003ca href=\"/learn/federal-information-systems-management-act-fisma\"\u003eFederal Information Security Management Act (FISMA)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe initiatives that result from this approach will help us:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBuild security into development pipelines (DevSecOps)\u003c/li\u003e\u003cli\u003eTailor system testing (such as \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e) to more specific uses\u003c/li\u003e\u003cli\u003eExpedite the \u003ca href=\"/learn/authorization-operate-ato\"\u003eATO process\u0026nbsp;\u003c/a\u003e\u003c/li\u003e\u003cli\u003eApprove and onboard more systems to \u003ca href=\"/learn/ongoing-authorization\"\u003eOngoing Authorization\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor risk reporting, it means expanding capabilities to give CMS stakeholders accurate and actionable data about their system risks.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eCyber Risk Dashboards\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAs part of the modernization of risk reporting, Cyber Risk Dashboards are provided to help CMS stakeholders view reports, analyze data, and create proactive mitigation strategies. 
The dashboards give a snapshot of overall risk for specific systems in near-real time, including summaries of key high-risk metrics – allowing users to prioritize the most important risk mitigation activities.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCyber Risk Dashboards are helpful to the various CMS stakeholders who are accountable for the security and privacy of information and systems:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation System Security Officers (ISSO)\u003c/li\u003e\u003cli\u003eApplication Development Organizations (ADO)\u003c/li\u003e\u003cli\u003eData Centers\u003c/li\u003e\u003cli\u003eBusiness Owners / System Owners (BO / SO)\u003c/li\u003e\u003cli\u003eSystem Administrators\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAccess to the reporting platform and dashboards requires a Tableau job code. You must also have a CFACTS job code as a prerequisite to accessing the reporting platform. If you need help getting these job codes, please contact the Cyber Risk Management Team: \u003ca href=\"mailto:CDMPMO@cms.hhs.gov\"\u003eCDMPMO@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKnown Exploited Vulnerabilities (KEV) Dashboard\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Known Exploited Vulnerabilities (KEV) Dashboard / Interactive Visualization displays the metrics associated with the Binding Operational Directive (BOD) 22-01. 
It also provides the current status for:\u003c/p\u003e\u003cul\u003e\u003cli\u003eTop Overdue Common Vulnerabilities and Exposures (CVEs)\u003c/li\u003e\u003cli\u003eTop Products (by Overdue CVEs)\u003c/li\u003e\u003cli\u003eTotal Vulnerabilities (by Data Center)\u003c/li\u003e\u003cli\u003eOverdue Vulnerabilities (by Due Date)\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe dashboard also includes details for specific vendor/products by CVE and the total number of vulnerabilities by CVE.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Known Exploited Vulnerabilities (KEV) Dashboard / List of Filters offers an alternate view of the KEV Dashboard / Interactive Visualization and shows BOD 22-01 data in a list format which users can customize by applying several dynamic filters. These filters include Data Center, BOD Due Date, Overdue CVEs, Vendor/Project, and Product.\u0026nbsp; This dashboard also offers Search by BOD Due Date and Search by CVE, making it even easier to customize the data.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1a:T5768,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u0026nbsp;Introduction\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) operates information technology (IT) systems that process personally identifiable information (PII) of more than 140 million Americans. The CMS Information Security and Privacy Group (ISPG) is responsible for defining the overarching strategy for managing risk associated with the operation of these information systems. This CMS Cyber Risk Management Plan (CRMP) outlines that strategy. The CMS CRMP is primarily owned by the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP), who oversee its management, evolution, and modification. 
This plan is regularly updated to align with changes in policy, Office of Information Technology (OIT) direction, federal requirements, and the threat landscape.\u003c/p\u003e\u003cp\u003eRisk Management is the process of managing risk to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf\"\u003eoperation of an information system\u003c/a\u003e. Risk Management includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003ethe conduct of a risk assessment;\u003c/li\u003e\u003cli\u003ethe implementation of a risk mitigation strategy; and\u003c/li\u003e\u003cli\u003ethe employment of techniques and procedures for the continuous monitoring of the security state of the information system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISPG has outlined three objectives that support each of the components of risk management identified above. Together, these objectives form the overarching risk management strategy for CMS information and information systems. The risk management strategy and its associated objectives are described in detail in the Risk Management Strategy section.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Purpose\u003c/h2\u003e\u003cp\u003eThe purpose of the CMS CRMP is to outline the CMS risk management strategy, establish objectives to support that strategy, and establish a program that aligns the processes, data, programs, technologies, and services with the risk management strategy to accomplish the objectives.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Risk Management Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Strategy establishes the program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation. The strategy includes: assessing risk, responding to risk once determined\u0026nbsp;(i.e. 
risk mitigation), and monitoring risk over time (i.e. continuous monitoring). To support these components of the risk management strategy CMS has identified three objectives:\u003c/p\u003e\u003col\u003e\u003cli\u003eDevelop and implement capabilities to provide ongoing awareness and visibility into the security posture of CMS information technology assets. (\u003cem\u003eRelates to: Risk Assessment)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eDevelop metrics, dashboards, and reports to inform and prioritize remediation efforts. \u003cem\u003e(Relates to: Risk Mitigation\u003c/em\u003e\u003c/li\u003e\u003cli\u003eImplement capabilities and tools to support continuous assessment and ongoing authorization (OA). \u003cem\u003e(Relates to: Continuous Monitoring)\u003c/em\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe ISPG maintains a pipeline of services and capabilities that support the three objectives identified above. These services and capabilities produce output (i.e. data) that is leveraged to support the CMS risk management strategy and is used to perform ongoing risk management activities. This CRMP establishes a framework to support the implementation of cybersecurity and privacy capabilities to protect CMS information and information systems. The components and services available to support each of the three components of the CMS risk management strategy are identified in the following subsections.\u003c/p\u003e\u003ch2\u003eRisk Assessment\u003c/h2\u003e\u003cp\u003eRisk assessment is part of risk management and incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Through the execution of the risk assessment organizations gain context and a comprehension of the nature of the risk which allows the level of the risk to be determined. 
Risk assessment is synonymous with risk analysis.\u003c/p\u003e\u003cp\u003eThe following CMS capabilities and services provide ongoing awareness into the security posture of CMS information technology assets and support the risk assessment process:\u003c/p\u003e\u003ch3\u003eThreat Modeling\u003c/h3\u003e\u003cp\u003eThreat Modeling is a form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment.\u003c/p\u003e\u003ch3\u003eVulnerability Analysis Services\u003c/h3\u003e\u003cp\u003eCMS has implemented the following capabilities to support the identification and analysis of information system vulnerabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStatic Code Analysis \u003c/strong\u003e– provides tools that analyze source code without executing the code. Static code analyzers are designed to review bodies of source code (at the programming language level) or compiled code (at the machine language level) to identify poor coding practices. 
Static code analyzers provide feedback to developers during the code development phase on security flaws that might be introduced into code.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNetwork Scanning \u003c/strong\u003e– provides tools allowing Users to automatically determine all active devices on the local network.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHost Scanning \u003c/strong\u003e– provides tools to automate the identification of vulnerabilities in an operating system.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDatabase Scanning \u003c/strong\u003e– provides a specialized tool used specifically to identify vulnerabilities in database applications.\u003c/p\u003e\u003ch3\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003eThe Adaptive Capabilities Testing (ACT) Program is now the \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e. This change is a move toward a partnership-based methodology to align with ISPG strategies and the strategic goal of risk-based program management. This change is a holistic approach to assessing risk and will help our partners make better data-driven, risk-based decisions by using analytics to help optimize performance, streamline processes, and reduce risk.\u003c/p\u003e\u003cp\u003eCSRAP is a security and risk assessment for FISMA systems at CMS. CSRAP assesses a system’s security capabilities to ensure that it operates as intended and meets the security requirements for the information system. CSRAP is a critical component of the \u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process and is used to determine the overall system security and privacy posture throughout the system development life cycle (SDLC). 
For detailed information about CSRAP, see \u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCybersecurity and Risk Assessment Program Handbook\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eRisk Mitigation\u003c/h2\u003e\u003cp\u003eThe act of mitigating a vulnerability or a threat is referred to as risk mitigation. CMS maintains a suite of dashboards and reports to display and aggregate the results of the risk assessment and continuous assessment activities to support the prioritization of mitigating/remedial actions. The following dashboards and reports support the risk mitigation process.\u003c/p\u003e\u003ch3\u003eOngoing Authorization (OA) Program Dashboard\u003c/h3\u003e\u003cp\u003eThe CMS \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. 
OA trigger fires).\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM) Dashboards\u003c/h3\u003e\u003cp\u003eCMS maintains the following dashboards which support the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM\u003c/a\u003e Vulnerability Management (VULN) and Hardware Asset Management (HWAM) capabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVULN\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVulnerability Monitoring Dashboard – Provides vulnerability data across systems with breakdowns of Open, Reopened, and Remediated items\u003c/li\u003e\u003cli\u003eKnown Exploited Vulnerabilities Dashboard – Provides key metrics associated with the BOD 22-01 requirements including the monthly CISA CVE catalog feed applied to CMS systems and vulnerabilities by data center\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eHWAM\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAsset Details Dashboard – Provides comprehensive HWAM details for CMS System assets by datacenter\u003c/li\u003e\u003cli\u003eMaster Device Record – Provides high level overview of CMS assets\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eThe terms ‘continuous’ and ‘ongoing’ in this context means security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk- based security decisions to adequately protect organization information.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003eCyber Risk Report\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cyber-risk-reports\"\u003eCMS Cyber Risk Report\u003c/a\u003e communicates cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) Systems. 
ISPG generates Cyber Risk Reports monthly to help Business Owners (BO) and System Owners make risk-based decisions including prioritizing risk remediation activities at the system level.\u003c/p\u003e\u003ch3\u003eHigh Risk Summary\u003c/h3\u003e\u003cp\u003eThe CMS High Risk Summary is a report delivered monthly to the CMS Chief Information Officer, Chief Information Security Officer, and Office of Information Technology (OIT) management. This report aggregates risk across the entire CMS enterprise and is reviewed at the Security Operations Center (SOC) debrief.\u003c/p\u003e\u003ch3\u003eCFACTS POA\u0026amp;M\u003c/h3\u003e\u003cp\u003eStakeholders must use \u003ca href=\"https://security.cms.gov/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e to identify, track, and manage all IT system weaknesses and associated \u003ca href=\"https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"\u003ePlans of Action and Milestones (POA\u0026amp;Ms) \u003c/a\u003eto closure for CMS information systems. The CFACTS POA\u0026amp;M User Guide provides detailed instructions for processing POA\u0026amp;M actions in the CFACTS tracking system.\u003c/p\u003e\u003ch3\u003eContinuous Monitoring\u003c/h3\u003e\u003cp\u003eContinuous Monitoring, which is synonymous with Information Security Continuous Monitoring (ISCM), is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.\u003c/p\u003e\u003cp\u003eThe Department of Health and Human Services maintains an overarching strategy for ISCM. This HHS strategy defines the assessment frequencies for each required security control. CMS complies with the HHS ISCM strategy and further defines the CMS specific assessment frequencies within the CMS Acceptable Risk Safeguards (ARS). 
Security controls are assessed at their defined frequencies by leveraging a variety of capabilities and services available to CMS information systems. The following CMS capabilities and services support the continuous monitoring process.\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM Program\u003c/a\u003e provides a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program delivers cybersecurity tools, integration services, and dashboards that help participating agencies improve their security posture by:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReducing agency threat surface\u003c/li\u003e\u003cli\u003eIncreasing visibility into the federal cybersecurity posture\u003c/li\u003e\u003cli\u003eImproving federal cybersecurity response capabilities\u003c/li\u003e\u003cli\u003eStreamlining Federal Information Security Modernization Act (FISMA) reporting The CDM Program delivers capabilities in four areas:\u003cul\u003e\u003cli\u003eAsset Management | What is on the network?\u003c/li\u003e\u003cli\u003eIdentity and Access Management | Who is on the network?\u003c/li\u003e\u003cli\u003eNetwork Security Management | What is happening on the network? 
How is the network protected?\u003c/li\u003e\u003cli\u003eData Protection Management | How is data protected?\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CDM program aligns with the CDM program outlined by the DHS and is currently focused on implementing the following functional areas related to the asset management capability:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHardware Asset Management (HWAM)\u003c/li\u003e\u003cli\u003eSoftware Asset Management (SWAM)\u003c/li\u003e\u003cli\u003eSoftware Vulnerability Management (VUL)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003ePenetration Testing\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003ePenetration Testing \u003c/a\u003eis security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.\u003c/p\u003e\u003cp\u003eThe CMS Cybersecurity Integration Center (CCIC) maintains penetration testing teams that perform testing on a rolling basis. A system’s ISSO can request an intake form for a penetration test via email to the Pen Test mailbox.\u003c/p\u003e\u003ch3\u003ebatCAVE\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/batcave-infrastructure-service\"\u003ebatCAVE\u003c/a\u003e incorporates enterprise Kubernetes and continuous integration to take software from ideation to production faster. 
By decreasing the time dedicated to audits and alleviating fears associated with updating production code, batCAVE will incentivize faster innovation at CMS.\u003c/p\u003e\u003cp\u003eKey aspects of the batCAVE initiative:\u003c/p\u003e\u003col\u003e\u003cli\u003eReduce burden and obligations to Users\u003c/li\u003e\u003cli\u003eGive Users the knowledge necessary to make better security decisions\u003c/li\u003e\u003cli\u003eIncentivize behavior that strengthens the security posture of applications and CMS as a whole\u003c/li\u003e\u003cli\u003eIncrease transparency and empower distributed decision-making\u003c/li\u003e\u003cli\u003eMeasure, report, and champion the positive behavior rather than punish negative actions\u003c/li\u003e\u003c/ol\u003e\u003ch3\u003eCMS Security Automation Framework (SAF)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/security-automation-framework-saf\"\u003eCMS Security Automation Framework (SAF)\u003c/a\u003e brings together applications, techniques, libraries, and tools developed by the CMS Information Security and Privacy Group (ISPG) and the security community to streamline security automation for systems and DevOps pipelines. 
Benefits of using this framework include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ACT team will accept security testing data from this framework.\u003c/li\u003e\u003cli\u003eDevelopers can harden and run validation security early and often in their environments, using their own orchestration, functional and unit testing systems, to keep security defects as low as possible.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u0026nbsp;Ongoing Authorization\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e is the continuous evaluation of the effectiveness of security control implementations which supports risk determinations and risk acceptance decisions taken at agreed upon and documented frequencies subsequent to the initial authorization (i.e., during ops phase). OA decisions are time-driven and may also be event-driven. OA is not separate from ISCM but in fact is a subset of ISCM activities.\u003c/p\u003e\u003cp\u003eThere are two conditions for a system to participate in OA:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe system must have been granted an initial Authority to Operate (ATO) and must be in the operational phase.\u003c/li\u003e\u003cli\u003eA robust ISCM program is in place that monitors all implemented controls:\u003cul\u003e\u003cli\u003eAt the appropriate frequencies,\u003c/li\u003e\u003cli\u003eWith the appropriate degree of rigor, and\u003c/li\u003e\u003cli\u003eIn accordance with the organization’s ISCM strategy.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eTime Driven Triggers \u003c/strong\u003e– controls are assessed at a discrete frequency as defined by the organization’s ISCM strategy. At CMS the assessment frequencies for each security control are defined within the CMS ARS 5.0.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent Driven Triggers \u003c/strong\u003e– are defined by the organization. 
Examples include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIncrease in defects from ISCM\u003c/li\u003e\u003cli\u003eChange in risk assessment findings\u003c/li\u003e\u003cli\u003eNew threat/vulnerability information\u003c/li\u003e\u003cli\u003eSignificant changes\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eCMS OA Initiative\u003c/h3\u003e\u003cp\u003eCMS is transitioning from the traditional static (i.e. point in time) authorization process to ongoing authorization which will enable a dynamic near real-time understanding of security and privacy risks and will facilitate the prioritization of mitigating and remedial actions. With the implementation of a robust Cyber Risk Management Program, supported by the strategy defined within this plan, systems participating in the OA program would remain in perpetual state of authorization as long as the risks to the system do not exceed the thresholds established in the CMS Ongoing Authorization Framework.\u003c/p\u003e\u003cp\u003eCurrently, the CMS OA program is by invitation only and Business Owners and ISSOs will be notified by email if their system has been selected to participate in the program. 
To be selected for ongoing authorization systems must meet the following requirements:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHave been granted initial \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eATO\u003c/a\u003e;\u003c/li\u003e\u003cli\u003eBe fully OIT AWS cloud hosted - no hybrids;\u003c/li\u003e\u003cli\u003eHave Security Hub enabled;\u003c/li\u003e\u003cli\u003eKey CDM data feeds must be integrated into CDM architecture (currently HWAM and VUL);\u003c/li\u003e\u003cli\u003eData needs to be integrated into requisite reporting mechanisms and made visible; and\u003c/li\u003e\u003cli\u003eMeet \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\"\u003eOA metrics baseline requirements.\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eOnce placed into the OA program, systems are tracked against defined metrics each with an established risk tolerance (i.e., threshold). Systems comply with the requirements of the OA program as long as each metric remains below the established threshold. The CMS OA Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e., OA trigger fires). Each OA trigger has been assigned a severity level which corresponds to a unique workflow which dictates how the system should respond to the trigger. The CMS Ongoing Authorization Program Guide provides more detailed information on the OA Framework including the metrics, triggers, severity levels, and workflows.\u003c/p\u003e\u003ch2\u003eCMS Risk Management Program - Implementing the Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Program aligns the processes, data, technologies, capabilities, and services to effectively manage risk across the enterprise and implement the strategy defined in this plan. 
This program enables a shift to data-driven risk management, enabling prioritized investments in cybersecurity by focusing mitigating/remedial efforts where they will reduce the most risk. In addition, a shift to continuous monitoring by leveraging the services and capabilities identified in this plan will enable a near real-time assessment of risk across the lifecycle of a system and will allow CMS to combat a dynamic threat environment.\u003c/p\u003e\u003cp\u003eTo support the Risk Management Program, CMS has implemented data storage using an Enterprise Data Warehouse. The Data Warehouse aggregates relevant security data into repositories that provide consumers the tools to access security data and provide the means to understand their data in a security context. Refer to Figure 1 for an overview of the CMS Risk Management Program.\u003c/p\u003e\u003ch2\u003eAuthoritative Sources and References\u003c/h2\u003e\u003cp\u003eFederal agencies must proactively manage risk through implementing effective security and privacy capabilities mandated in Office of Management and Budget (OMB) Circulars and Memoranda as well as National Institute of Standards and Technology (NIST) publications, Emergency Directives (ED), Binding Operational Directives (BOD), and the \u003ca href=\"https://www.nist.gov/cyberframework\"\u003eNIST Cyber Security Framework (CSF)\u003c/a\u003e. 
This Plan incorporates guidance from authoritative sources and initiatives including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDepartment of Health \u0026amp; Human Services (HHS) Information Systems Security and Privacy Policy (IS2P) and \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/cms-security-and-privacy-handbooks\"\u003eRisk Management Handbooks (RMH)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act\"\u003eFederal Information Security Modernization Act of 2014\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\"\u003eOMB Circular A-130, Managing Information as a Strategic Resource\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2019/11/M-20-04.pdf\"\u003eOMB Memorandum M-20-04, Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf\"\u003eOMB M-19-03, Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/news-events/directives/binding-operational-directive-22-01\"\u003eBinding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca 
href=\"https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf\"\u003eOMB M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2021/10/M-22-01.pdf\"\u003eOMB\u0026nbsp;M-22-01, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1b:T5768,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u0026nbsp;Introduction\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) operates information technology (IT) systems that process personally identifiable information (PII) of more than 140 million Americans. The CMS Information Security and Privacy Group (ISPG) is responsible for defining the overarching strategy for managing risk associated with the operation of these information systems. This CMS Cyber Risk Management Plan (CRMP) outlines that strategy. The CMS CRMP is primarily owned by the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP), who oversee its management, evolution, and modification. This plan is regularly updated to align with changes in policy, Office of Information Technology (OIT) direction, federal requirements, and the threat landscape.\u003c/p\u003e\u003cp\u003eRisk Management is the process of managing risk to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf\"\u003eoperation of an information system\u003c/a\u003e. 
Risk Management includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003ethe conduct of a risk assessment;\u003c/li\u003e\u003cli\u003ethe implementation of a risk mitigation strategy; and\u003c/li\u003e\u003cli\u003ethe employment of techniques and procedures for continuous monitoring the security state of the information system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISPG has outlined three objectives that support each of the components of risk management identified above. Together, these objectives form the overarching risk management strategy for CMS information and information systems. The risk management strategy and its associated objectives are described in detail in the Risk Management Strategy section.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Purpose\u003c/h2\u003e\u003cp\u003eThe purpose of the CMS CRMP is to outline the CMS risk management strategy, establish objectives to support that strategy, and establishes a program that aligns the processes, data, programs, technologies, and services with the risk management strategy to accomplish the objectives.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Risk Management Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Strategy establishes the program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation. The strategy includes: assessing risk, responding to risk once determined\u0026nbsp;(i.e. risk mitigation), and monitoring risk over time (i.e. continuous monitoring). To support these components of the risk management strategy CMS has identified three objectives:\u003c/p\u003e\u003col\u003e\u003cli\u003eDevelop and implement capabilities to provide ongoing awareness and visibility into the security posture of CMS information technology assets. 
(\u003cem\u003eRelates to: Risk Assessment)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eDevelop metrics, dashboards, and reports to inform and prioritize remediation efforts. \u003cem\u003e(Relates to: Risk Mitigation\u003c/em\u003e\u003c/li\u003e\u003cli\u003eImplement capabilities and tools to support continuous assessment and ongoing authorization (OA). \u003cem\u003e(Relates to: Continuous Monitoring)\u003c/em\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe ISPG maintains a pipeline of services and capabilities that support the three objectives identified above. These services and capabilities produce output (i.e. data) that is leveraged to support the CMS risk management strategy and is used to perform ongoing risk management activities. This CRMP establishes a framework to support the implementation of cybersecurity and privacy capabilities to protect CMS information and information systems. The components and services available to support each of the three components of the CMS risk management strategy are identified in the following subsections.\u003c/p\u003e\u003ch2\u003eRisk Assessment\u003c/h2\u003e\u003cp\u003eRisk assessment is part of risk management and incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Through the execution of the risk assessment organizations gain context and a comprehension of the nature of the risk which allows the level of the risk to be determined. 
Risk assessment is synonymous with risk analysis.\u003c/p\u003e\u003cp\u003eThe following CMS capabilities and services provide ongoing awareness into the security posture of CMS information technology assets and support the risk assessment process:\u003c/p\u003e\u003ch3\u003eThreat Modeling\u003c/h3\u003e\u003cp\u003eThreat Modeling is a form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment.\u003c/p\u003e\u003ch3\u003eVulnerability Analysis Services\u003c/h3\u003e\u003cp\u003eCMS has implemented the following capabilities to support the identification and analysis of information system vulnerabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStatic Code Analysis \u003c/strong\u003e– provides tools that analyze source code without executing the code. Static code analyzers are designed to review bodies of source code (at the programming language level) or compiled code (at the machine language level) to identify poor coding practices. 
Static code analyzers provide feedback to developers during the code development phase on security flaws that might be introduced into code.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNetwork Scanning \u003c/strong\u003e– provides tools allowing Users to automatically determine all active devices on the local network.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHost Scanning \u003c/strong\u003e– provides tools to automate the identification of vulnerabilities in an operating system.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDatabase Scanning \u003c/strong\u003e– provides a specialized tool used specifically to identify vulnerabilities in database applications.\u003c/p\u003e\u003ch3\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003eThe Adaptive Capabilities Testing (ACT) Program is now the \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e. This change is a move toward a partnership-based methodology to align with ISPG strategies and the strategic goal of risk-based program management. This change is a holistic approach to assessing risk and will help our partners make better data-driven, risk-based decisions by using analytics to help optimize performance, streamline processes, and reduce risk.\u003c/p\u003e\u003cp\u003eCSRAP is a security and risk assessment for FISMA systems at CMS. CSRAP assesses a system’s security capabilities to ensure that it operates as intended and meets the security requirements for the information system. CSRAP is a critical component of the \u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process and is used to determine the overall system security and privacy posture throughout the system development life cycle (SDLC). 
For detailed information about CSRAP, see \u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCybersecurity and Risk Assessment Program Handbook\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eRisk Mitigation\u003c/h2\u003e\u003cp\u003eThe act of mitigating a vulnerability or a threat is referred to as risk mitigation. CMS maintains a suite of dashboards and reports to display and aggregate the results of the risk assessment and continuous assessment activities to support the prioritization of mitigating/remedial actions. The following dashboards and reports support the risk mitigation process.\u003c/p\u003e\u003ch3\u003eOngoing Authorization (OA) Program Dashboard\u003c/h3\u003e\u003cp\u003eThe CMS \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. 
OA trigger fires).\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM) Dashboards\u003c/h3\u003e\u003cp\u003eCMS maintains the following dashboards which support the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM\u003c/a\u003e Vulnerability Management (VULN) and Hardware Asset Management (HWAM) capabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVULN\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVulnerability Monitoring Dashboard – Provides vulnerability data across systems with breakdowns of Open, Reopened, and Remediated items\u003c/li\u003e\u003cli\u003eKnown Exploited Vulnerabilities Dashboard – Provides key metrics associated with the BOD 22-01 requirements including the monthly CISA CVE catalog feed applied to CMS systems and vulnerabilities by data center\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eHWAM\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAsset Details Dashboard – Provides comprehensive HWAM details for CMS System assets by datacenter\u003c/li\u003e\u003cli\u003eMaster Device Record – Provides a high-level overview of CMS assets\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eThe terms ‘continuous’ and ‘ongoing’ in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003eCyber Risk Report\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cyber-risk-reports\"\u003eCMS Cyber Risk Report\u003c/a\u003e communicates cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) Systems. 
ISPG generates Cyber Risk Reports monthly to help Business Owners (BO) and System Owners make risk-based decisions including prioritizing risk remediation activities at the system level.\u003c/p\u003e\u003ch3\u003eHigh Risk Summary\u003c/h3\u003e\u003cp\u003eThe CMS High Risk Summary is a report delivered monthly to the CMS Chief Information Officer, Chief Information Security Officer, and Office of Information Technology (OIT) management. This report aggregates risk across the entire CMS enterprise and is reviewed at the Security Operations Center (SOC) debrief.\u003c/p\u003e\u003ch3\u003eCFACTS POA\u0026amp;M\u003c/h3\u003e\u003cp\u003eStakeholders must use \u003ca href=\"https://security.cms.gov/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e to identify, track, and manage all IT system weaknesses and associated \u003ca href=\"https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"\u003ePlans of Action and Milestones (POA\u0026amp;Ms) \u003c/a\u003eto closure for CMS information systems. The CFACTS POA\u0026amp;M User Guide provides detailed instructions for processing POA\u0026amp;M actions in the CFACTS tracking system.\u003c/p\u003e\u003ch3\u003eContinuous Monitoring\u003c/h3\u003e\u003cp\u003eContinuous Monitoring, which is synonymous with Information Security Continuous Monitoring (ISCM), is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.\u003c/p\u003e\u003cp\u003eThe Department of Health and Human Services maintains an overarching strategy for ISCM. This HHS strategy defines the assessment frequencies for each required security control. CMS complies with the HHS ISCM strategy and further defines the CMS specific assessment frequencies within the CMS Acceptable Risk Safeguards (ARS). 
Security controls are assessed at their defined frequencies by leveraging a variety of capabilities and services available to CMS information systems. The following CMS capabilities and services support the continuous monitoring process.\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM Program\u003c/a\u003e provides a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program delivers cybersecurity tools, integration services, and dashboards that help participating agencies improve their security posture by:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReducing agency threat surface\u003c/li\u003e\u003cli\u003eIncreasing visibility into the federal cybersecurity posture\u003c/li\u003e\u003cli\u003eImproving federal cybersecurity response capabilities\u003c/li\u003e\u003cli\u003eStreamlining Federal Information Security Modernization Act (FISMA) reporting The CDM Program delivers capabilities in four areas:\u003cul\u003e\u003cli\u003eAsset Management | What is on the network?\u003c/li\u003e\u003cli\u003eIdentity and Access Management | Who is on the network?\u003c/li\u003e\u003cli\u003eNetwork Security Management | What is happening on the network? 
How is the network protected?\u003c/li\u003e\u003cli\u003eData Protection Management | How is data protected?\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CDM program aligns with the CDM program outlined by the DHS and is currently focused on implementing the following functional areas related to the asset management capability:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHardware Asset Management (HWAM)\u003c/li\u003e\u003cli\u003eSoftware Asset Management (SWAM)\u003c/li\u003e\u003cli\u003eSoftware Vulnerability Management (VUL)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003ePenetration Testing\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003ePenetration Testing \u003c/a\u003eis security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.\u003c/p\u003e\u003cp\u003eThe CMS Cybersecurity Integration Center (CCIC) maintains penetration testing teams that perform testing on a rolling basis. A system’s ISSO can request an intake form for a penetration test via email to the Pen Test mailbox.\u003c/p\u003e\u003ch3\u003ebatCAVE\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/batcave-infrastructure-service\"\u003ebatCAVE\u003c/a\u003e incorporates enterprise Kubernetes and continuous integration to take software from ideation to production faster. 
By decreasing the time dedicated to audits and alleviating fears associated with updating production code, batCAVE will incentivize faster innovation at CMS.\u003c/p\u003e\u003cp\u003eKey aspects of the batCAVE initiative:\u003c/p\u003e\u003col\u003e\u003cli\u003eReduce burden and obligations to Users\u003c/li\u003e\u003cli\u003eGive Users the knowledge necessary to make better security decisions\u003c/li\u003e\u003cli\u003eIncentivize behavior that strengthens the security posture of applications and CMS as a whole\u003c/li\u003e\u003cli\u003eIncrease transparency and empower distributed decision-making\u003c/li\u003e\u003cli\u003eMeasure, report, and champion the positive behavior rather than punish negative actions\u003c/li\u003e\u003c/ol\u003e\u003ch3\u003eCMS Security Automation Framework (SAF)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/security-automation-framework-saf\"\u003eCMS Security Automation Framework (SAF)\u003c/a\u003e brings together applications, techniques, libraries, and tools developed by the CMS Information Security and Privacy Group (ISPG) and the security community to streamline security automation for systems and DevOps pipelines. 
Benefits of using this framework include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ACT team will accept security testing data from this framework.\u003c/li\u003e\u003cli\u003eDevelopers can harden and run validation security early and often in their environments, using their own orchestration, functional and unit testing systems, to keep security defects as low as possible.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u0026nbsp;Ongoing Authorization\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e is the continuous evaluation of the effectiveness of security control implementations which supports risk determinations and risk acceptance decisions taken at agreed upon and documented frequencies subsequent to the initial authorization (i.e., during ops phase). OA decisions are time-driven and may also be event-driven. OA is not separate from ISCM but in fact is a subset of ISCM activities.\u003c/p\u003e\u003cp\u003eThere are two conditions for a system to participate in OA:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe system must have been granted an initial Authority to Operate (ATO) and must be in the operational phase.\u003c/li\u003e\u003cli\u003eA robust ISCM program is in place that monitors all implemented controls:\u003cul\u003e\u003cli\u003eAt the appropriate frequencies,\u003c/li\u003e\u003cli\u003eWith the appropriate degree of rigor, and\u003c/li\u003e\u003cli\u003eIn accordance with the organization’s ISCM strategy.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eTime Driven Triggers \u003c/strong\u003e– controls are assessed at a discrete frequency as defined by the organization’s ISCM strategy. At CMS the assessment frequencies for each security control are defined within the CMS ARS 5.0.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent Driven Triggers \u003c/strong\u003e– are defined by the organization. 
Examples include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIncrease in defects from ISCM\u003c/li\u003e\u003cli\u003eChange in risk assessment findings\u003c/li\u003e\u003cli\u003eNew threat/vulnerability information\u003c/li\u003e\u003cli\u003eSignificant changes\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eCMS OA Initiative\u003c/h3\u003e\u003cp\u003eCMS is transitioning from the traditional static (i.e., point-in-time) authorization process to ongoing authorization, which will enable a dynamic, near-real-time understanding of security and privacy risks and will facilitate the prioritization of mitigating and remedial actions. With the implementation of a robust Cyber Risk Management Program, supported by the strategy defined within this plan, systems participating in the OA program would remain in a perpetual state of authorization as long as the risks to the system do not exceed the thresholds established in the CMS Ongoing Authorization Framework.\u003c/p\u003e\u003cp\u003eCurrently, the CMS OA program is by invitation only and Business Owners and ISSOs will be notified by email if their system has been selected to participate in the program. 
To be selected for ongoing authorization, systems must meet the following requirements:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHave been granted initial \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eATO\u003c/a\u003e;\u003c/li\u003e\u003cli\u003eBe fully OIT AWS cloud hosted - no hybrids;\u003c/li\u003e\u003cli\u003eHave Security Hub enabled;\u003c/li\u003e\u003cli\u003eKey CDM data feeds must be integrated into CDM architecture (currently HWAM and VUL);\u003c/li\u003e\u003cli\u003eData needs to be integrated into requisite reporting mechanisms and made visible; and\u003c/li\u003e\u003cli\u003eMeet \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\"\u003eOA metrics baseline requirements.\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eOnce placed into the OA program, systems are tracked against defined metrics, each with an established risk tolerance (i.e. threshold). Systems comply with the requirements of the OA program as long as each metric remains below the established threshold. The CMS OA Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. OA trigger fires). Each OA trigger has been assigned a severity level which corresponds to a unique workflow which dictates how the system should respond to the trigger. The CMS Ongoing Authorization Program Guide provides more detailed information on the OA Framework including the metrics, triggers, severity levels, and workflows.\u003c/p\u003e\u003ch2\u003eCMS Risk Management Program - Implementing the Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Program aligns the processes, data, technologies, capabilities, and services to effectively manage risk across the enterprise and implement the strategy defined in this plan. 
This program enables a shift to data-driven risk management enabling prioritized investments in cybersecurity by focusing mitigating/remedial efforts where they will reduce the most risk. In addition, a shift to continuous monitoring by leveraging the services and capabilities identified in this plan will enable a near-real-time assessment of risk across the lifecycle of a system and will allow CMS to combat a dynamic threat environment.\u003c/p\u003e\u003cp\u003eTo support the Risk Management Program, CMS has implemented data storage using an Enterprise Data Warehouse. The Data Warehouse aggregates relevant security data into repositories that provide consumers with the tools to access security data and the means to understand their data in a\u0026nbsp;security context. Refer to Figure 1 for an overview of the CMS Risk Management Program.\u003c/p\u003e\u003ch2\u003eAuthoritative Sources and References\u003c/h2\u003e\u003cp\u003eFederal agencies must proactively manage risk through implementing effective security and privacy capabilities mandated in Office of Management and Budget (OMB) Circulars and Memoranda as well as National Institute of Standards and Technology (NIST) publications, Emergency Directives (ED), Binding Operational Directives (BOD), and the \u003ca href=\"https://www.nist.gov/cyberframework\"\u003eNIST Cyber Security Framework (CSF)\u003c/a\u003e. 
This Plan incorporates guidance from authoritative sources and initiatives including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDepartment of Health \u0026amp; Human Services (HHS) Information Systems Security and Privacy Policy (IS2P) and \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/cms-security-and-privacy-handbooks\"\u003eRisk Management Handbooks (RMH)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act\"\u003eFederal Information Security Modernization Act of 2014\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\"\u003eOMB Circular A-130, Managing Information as a Strategic Resource\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2019/11/M-20-04.pdf\"\u003eOMB Memorandum M-20-04, Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf\"\u003eOMB M-19-03, Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/news-events/directives/binding-operational-directive-22-01\"\u003eBinding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca 
href=\"https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf\"\u003eOMB M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2021/10/M-22-01.pdf\"\u003eOMB\u0026nbsp;M-22-01, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1d:{\"self\":\"$1e\"}\n21:[\"menu_ui\",\"scheduler\"]\n20:{\"module\":\"$21\"}\n24:[]\n23:{\"available_menus\":\"$24\",\"parent\":\"\"}\n25:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n22:{\"menu_ui\":\"$23\",\"scheduler\":\"$25\"}\n1f:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$20\",\"third_party_settings\":\"$22\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at 
CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1c:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1d\",\"attributes\":\"$1f\"}\n28:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/7e79c546-d123-46dd-9480-b7f2e7d81691\"}\n27:{\"self\":\"$28\"}\n29:{\"display_name\":\"gollange\"}\n26:{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"links\":\"$27\",\"attributes\":\"$29\"}\n2c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n2b:{\"self\":\"$2c\"}\n2d:{\"display_name\":\"meg - retired\"}\n2a:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$2b\",\"attributes\":\"$2d\"}\n30:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4?resourceVersion=id%3A121\"}\n2f:{\"self\":\"$30\"}\n32:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n31:{\"drupal_internal__tid\":121,\"drupal_internal__revision_id\":121,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:12+00:00\",\"status\":true,\"name\":\"Tools / 
Services\",\"description\":null,\"weight\":5,\"changed\":\"2023-06-14T19:04:09+00:00\",\""])</script><script>self.__next_f.push([1,"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$32\"}\n36:{\"drupal_internal__target_id\":\"resource_type\"}\n35:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$36\"}\n38:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/vid?resourceVersion=id%3A121\"}\n39:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/vid?resourceVersion=id%3A121\"}\n37:{\"related\":\"$38\",\"self\":\"$39\"}\n34:{\"data\":\"$35\",\"links\":\"$37\"}\n3c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/revision_user?resourceVersion=id%3A121\"}\n3d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/revision_user?resourceVersion=id%3A121\"}\n3b:{\"related\":\"$3c\",\"self\":\"$3d\"}\n3a:{\"data\":null,\"links\":\"$3b\"}\n44:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n43:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$44\"}\n42:{\"help\":\"$43\"}\n41:{\"links\":\"$42\"}\n40:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$41\"}\n3f:[\"$40\"]\n46:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/parent?resourceVersion=id%3A121\"}\n47:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/parent?resourceVersion=id%3A121\"}\n45:{\"related\":\"$46\",\"self\":\"$47\"}\n3e:{\"data\":\"$3f\",\"links\":\"$45\"}\n33:{\"vid\":\"$34\",\"revision_user\":\"$3a\",\"parent\":\"$3e\"}\n2e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"links\":\"$2f\",\"attributes\":\"$31\",\"relationships\":\"$33\"}\n4a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n49:{\"self\":\"$4a\"}\n4c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4b:{\"drupal_internal_"])</script><script>self.__next_f.push([1,"_tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4c\"}\n50:{\"drupal_internal__target_id\":\"roles\"}\n4f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$50\"}\n52:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n53:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n51:{\"related\":\"$52\",\"self\":\"$53\"}\n4e:{\"data\":\"$4f\",\"links\":\"$51\"}\n56:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n57:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n55:{\"related\":\"$56\",\"self\":\"$57\"}\n54:{\"data\":null,\"links\":\"$55\"}\n5e:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n5d:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5e\"}\n5c:{\"help\":\"$5d\"}\n5b:{\"links\":\"$5c\"}\n5a:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$5b\"}\n59:[\"$5a\"]\n60:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n61:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n5f:{\"related\":\"$60\",\"self\":\"$61\"}\n58:{\"data\":\"$59\",\"links\":\"$5f\"}\n4d:{\"vid\":\"$4e\",\"revision_user\":\"$54\",\"parent\":\"$58\"}\n48:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$49\",\"attributes\":\"$4b\",\"relationships\":\"$4d\"}\n64:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a"])</script><script>self.__next_f.push([1,"18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n63:{\"self\":\"$64\"}\n66:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n65:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$66\"}\n6a:{\"drupal_internal__target_id\":\"roles\"}\n69:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$6a\"}\n6c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n6d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n6b:{\"related\":\"$6c\",\"self\":\"$6d\"}\n68:{\"data\":\"$69\",\"links\":\"$6b\"}\n70:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n71:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n6f:{\"related\":\"$70\",\"self\":\"$71\"}\n6e:{\"data\":null,\"links\":\"$6f\"}\n78:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n77:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$78\"}\n76:{\"help\":\"$77\"}\n75:{\"links\":\"$76\"}\n74:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$75\"}\n73:[\"$74\"]\n7a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n7b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n79:{\"related\":\"$7a\",\"self\":\"$7b\"}\n72:{\"data\":\"$73\",\"links\":\"$79\"}\n67:{\"vid\":\"$68\",\"revision_user\":\"$6e\",\"parent\":\"$72\"}\n62:{\"type\":\"taxonomy_term--roles\",\"id\":"])</script><script>self.__next_f.push([1,"\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$63\",\"attributes\":\"$65\",\"relationships\":\"$67\"}\n7e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n7d:{\"self\":\"$7e\"}\n80:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n7f:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$80\"}\n84:{\"drupal_internal__target_id\":\"roles\"}\n83:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$84\"}\n86:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n87:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n85:{\"related\":\"$86\",\"self\":\"$87\"}\n82:{\"data\":\"$83\",\"links\":\"$85\"}\n8a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n8b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n89:{\"related\":\"$8a\",\"self\":\"$8b\"}\n88:{\"data\":null,\"links\":\"$89\"}\n92:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n91:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$92\"}\n90:{\"help\":\"$91\"}\n8f:{\"links\":\"$90\"}\n8e:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$8f\"}\n8d:[\"$8e\"]\n94:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n95:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n93:{\"related\":\""])</script><script>self.__next_f.push([1,"$94\",\"self\":\"$95\"}\n8c:{\"data\":\"$8d\",\"links\":\"$93\"}\n81:{\"vid\":\"$82\",\"revision_user\":\"$88\",\"parent\":\"$8c\"}\n7c:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$7d\",\"attributes\":\"$7f\",\"relationships\":\"$81\"}\n98:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\n97:{\"self\":\"$98\"}\n9a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n99:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System 
Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$9a\"}\n9e:{\"drupal_internal__target_id\":\"roles\"}\n9d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$9e\"}\na0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\na1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\n9f:{\"related\":\"$a0\",\"self\":\"$a1\"}\n9c:{\"data\":\"$9d\",\"links\":\"$9f\"}\na4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\na5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\na3:{\"related\":\"$a4\",\"self\":\"$a5\"}\na2:{\"data\":null,\"links\":\"$a3\"}\nac:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nab:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$ac\"}\naa:{\"help\":\"$ab\"}\na9:{\"links\":\"$aa\"}\na8:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$a9\"}\na7:[\"$a8\"]\nae:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\naf:{\"href\":\"https://cybergeek.cm"])</script><script>self.__next_f.push([1,"s.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\nad:{\"related\":\"$ae\",\"self\":\"$af\"}\na6:{\"data\":\"$a7\",\"links\":\"$ad\"}\n9b:{\"vid\":\"$9c\",\"revision_user\":\"$a2\",\"parent\":\"$a6\"}\n96:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":\"$97\",\"attributes\":\"$99\",\"relationships\":\"$9b\"}\nb2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}\nb1:{\"self\":\"$b2\"}\nb4:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb3:{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 
Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b4\"}\nb8:{\"drupal_internal__target_id\":\"topics\"}\nb7:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$b8\"}\nba:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"}\nbb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}\nb9:{\"related\":\"$ba\",\"self\":\"$bb\"}\nb6:{\"data\":\"$b7\",\"links\":\"$b9\"}\nbe:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"}\nbf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}\nbd:{\"related\":\"$be\",\"self\":\"$bf\"}\nbc:{\"data\":null,\"links\":\"$bd\"}\nc6:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nc5:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c6\"}\nc4:{\"help\":\"$c5\"}\nc3:{\"links\":\"$c4\"}\nc2:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$c3\"}\nc1:[\"$c2\"]\nc8:{\"href\":\"h"])</script><script>self.__next_f.push([1,"ttps://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"}\nc9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}\nc7:{\"related\":\"$c8\",\"self\":\"$c9\"}\nc0:{\"data\":\"$c1\",\"links\":\"$c7\"}\nb5:{\"vid\":\"$b6\",\"revision_user\":\"$bc\",\"parent\":\"$c0\"}\nb0:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":\"$b1\",\"attributes\":\"$b3\",\"relationships\":\"$b5\"}\ncc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/99eb2a67-6873-48f2-9027-a58a87a1ef43?resourceVersion=id%3A19976\"}\ncb:{\"self\":\"$cc\"}\nce:[]\ncf:{\"value\":\"\u003ch2\u003e\u003cstrong\u003eWhat are Cyber Risk Reports?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCyber Risk Reports are provided monthly by ISPG to communicate cyber risk metrics in a consistent manner across all \u003ca href=\\\"/learn/federal-information-systems-management-act-fisma\\\"\u003eFederal Information Security Management Act (FISMA)\u003c/a\u003e systems. 
These reports help Business and System Owners make risk-based decisions and prioritize risk remediation activities at the system level.\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2\u003e\u003cstrong\u003eWhat are Cyber Risk Reports?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCyber Risk Reports are provided monthly by ISPG to communicate cyber risk metrics in a consistent manner across all \u003ca href=\\\"/learn/federal-information-systems-management-act-fisma\\\"\u003eFederal Information Security Management Act (FISMA)\u003c/a\u003e systems. These reports help Business and System Owners make risk-based decisions and prioritize risk remediation activities at the system level.\u003c/p\u003e\"}\ncd:{\"drupal_internal__id\":1041,\"drupal_internal__revision_id\":19976,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T15:47:05+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$ce\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$cf\"}\nd3:{\"drupal_internal__target_id\":\"page_section\"}\nd2:{\"type\":\"paragraphs_type--paragraphs"])</script><script>self.__next_f.push([1,"_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$d3\"}\nd5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/99eb2a67-6873-48f2-9027-a58a87a1ef43/paragraph_type?resourceVersion=id%3A19976\"}\nd6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/99eb2a67-6873-48f2-9027-a58a87a1ef43/relationships/paragraph_type?resourceVersion=id%3A19976\"}\nd4:{\"related\":\"$d5\",\"self\":\"$d6\"}\nd1:{\"data\":\"$d2\",\"links\":\"$d4\"}\nd9:{\"target_revision_id\":19971,\"drupal_internal__target_id\":1036}\nd8:{\"type\":\"paragraph--call_out_box\",\"id\":\"04fa58c5-1639-4b2c-bc43-d4624d84d942\",\"meta\":\"$d9\"}\ndb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/99eb2a67-6873-48f2-9027-a58a87a1
ef43/field_specialty_item?resourceVersion=id%3A19976\"}\ndc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/99eb2a67-6873-48f2-9027-a58a87a1ef43/relationships/field_specialty_item?resourceVersion=id%3A19976\"}\nda:{\"related\":\"$db\",\"self\":\"$dc\"}\nd7:{\"data\":\"$d8\",\"links\":\"$da\"}\nd0:{\"paragraph_type\":\"$d1\",\"field_specialty_item\":\"$d7\"}\nca:{\"type\":\"paragraph--page_section\",\"id\":\"99eb2a67-6873-48f2-9027-a58a87a1ef43\",\"links\":\"$cb\",\"attributes\":\"$cd\",\"relationships\":\"$d0\"}\ndf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/55411c7e-d16e-4e24-9ec0-e61d07f1aaab?resourceVersion=id%3A19981\"}\nde:{\"self\":\"$df\"}\ne1:[]\ne2:{\"value\":\"\u003ch3\u003e\u003cstrong\u003eWho can access the reports?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Cyber Risk Reports are sent to all component leadership, including Business Owners (such as ISSOs and CRAs) and to CMS Senior Leadership (such as the COO, CISO, and CIO). Additionally, in compliance with FISMA reporting, this data is also shared with HHS and DHS.\u003c/p\u003e\u003cp\u003eContractor ISSOs and contractor Business Owners working with CMS FISMA systems can also access the reports, using a CFACTS job code. You will also need to be assigned a role and assigned as a stakeholder to a specific FISMA package(s). Contact the CRM PMO team at \u003ca href=\\\"mailto:CDMPMO@cms.hhs.gov\\\"\u003eCDMPMO@cms.hhs.gov\u003c/a\u003e to obtain the SOP for Tableau Access t"])</script><script>self.__next_f.push([1,"hat will include the appropriate job codes for access.\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch3\u003e\u003cstrong\u003eWho can access the reports?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Cyber Risk Reports are sent to all component leadership, including Business Owners (such as ISSOs and CRAs) and to CMS Senior Leadership (such as the COO, CISO, and CIO). 
Additionally, in compliance with FISMA reporting, this data is also shared with HHS and DHS.\u003c/p\u003e\u003cp\u003eContractor ISSOs and contractor Business Owners working with CMS FISMA systems can also access the reports, using a CFACTS job code. You will also need to be assigned a role and assigned as a stakeholder to a specific FISMA package(s). Contact the CRM PMO team at \u003ca href=\\\"mailto:CDMPMO@cms.hhs.gov\\\"\u003eCDMPMO@cms.hhs.gov\u003c/a\u003e to obtain the SOP for Tableau Access that will include the appropriate job codes for access.\u003c/p\u003e\"}\ne0:{\"drupal_internal__id\":1051,\"drupal_internal__revision_id\":19981,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T15:51:20+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$e1\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$e2\"}\ne6:{\"drupal_internal__target_id\":\"page_section\"}\ne5:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$e6\"}\ne8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/55411c7e-d16e-4e24-9ec0-e61d07f1aaab/paragraph_type?resourceVersion=id%3A19981\"}\ne9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/55411c7e-d16e-4e24-9ec0-e61d07f1aaab/relationships/paragraph_type?resourceVersion=id%3A19981\"}\ne7:{\"related\":\"$e8\",\"self\":\"$e9\"}\ne4:{\"data\":\"$e5\",\"links\":\"$e7\"}\nec:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/55411c7e-d16e-4e24-9ec0-e61d07f1aaab/field_specialty_item?resourceVersion=id%3A19981\"}\ned:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/55411c7e-d16e-4e24-9ec0-e61d07f1aaab/relationships/field_specialty_item?resourceVersion=id%3A19981\"}\neb:{\"related\":\"$ec\",\""])</script><script>self.__next_f.push([1,"self\":\"$ed\"}\nea:{\"data\":null,\"links\":\"$eb\"}\ne3:{\"paragraph_type\":
\"$e4\",\"field_specialty_item\":\"$ea\"}\ndd:{\"type\":\"paragraph--page_section\",\"id\":\"55411c7e-d16e-4e24-9ec0-e61d07f1aaab\",\"links\":\"$de\",\"attributes\":\"$e0\",\"relationships\":\"$e3\"}\nf0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/1ed92f8d-8be4-41a2-bc9c-e012801a98bf?resourceVersion=id%3A19986\"}\nef:{\"self\":\"$f0\"}\nf2:[]\nf3:{\"value\":\"\u003ch3\u003e\u003cstrong\u003eISSO Reports\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eISSO Reports are a specific kind of Cyber Risk Report that help ISSOs identify security and privacy risks (along with ways to mitigate them) for their systems. These reports make it easier to spot things like overdue POA\u0026amp;Ms, expiring Contingency Plans, and other areas where ISSOs need to take action. You can access ISSO reports from the \u003ca href=\\\"https://tableau.bi.cms.gov/#/site/CEDE/projects/51?:origin=card_share_link\\\" target=\\\"_blank\\\"\u003eCyber Risk Dashboards\u003c/a\u003e (CMS internal link).\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch3\u003e\u003cstrong\u003eISSO Reports\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eISSO Reports are a specific kind of Cyber Risk Report that help ISSOs identify security and privacy risks (along with ways to mitigate them) for their systems. These reports make it easier to spot things like overdue POA\u0026amp;Ms, expiring Contingency Plans, and other areas where ISSOs need to take action. 
You can access ISSO reports from the \u003ca href=\\\"https://tableau.bi.cms.gov/#/site/CEDE/projects/51?:origin=card_share_link\\\" target=\\\"_blank\\\"\u003eCyber Risk Dashboards\u003c/a\u003e (CMS internal link).\u003c/p\u003e\"}\nf1:{\"drupal_internal__id\":1061,\"drupal_internal__revision_id\":19986,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:02:09+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$f2\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$f3\"}\nf7:{\"drupal_internal__target_id\":\"page_section\"}\nf6:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$f7\"}\nf9:{\"href\":\"https://cybergeek.cms.gov/j"])</script><script>self.__next_f.push([1,"sonapi/paragraph/page_section/1ed92f8d-8be4-41a2-bc9c-e012801a98bf/paragraph_type?resourceVersion=id%3A19986\"}\nfa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/1ed92f8d-8be4-41a2-bc9c-e012801a98bf/relationships/paragraph_type?resourceVersion=id%3A19986\"}\nf8:{\"related\":\"$f9\",\"self\":\"$fa\"}\nf5:{\"data\":\"$f6\",\"links\":\"$f8\"}\nfd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/1ed92f8d-8be4-41a2-bc9c-e012801a98bf/field_specialty_item?resourceVersion=id%3A19986\"}\nfe:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/1ed92f8d-8be4-41a2-bc9c-e012801a98bf/relationships/field_specialty_item?resourceVersion=id%3A19986\"}\nfc:{\"related\":\"$fd\",\"self\":\"$fe\"}\nfb:{\"data\":null,\"links\":\"$fc\"}\nf4:{\"paragraph_type\":\"$f5\",\"field_specialty_item\":\"$fb\"}\nee:{\"type\":\"paragraph--page_section\",\"id\":\"1ed92f8d-8be4-41a2-bc9c-e012801a98bf\",\"links\":\"$ef\",\"attributes\":\"$f1\",\"relationships\":\"$f4\"}\n101:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ab563ca-90a0-4ff0-a86c-2b0de01421c2?resourceVersion=id%3A199
96\"}\n100:{\"self\":\"$101\"}\n103:[]\n105:Tdfd,"])</script><script>self.__next_f.push([1,"\u003ch3\u003e\u003cstrong\u003eThe future of risk reporting at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS Cyber Risk Management Program lays the foundation to help CMS Components implement better cybersecurity capabilities – including the modernization of risk reporting. This is part of the overarching goal at CMS to align our information security and privacy activities with federal standards for a risk-based approach, which are outlined in the \u003ca href=\"https://www.nist.gov/cyberframework\"\u003eNIST Cybersecurity Framework\u003c/a\u003e and the \u003ca href=\"/learn/federal-information-systems-management-act-fisma\"\u003eFederal Information Security Management Act (FISMA)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe initiatives that result from this approach will help us:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBuild security into development pipelines (DevSecOps)\u003c/li\u003e\u003cli\u003eTailor system testing (such as \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eCybersecurity and Risk Assessment Program (CSRAP\u003c/a\u003e) to more specific uses\u003c/li\u003e\u003cli\u003eExpedite the \u003ca href=\"/learn/authorization-operate-ato\"\u003eATO process\u0026nbsp;\u003c/a\u003e\u003c/li\u003e\u003cli\u003eApprove and onboard more systems to \u003ca href=\"/learn/ongoing-authorization\"\u003eOngoing Authorization\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor risk reporting, it means expanding capabilities to give CMS stakeholders accurate and actionable data about their system risks.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eCyber Risk Dashboards\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAs part of the modernization of risk reporting, Cyber Risk Dashboards are provided to help CMS stakeholders view reports, analyze data, and create 
proactive mitigation strategies. The dashboards give a snapshot of overall risk for specific systems in near-real time, including summaries of key high-risk metrics – allowing users to prioritize the most important risk mitigation activities.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCyber Risk Dashboards are helpful to the various CMS stakeholders who are accountable for the security and privacy of information and systems:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation System Security Officers (ISSO)\u003c/li\u003e\u003cli\u003eApplication Development Organizations (ADO)\u003c/li\u003e\u003cli\u003eData Centers\u003c/li\u003e\u003cli\u003eBusiness Owners / System Owners (BO / SO)\u003c/li\u003e\u003cli\u003eSystem Administrators\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAccess to the reporting platform and dashboards requires a Tableau job code. You must also have a CFACTS job code as a prerequisite to accessing the reporting platform. If you need help getting these job codes, please contact the Cyber Risk Management Team: \u003ca href=\"mailto:CDMPMO@cms.hhs.gov\"\u003eCDMPMO@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKnown Exploited Vulnerabilities (KEV) Dashboard\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Known Exploited Vulnerabilities (KEV) Dashboard / Interactive Visualization displays the metrics associated with the Binding Operational Directive (BOD) 22-01. 
It also provides the current status for:\u003c/p\u003e\u003cul\u003e\u003cli\u003eTop Overdue Common Vulnerabilities and Exposures (CVEs)\u003c/li\u003e\u003cli\u003eTop Products (by Overdue CVEs)\u003c/li\u003e\u003cli\u003eTotal Vulnerabilities (by Data Center)\u003c/li\u003e\u003cli\u003eOverdue Vulnerabilities (by Due Date)\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe dashboard also includes details for specific vendor/products by CVE and the total number of vulnerabilities by CVE.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Known Exploited Vulnerabilities (KEV) Dashboard / List of Filters offers an alternate view of the KEV Dashboard / Interactive Visualization and shows BOD 22-01 data in a list format which users can customize by applying several dynamic filters. These filters include Data Center, BOD Due Date, Overdue CVEs, Vendor/Project, and Product.\u0026nbsp; This dashboard also offers Search by BOD Due Date and Search by CVE, making it even easier to customize the data.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"106:Tdfd,"])</script><script>self.__next_f.push([1,"\u003ch3\u003e\u003cstrong\u003eThe future of risk reporting at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS Cyber Risk Management Program lays the foundation to help CMS Components implement better cybersecurity capabilities – including the modernization of risk reporting. 
This is part of the overarching goal at CMS to align our information security and privacy activities with federal standards for a risk-based approach, which are outlined in the \u003ca href=\"https://www.nist.gov/cyberframework\"\u003eNIST Cybersecurity Framework\u003c/a\u003e and the \u003ca href=\"/learn/federal-information-systems-management-act-fisma\"\u003eFederal Information Security Management Act (FISMA)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe initiatives that result from this approach will help us:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBuild security into development pipelines (DevSecOps)\u003c/li\u003e\u003cli\u003eTailor system testing (such as \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eCybersecurity and Risk Assessment Program (CSRAP\u003c/a\u003e) to more specific uses\u003c/li\u003e\u003cli\u003eExpedite the \u003ca href=\"/learn/authorization-operate-ato\"\u003eATO process\u0026nbsp;\u003c/a\u003e\u003c/li\u003e\u003cli\u003eApprove and onboard more systems to \u003ca href=\"/learn/ongoing-authorization\"\u003eOngoing Authorization\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor risk reporting, it means expanding capabilities to give CMS stakeholders accurate and actionable data about their system risks.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eCyber Risk Dashboards\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAs part of the modernization of risk reporting, Cyber Risk Dashboards are provided to help CMS stakeholders view reports, analyze data, and create proactive mitigation strategies. 
The dashboards give a snapshot of overall risk for specific systems in near-real time, including summaries of key high-risk metrics – allowing users to prioritize the most important risk mitigation activities.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCyber Risk Dashboards are helpful to the various CMS stakeholders who are accountable for the security and privacy of information and systems:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation System Security Officers (ISSO)\u003c/li\u003e\u003cli\u003eApplication Development Organizations (ADO)\u003c/li\u003e\u003cli\u003eData Centers\u003c/li\u003e\u003cli\u003eBusiness Owners / System Owners (BO / SO)\u003c/li\u003e\u003cli\u003eSystem Administrators\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAccess to the reporting platform and dashboards requires a Tableau job code. You must also have a CFACTS job code as a prerequisite to accessing the reporting platform. If you need help getting these job codes, please contact the Cyber Risk Management Team: \u003ca href=\"mailto:CDMPMO@cms.hhs.gov\"\u003eCDMPMO@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKnown Exploited Vulnerabilities (KEV) Dashboard\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Known Exploited Vulnerabilities (KEV) Dashboard / Interactive Visualization displays the metrics associated with the Binding Operational Directive (BOD) 22-01. 
It also provides the current status for:\u003c/p\u003e\u003cul\u003e\u003cli\u003eTop Overdue Common Vulnerabilities and Exposures (CVEs)\u003c/li\u003e\u003cli\u003eTop Products (by Overdue CVEs)\u003c/li\u003e\u003cli\u003eTotal Vulnerabilities (by Data Center)\u003c/li\u003e\u003cli\u003eOverdue Vulnerabilities (by Due Date)\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe dashboard also includes details for specific vendor/products by CVE and the total number of vulnerabilities by CVE.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Known Exploited Vulnerabilities (KEV) Dashboard / List of Filters offers an alternate view of the KEV Dashboard / Interactive Visualization and shows BOD 22-01 data in a list format which users can customize by applying several dynamic filters. These filters include Data Center, BOD Due Date, Overdue CVEs, Vendor/Project, and Product.\u0026nbsp; This dashboard also offers Search by BOD Due Date and Search by CVE, making it even easier to customize the data.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"104:{\"value\":\"$105\",\"format\":\"body_text\",\"processed\":\"$106\"}\n102:{\"drupal_internal__id\":1071,\"drupal_internal__revision_id\":19996,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:03:09+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$103\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$104\"}\n10a:{\"drupal_internal__target_id\":\"page_section\"}\n109:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$10a\"}\n10c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ab563ca-90a0-4ff0-a86c-2b0de01421c2/paragraph_type?resourceVersion=id%3A19996\"}\n10d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ab563ca-90a0-4ff0-a86c-2b0de01421c2/relationships/paragraph_type?resourceVersion=id%3A199
96\"}\n10b:{\"related\":\"$10c\",\"self\":\"$10d\"}\n108:{\"data\":\"$109\",\"links\":\"$10b\"}\n110:{\"target_revision_id\":19991,\"drupal_internal__target_id\":1066}\n10f:{\"type\":\"paragraph--call_out_box\",\"id\":\"54cab91c-d651-4073-87dc-44d440777a1f\",\"meta\":\"$110\"}\n112:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ab563ca-90a0-4ff0-a86c-2b0de01421c2/field_specialty_item?resourceVersion=id%3A19996\"}\n113:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ab563ca-90a0-4ff0-a86c-2b0de01421c2/relationships/field_specialty_item?resourceVersion=id%3A19996\"}\n111:{\"related\":\"$112\",\"self\":\"$113\"}\n10e:{\"data\":\"$10f\",\"links\":\"$111\"}\n107:{\"paragraph_type\":\"$108\",\"field_specialty_item\":\"$10e\"}\nff:{\"type\":\"paragraph--page_section\",\"id\":\"9ab563ca-90a0-4ff0-a86c-2b0de01421c2\",\"links\":\"$100\",\"attributes\":\"$102\",\"relationships\":\"$107\"}\n116:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d2de38a5-dc24-41cd-9344-bb7d2240b7f4?resourceVersion=id%3A20006\"}\n115:{\"self\":\"$116\"}\n118:[]\n119:{\"value\":\"\u003ch3\u003e\u003cstrong\u003eVulnerability Dashboard\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Vulnerability Dashboard provides an overview of vulnerabilities found in the system and helps Business Owners prio"])</script><script>self.__next_f.push([1,"ritize which ones to remediate first.\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch3\u003e\u003cstrong\u003eVulnerability Dashboard\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Vulnerability Dashboard provides an overview of vulnerabilities found in the system and helps Business Owners prioritize which ones to remediate 
first.\u003c/p\u003e\"}\n117:{\"drupal_internal__id\":1091,\"drupal_internal__revision_id\":20006,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:11:07+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$118\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$119\"}\n11d:{\"drupal_internal__target_id\":\"page_section\"}\n11c:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$11d\"}\n11f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d2de38a5-dc24-41cd-9344-bb7d2240b7f4/paragraph_type?resourceVersion=id%3A20006\"}\n120:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d2de38a5-dc24-41cd-9344-bb7d2240b7f4/relationships/paragraph_type?resourceVersion=id%3A20006\"}\n11e:{\"related\":\"$11f\",\"self\":\"$120\"}\n11b:{\"data\":\"$11c\",\"links\":\"$11e\"}\n123:{\"target_revision_id\":20001,\"drupal_internal__target_id\":1086}\n122:{\"type\":\"paragraph--call_out_box\",\"id\":\"ff05557c-19b2-4cf8-91ed-6cb2b3ceb662\",\"meta\":\"$123\"}\n125:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d2de38a5-dc24-41cd-9344-bb7d2240b7f4/field_specialty_item?resourceVersion=id%3A20006\"}\n126:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d2de38a5-dc24-41cd-9344-bb7d2240b7f4/relationships/field_specialty_item?resourceVersion=id%3A20006\"}\n124:{\"related\":\"$125\",\"self\":\"$126\"}\n121:{\"data\":\"$122\",\"links\":\"$124\"}\n11a:{\"paragraph_type\":\"$11b\",\"field_specialty_item\":\"$121\"}\n114:{\"type\":\"paragraph--page_section\",\"id\":\"d2de38a5-dc24-41cd-9344-bb7d2240b7f4\",\"links\":\"$115\",\"attributes\":\"$117\",\"relationships\":\"$11a\"}\n129:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8383a3b3-7807-40a8-96f7-0197052ff373?resourceV"])</script><script>self.__next_f.push([1,"ersion=id%3
A20016\"}\n128:{\"self\":\"$129\"}\n12b:[]\n12c:{\"value\":\"\u003ch3\u003e\u003cstrong\u003eOngoing Authorization Program Dashboard\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003ca href=\\\"/learn/ongoing-authorization\\\"\u003eOngoing Authorization (OA)\u003c/a\u003e is closely tied to CMS’ goals for a proactive, risk-based approach to system security. Rather than going through the traditional, compliance-focused Authorization to Operate (ATO) process, a system can be approved to operate through OA, which focuses on continuous risk identification and management. The Ongoing Authorization Program Dashboard helps ISSOs and other security professionals to quickly identify what parts of their system meet the requirements for OA, and what steps they need to take (either to achieve or maintain OA).\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch3\u003e\u003cstrong\u003eOngoing Authorization Program Dashboard\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003ca href=\\\"/learn/ongoing-authorization\\\"\u003eOngoing Authorization (OA)\u003c/a\u003e is closely tied to CMS’ goals for a proactive, risk-based approach to system security. Rather than going through the traditional, compliance-focused Authorization to Operate (ATO) process, a system can be approved to operate through OA, which focuses on continuous risk identification and management. 
The Ongoing Authorization Program Dashboard helps ISSOs and other security professionals to quickly identify what parts of their system meet the requirements for OA, and what steps they need to take (either to achieve or maintain OA).\u003c/p\u003e\"}\n12a:{\"drupal_internal__id\":1101,\"drupal_internal__revision_id\":20016,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:13:19+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$12b\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$12c\"}\n130:{\"drupal_internal__target_id\":\"page_section\"}\n12f:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$130\"}\n132:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8383a3b3-7807-40a8-96f7-0197"])</script><script>self.__next_f.push([1,"052ff373/paragraph_type?resourceVersion=id%3A20016\"}\n133:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8383a3b3-7807-40a8-96f7-0197052ff373/relationships/paragraph_type?resourceVersion=id%3A20016\"}\n131:{\"related\":\"$132\",\"self\":\"$133\"}\n12e:{\"data\":\"$12f\",\"links\":\"$131\"}\n136:{\"target_revision_id\":20011,\"drupal_internal__target_id\":1096}\n135:{\"type\":\"paragraph--call_out_box\",\"id\":\"9e3ff387-df41-430c-bfd9-394cdef3bf60\",\"meta\":\"$136\"}\n138:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8383a3b3-7807-40a8-96f7-0197052ff373/field_specialty_item?resourceVersion=id%3A20016\"}\n139:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8383a3b3-7807-40a8-96f7-0197052ff373/relationships/field_specialty_item?resourceVersion=id%3A20016\"}\n137:{\"related\":\"$138\",\"self\":\"$139\"}\n134:{\"data\":\"$135\",\"links\":\"$137\"}\n12d:{\"paragraph_type\":\"$12e\",\"field_specialty_item\":\"$134\"}\n127:{\"type\":\"paragraph--page_section\",\"id\":\"8383a3b3-7807
-40a8-96f7-0197052ff373\",\"links\":\"$128\",\"attributes\":\"$12a\",\"relationships\":\"$12d\"}\n13c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/04fa58c5-1639-4b2c-bc43-d4624d84d942?resourceVersion=id%3A19971\"}\n13b:{\"self\":\"$13c\"}\n13e:[]\n140:[]\n13f:{\"uri\":\"https://tableau.bi.cms.gov/#/site/CEDE/projects/51?:origin=card_share_link\",\"title\":\"\",\"options\":\"$140\",\"url\":\"https://tableau.bi.cms.gov/#/site/CEDE/projects/51?:origin=card_share_link\"}\n141:{\"value\":\"Ready to dive in? You can jump right to your Cyber Risk Dashboards from here, but you will need to have access to your Tableau and CFACTS (job codes) accounts.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eReady to dive in? You can jump right to your Cyber Risk Dashboards from here, but you will need to have access to your Tableau and CFACTS (job codes) accounts.\u003c/p\u003e\\n\"}\n13d:{\"drupal_internal__id\":1036,\"drupal_internal__revision_id\":19971,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T15:47:51+00:00\",\"parent_id\":\"1041\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_setting"])</script><script>self.__next_f.push([1,"s\":\"$13e\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":\"$13f\",\"field_call_out_link_text\":\"Go to the dashboards\",\"field_call_out_text\":\"$141\",\"field_header\":\"View Cyber Risk 
Reports\"}\n145:{\"drupal_internal__target_id\":\"call_out_box\"}\n144:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$145\"}\n147:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/04fa58c5-1639-4b2c-bc43-d4624d84d942/paragraph_type?resourceVersion=id%3A19971\"}\n148:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/04fa58c5-1639-4b2c-bc43-d4624d84d942/relationships/paragraph_type?resourceVersion=id%3A19971\"}\n146:{\"related\":\"$147\",\"self\":\"$148\"}\n143:{\"data\":\"$144\",\"links\":\"$146\"}\n142:{\"paragraph_type\":\"$143\"}\n13a:{\"type\":\"paragraph--call_out_box\",\"id\":\"04fa58c5-1639-4b2c-bc43-d4624d84d942\",\"links\":\"$13b\",\"attributes\":\"$13d\",\"relationships\":\"$142\"}\n14b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/54cab91c-d651-4073-87dc-44d440777a1f?resourceVersion=id%3A19991\"}\n14a:{\"self\":\"$14b\"}\n14d:[]\n14f:[]\n14e:{\"uri\":\"https://confluenceent.cms.gov/display/ISPG/Next+Generation+Dashboard+Quick+Look+Guides?preview=/298341730/298341948/Known%20Exploited%20Vulnerabilities%20Dashboard%20-%20Quick%20Start%20Guide.pdf\",\"title\":\"\",\"options\":\"$14f\",\"url\":\"https://confluenceent.cms.gov/display/ISPG/Next+Generation+Dashboard+Quick+Look+Guides?preview=/298341730/298341948/Known%20Exploited%20Vulnerabilities%20Dashboard%20-%20Quick%20Start%20Guide.pdf\"}\n150:{\"value\":\"Learn how to access, customize, and manage the KEV Dashboard. (CMS internal link)\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eLearn how to access, customize, and manage the KEV Dashboard. 
(CMS internal link)\u003c/p\u003e\\n\"}\n14c:{\"drupal_internal__id\":1066,\"drupal_internal__revision_id\":19991,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:05:47+00:00\",\"parent_id\":\"1071\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$14d\",\"default_langcode\":true"])</script><script>self.__next_f.push([1,",\"revision_translation_affected\":true,\"field_call_out_link\":\"$14e\",\"field_call_out_link_text\":\"See the KEV Dashboard guide\",\"field_call_out_text\":\"$150\",\"field_header\":\"Quick start guide\"}\n154:{\"drupal_internal__target_id\":\"call_out_box\"}\n153:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$154\"}\n156:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/54cab91c-d651-4073-87dc-44d440777a1f/paragraph_type?resourceVersion=id%3A19991\"}\n157:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/54cab91c-d651-4073-87dc-44d440777a1f/relationships/paragraph_type?resourceVersion=id%3A19991\"}\n155:{\"related\":\"$156\",\"self\":\"$157\"}\n152:{\"data\":\"$153\",\"links\":\"$155\"}\n151:{\"paragraph_type\":\"$152\"}\n149:{\"type\":\"paragraph--call_out_box\",\"id\":\"54cab91c-d651-4073-87dc-44d440777a1f\",\"links\":\"$14a\",\"attributes\":\"$14c\",\"relationships\":\"$151\"}\n15a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/ff05557c-19b2-4cf8-91ed-6cb2b3ceb662?resourceVersion=id%3A20001\"}\n159:{\"self\":\"$15a\"}\n15c:[]\n15e:[]\n15d:{\"uri\":\"https://confluenceent.cms.gov/display/ISPG/Next+Generation+Dashboard+Quick+Look+Guides?preview=/298341730/298341950/Vulnerability%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20(1).pdf\",\"title\":\"\",\"options\":\"$15e\",\"url\":\"https://confluenceent.cms.gov/display/ISPG/Next+Generation+Dashboard+Quick+Look+Guides?preview=/298341730/298341950/Vulnerability%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20%281%
29.pdf\"}\n15f:{\"value\":\"Learn how to access and use the Vulnerability Dashboard. (CMS internal link)\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eLearn how to access and use the Vulnerability Dashboard. (CMS internal link)\u003c/p\u003e\\n\"}\n15b:{\"drupal_internal__id\":1086,\"drupal_internal__revision_id\":20001,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:11:19+00:00\",\"parent_id\":\"1091\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$15c\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link"])</script><script>self.__next_f.push([1,"\":\"$15d\",\"field_call_out_link_text\":\"See the Vulnerability Dashboard guide\",\"field_call_out_text\":\"$15f\",\"field_header\":\"Quick start guide\"}\n163:{\"drupal_internal__target_id\":\"call_out_box\"}\n162:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$163\"}\n165:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/ff05557c-19b2-4cf8-91ed-6cb2b3ceb662/paragraph_type?resourceVersion=id%3A20001\"}\n166:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/ff05557c-19b2-4cf8-91ed-6cb2b3ceb662/relationships/paragraph_type?resourceVersion=id%3A20001\"}\n164:{\"related\":\"$165\",\"self\":\"$166\"}\n161:{\"data\":\"$162\",\"links\":\"$164\"}\n160:{\"paragraph_type\":\"$161\"}\n158:{\"type\":\"paragraph--call_out_box\",\"id\":\"ff05557c-19b2-4cf8-91ed-6cb2b3ceb662\",\"links\":\"$159\",\"attributes\":\"$15b\",\"relationships\":\"$160\"}\n169:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/9e3ff387-df41-430c-bfd9-394cdef3bf60?resourceVersion=id%3A20011\"}\n168:{\"self\":\"$169\"}\n16b:[]\n16d:[]\n16c:{\"uri\":\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=195122542\u0026preview=/195122542/250712614/OA%20Program%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20102721_Final.pdf\",\"tit
le\":\"\",\"options\":\"$16d\",\"url\":\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=195122542\u0026preview=/195122542/250712614/OA%20Program%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20102721_Final.pdf\"}\n16e:{\"value\":\"Learn how to access and use the Ongoing Authorization Program Dashboard. (CMS internal link)\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eLearn how to access and use the Ongoing Authorization Program Dashboard. (CMS internal link)\u003c/p\u003e\\n\"}\n16a:{\"drupal_internal__id\":1096,\"drupal_internal__revision_id\":20011,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:13:36+00:00\",\"parent_id\":\"1101\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$16b\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":\"$16c\",\"field_call_out_link_text\":\"See"])</script><script>self.__next_f.push([1," the OA Dashboard guide\",\"field_call_out_text\":\"$16e\",\"field_header\":\"Quick start 
guide\"}\n172:{\"drupal_internal__target_id\":\"call_out_box\"}\n171:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$172\"}\n174:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/9e3ff387-df41-430c-bfd9-394cdef3bf60/paragraph_type?resourceVersion=id%3A20011\"}\n175:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/9e3ff387-df41-430c-bfd9-394cdef3bf60/relationships/paragraph_type?resourceVersion=id%3A20011\"}\n173:{\"related\":\"$174\",\"self\":\"$175\"}\n170:{\"data\":\"$171\",\"links\":\"$173\"}\n16f:{\"paragraph_type\":\"$170\"}\n167:{\"type\":\"paragraph--call_out_box\",\"id\":\"9e3ff387-df41-430c-bfd9-394cdef3bf60\",\"links\":\"$168\",\"attributes\":\"$16a\",\"relationships\":\"$16f\"}\n178:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b0c313be-306b-48cd-b0bf-8a70f2bae7fb?resourceVersion=id%3A20021\"}\n177:{\"self\":\"$178\"}\n17a:[]\n179:{\"drupal_internal__id\":1911,\"drupal_internal__revision_id\":20021,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T20:26:59+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$17a\",\"default_langcode\":true,\"revision_translation_affected\":true}\n17e:{\"drupal_internal__target_id\":\"internal_link\"}\n17d:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$17e\"}\n180:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b0c313be-306b-48cd-b0bf-8a70f2bae7fb/paragraph_type?resourceVersion=id%3A20021\"}\n181:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b0c313be-306b-48cd-b0bf-8a70f2bae7fb/relationships/paragraph_type?resourceVersion=id%3A20021\"}\n17f:{\"related\":\"$180\",\"self\":\"$181\"}\n17c:{\"data\":\"$17d\",\"links\":\"$17f\"}\n184:{\"drupal_internal__target_id\":326}\n183:{\"type\":\"node--explainer\",\"id\":\"a27
9358b-5b24-49bc-a98e-11681bd7e65c\",\"meta\":\"$184\"}\n186:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b0c313be-306b-48cd-b0"])</script><script>self.__next_f.push([1,"bf-8a70f2bae7fb/field_link?resourceVersion=id%3A20021\"}\n187:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b0c313be-306b-48cd-b0bf-8a70f2bae7fb/relationships/field_link?resourceVersion=id%3A20021\"}\n185:{\"related\":\"$186\",\"self\":\"$187\"}\n182:{\"data\":\"$183\",\"links\":\"$185\"}\n17b:{\"paragraph_type\":\"$17c\",\"field_link\":\"$182\"}\n176:{\"type\":\"paragraph--internal_link\",\"id\":\"b0c313be-306b-48cd-b0bf-8a70f2bae7fb\",\"links\":\"$177\",\"attributes\":\"$179\",\"relationships\":\"$17b\"}\n18a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/32ab944d-d8c2-480b-b01e-85fa1a7eaf17?resourceVersion=id%3A20026\"}\n189:{\"self\":\"$18a\"}\n18c:[]\n18b:{\"drupal_internal__id\":1916,\"drupal_internal__revision_id\":20026,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T20:27:36+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$18c\",\"default_langcode\":true,\"revision_translation_affected\":true}\n190:{\"drupal_internal__target_id\":\"internal_link\"}\n18f:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$190\"}\n192:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/32ab944d-d8c2-480b-b01e-85fa1a7eaf17/paragraph_type?resourceVersion=id%3A20026\"}\n193:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/32ab944d-d8c2-480b-b01e-85fa1a7eaf17/relationships/paragraph_type?resourceVersion=id%3A20026\"}\n191:{\"related\":\"$192\",\"self\":\"$193\"}\n18e:{\"data\":\"$18f\",\"links\":\"$191\"}\n196:{\"drupal_internal__target_id\":676}\n195:{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"meta\":\"$196\"}\n198:{\"hre
f\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/32ab944d-d8c2-480b-b01e-85fa1a7eaf17/field_link?resourceVersion=id%3A20026\"}\n199:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/32ab944d-d8c2-480b-b01e-85fa1a7eaf17/relationships/field_link?resourceVersion=id%3A20026\"}\n197:{\"related\":\"$198\",\"self\":\"$199\"}\n194:{\"data\":\"$195\",\"links\":\"$197\"}\n18d:{\"paragraph_type\":\"$18e\",\"fie"])</script><script>self.__next_f.push([1,"ld_link\":\"$194\"}\n188:{\"type\":\"paragraph--internal_link\",\"id\":\"32ab944d-d8c2-480b-b01e-85fa1a7eaf17\",\"links\":\"$189\",\"attributes\":\"$18b\",\"relationships\":\"$18d\"}\n19c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/21220e28-a46b-469f-9033-3e3482d07b4e?resourceVersion=id%3A20031\"}\n19b:{\"self\":\"$19c\"}\n19e:[]\n19d:{\"drupal_internal__id\":3386,\"drupal_internal__revision_id\":20031,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-07-08T12:38:09+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$19e\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1a2:{\"drupal_internal__target_id\":\"internal_link\"}\n1a1:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1a2\"}\n1a4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/21220e28-a46b-469f-9033-3e3482d07b4e/paragraph_type?resourceVersion=id%3A20031\"}\n1a5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/21220e28-a46b-469f-9033-3e3482d07b4e/relationships/paragraph_type?resourceVersion=id%3A20031\"}\n1a3:{\"related\":\"$1a4\",\"self\":\"$1a5\"}\n1a0:{\"data\":\"$1a1\",\"links\":\"$1a3\"}\n1a8:{\"drupal_internal__target_id\":771}\n1a7:{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"meta\":\"$1a8\"}\n1aa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/21
220e28-a46b-469f-9033-3e3482d07b4e/field_link?resourceVersion=id%3A20031\"}\n1ab:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/21220e28-a46b-469f-9033-3e3482d07b4e/relationships/field_link?resourceVersion=id%3A20031\"}\n1a9:{\"related\":\"$1aa\",\"self\":\"$1ab\"}\n1a6:{\"data\":\"$1a7\",\"links\":\"$1a9\"}\n19f:{\"paragraph_type\":\"$1a0\",\"field_link\":\"$1a6\"}\n19a:{\"type\":\"paragraph--internal_link\",\"id\":\"21220e28-a46b-469f-9033-3e3482d07b4e\",\"links\":\"$19b\",\"attributes\":\"$19d\",\"relationships\":\"$19f\"}\n1ae:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1dc73a64-e5a5-419e-9363-9e91887427be?resourceVersion=id%3A20036\"}\n1ad:{\"self\":\"$1ae\"}\n1b0:[]\n"])</script><script>self.__next_f.push([1,"1af:{\"drupal_internal__id\":3387,\"drupal_internal__revision_id\":20036,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-07-08T12:38:20+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1b0\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1b4:{\"drupal_internal__target_id\":\"internal_link\"}\n1b3:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1b4\"}\n1b6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1dc73a64-e5a5-419e-9363-9e91887427be/paragraph_type?resourceVersion=id%3A20036\"}\n1b7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1dc73a64-e5a5-419e-9363-9e91887427be/relationships/paragraph_type?resourceVersion=id%3A20036\"}\n1b5:{\"related\":\"$1b6\",\"self\":\"$1b7\"}\n1b2:{\"data\":\"$1b3\",\"links\":\"$1b5\"}\n1ba:{\"drupal_internal__target_id\":991}\n1b9:{\"type\":\"node--library\",\"id\":\"ccc8540c-c385-44e3-8788-fcd3b96df2d7\",\"meta\":\"$1ba\"}\n1bc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1dc73a64-e5a5-419e-9363-9e91887427be/field_link?resourceVersion=id%3A2
0036\"}\n1bd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1dc73a64-e5a5-419e-9363-9e91887427be/relationships/field_link?resourceVersion=id%3A20036\"}\n1bb:{\"related\":\"$1bc\",\"self\":\"$1bd\"}\n1b8:{\"data\":\"$1b9\",\"links\":\"$1bb\"}\n1b1:{\"paragraph_type\":\"$1b2\",\"field_link\":\"$1b8\"}\n1ac:{\"type\":\"paragraph--internal_link\",\"id\":\"1dc73a64-e5a5-419e-9363-9e91887427be\",\"links\":\"$1ad\",\"attributes\":\"$1af\",\"relationships\":\"$1b1\"}\n1c0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c?resourceVersion=id%3A5942\"}\n1bf:{\"self\":\"$1c0\"}\n1c2:{\"alias\":\"/learn/fedramp\",\"pid\":316,\"langcode\":\"en\"}\n1c3:{\"value\":\"Provides a federally-recognized and standardized security framework for all cloud products and services\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProvides a federally-recognized and standardized security framework for all cloud products and services\u003c/p\u003e\\n\"}\n1c4:[\"#fedramp\"]"])</script><script>self.__next_f.push([1,"\n1c1:{\"drupal_internal__nid\":326,\"drupal_internal__vid\":5942,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-17T14:55:23+00:00\",\"status\":true,\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"created\":\"2022-08-29T15:22:00+00:00\",\"changed\":\"2024-10-17T14:55:23+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1c2\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"FedRAMP@cms.hhs.gov\",\"field_contact_name\":\"CMS FedRAMP 
PMO\",\"field_short_description\":\"$1c3\",\"field_slack_channel\":\"$1c4\"}\n1c8:{\"drupal_internal__target_id\":\"explainer\"}\n1c7:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$1c8\"}\n1ca:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/node_type?resourceVersion=id%3A5942\"}\n1cb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/node_type?resourceVersion=id%3A5942\"}\n1c9:{\"related\":\"$1ca\",\"self\":\"$1cb\"}\n1c6:{\"data\":\"$1c7\",\"links\":\"$1c9\"}\n1ce:{\"drupal_internal__target_id\":114}\n1cd:{\"type\":\"user--user\",\"id\":\"d3421e1d-1fda-4bd0-83ab-e404455b0e66\",\"meta\":\"$1ce\"}\n1d0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/revision_uid?resourceVersion=id%3A5942\"}\n1d1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/revision_uid?resourceVersion=id%3A5942\"}\n1cf:{\"related\":\"$1d0\",\"self\":\"$1d1\"}\n1cc:{\"data\":\"$1cd\",\"links\":\"$1cf\"}\n1d4:{\"drupal_internal__target_id\":26}\n1d3:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$1d4\"}\n1d6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/uid?resourceVersion=id%3A5942\"}\n1d7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-1"])</script><script>self.__next_f.push([1,"1681bd7e65c/relationships/uid?resourceVersion=id%3A5942\"}\n1d5:{\"related\":\"$1d6\",\"self\":\"$1d7\"}\n1d2:{\"data\":\"$1d3\",\"links\":\"$1d5\"}\n1db:{\"target_revision_id\":19451,\"drupal_internal__target_id\":1171}\n1da:{\"type\":\"paragraph--page_section\",\"id\":\"2ce39e48-81e4-4bea-a0ff-04f25ddd0041\",\"meta\":\"$1db\"}\n1dd:{\"target_revision_id\":19452,\"drupal_internal__target_id\":1211}\n1dc:{\"type\":\"paragraph--page
_section\",\"id\":\"77ea2e89-2433-4815-b869-52b2d900029e\",\"meta\":\"$1dd\"}\n1df:{\"target_revision_id\":19462,\"drupal_internal__target_id\":3431}\n1de:{\"type\":\"paragraph--page_section\",\"id\":\"deedf0fe-44e9-4015-90a1-f86ce6cbaf24\",\"meta\":\"$1df\"}\n1e1:{\"target_revision_id\":19472,\"drupal_internal__target_id\":1261}\n1e0:{\"type\":\"paragraph--page_section\",\"id\":\"2b2216d8-24c3-4940-930f-6e79f68a279a\",\"meta\":\"$1e1\"}\n1e3:{\"target_revision_id\":19474,\"drupal_internal__target_id\":1266}\n1e2:{\"type\":\"paragraph--page_section\",\"id\":\"cbda5c42-489d-4480-85f5-db10db44de3e\",\"meta\":\"$1e3\"}\n1e5:{\"target_revision_id\":19475,\"drupal_internal__target_id\":3433}\n1e4:{\"type\":\"paragraph--page_section\",\"id\":\"37970dd4-a515-4370-a09f-f5177c2f98c2\",\"meta\":\"$1e5\"}\n1e7:{\"target_revision_id\":19476,\"drupal_internal__target_id\":3434}\n1e6:{\"type\":\"paragraph--page_section\",\"id\":\"434b1960-73e8-43fa-9b9e-253ce35fa55a\",\"meta\":\"$1e7\"}\n1d9:[\"$1da\",\"$1dc\",\"$1de\",\"$1e0\",\"$1e2\",\"$1e4\",\"$1e6\"]\n1e9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_page_section?resourceVersion=id%3A5942\"}\n1ea:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_page_section?resourceVersion=id%3A5942\"}\n1e8:{\"related\":\"$1e9\",\"self\":\"$1ea\"}\n1d8:{\"data\":\"$1d9\",\"links\":\"$1e8\"}\n1ee:{\"target_revision_id\":19477,\"drupal_internal__target_id\":1956}\n1ed:{\"type\":\"paragraph--internal_link\",\"id\":\"7a5f06f0-e0ba-4ed2-aade-79b2233ec125\",\"meta\":\"$1ee\"}\n1f0:{\"target_revision_id\":19478,\"drupal_internal__target_id\":1961}\n1ef:{\"type\":\"paragraph--internal_link\",\"id\":\"61509c21-9c9e-48d0-8110-b98574cee727\",\"meta\":\"$1f0\"}\n1f2:{\"t"])</script><script>self.__next_f.push([1,"arget_revision_id\":19479,\"drupal_internal__target_id\":1966}\n1f1:{\"type\":\"paragraph--internal_link\",\"id\":\"c2
480fc7-b7c3-49d4-8643-cd42bcd3b56b\",\"meta\":\"$1f2\"}\n1f4:{\"target_revision_id\":19480,\"drupal_internal__target_id\":3435}\n1f3:{\"type\":\"paragraph--internal_link\",\"id\":\"63dffb2c-c587-4991-8523-142b2378a5aa\",\"meta\":\"$1f4\"}\n1ec:[\"$1ed\",\"$1ef\",\"$1f1\",\"$1f3\"]\n1f6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_related_collection?resourceVersion=id%3A5942\"}\n1f7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_related_collection?resourceVersion=id%3A5942\"}\n1f5:{\"related\":\"$1f6\",\"self\":\"$1f7\"}\n1eb:{\"data\":\"$1ec\",\"links\":\"$1f5\"}\n1fa:{\"drupal_internal__target_id\":131}\n1f9:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$1fa\"}\n1fc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_resource_type?resourceVersion=id%3A5942\"}\n1fd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_resource_type?resourceVersion=id%3A5942\"}\n1fb:{\"related\":\"$1fc\",\"self\":\"$1fd\"}\n1f8:{\"data\":\"$1f9\",\"links\":\"$1fb\"}\n201:{\"drupal_internal__target_id\":66}\n200:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$201\"}\n203:{\"drupal_internal__target_id\":61}\n202:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$203\"}\n205:{\"drupal_internal__target_id\":76}\n204:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$205\"}\n1ff:[\"$200\",\"$202\",\"$204\"]\n207:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_roles?resourceVersion=id%3A5942\"}\n208:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationsh
ips/field_roles?resourceVersion=id%3A5942\"}\n206:{\"related\":\"$207\",\"self\":\"$208\"}\n1fe:{\"data\":\"$1ff\",\"links\":\""])</script><script>self.__next_f.push([1,"$206\"}\n20c:{\"drupal_internal__target_id\":21}\n20b:{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":\"$20c\"}\n20a:[\"$20b\"]\n20e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_topics?resourceVersion=id%3A5942\"}\n20f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_topics?resourceVersion=id%3A5942\"}\n20d:{\"related\":\"$20e\",\"self\":\"$20f\"}\n209:{\"data\":\"$20a\",\"links\":\"$20d\"}\n1c5:{\"node_type\":\"$1c6\",\"revision_uid\":\"$1cc\",\"uid\":\"$1d2\",\"field_page_section\":\"$1d8\",\"field_related_collection\":\"$1eb\",\"field_resource_type\":\"$1f8\",\"field_roles\":\"$1fe\",\"field_topics\":\"$209\"}\n1be:{\"type\":\"node--explainer\",\"id\":\"a279358b-5b24-49bc-a98e-11681bd7e65c\",\"links\":\"$1bf\",\"attributes\":\"$1c1\",\"relationships\":\"$1c5\"}\n212:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08?resourceVersion=id%3A5525\"}\n211:{\"self\":\"$212\"}\n214:{\"alias\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"pid\":666,\"langcode\":\"en\"}\n215:{\"value\":\"Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eAutomated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\u003c/p\u003e\\n\"}\n216:[\"#cyber-risk-management\"]\n213:{\"drupal_internal__nid\":676,\"drupal_internal__vid\":5525,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-04T17:13:19+00:00\",\"status\":true,\"title\":\"Continuous Diagnostics and Mitigation 
(CDM)\",\"created\":\"2023-02-04T14:55:07+00:00\",\"changed\":\"2024-06-04T17:13:19+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$214\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CDMPMO@cms.hhs.gov\",\"field_contact_name\":\"CDM team\",\"field_short_description\":\"$215\",\"field_slack_channel\":\""])</script><script>self.__next_f.push([1,"$216\"}\n21a:{\"drupal_internal__target_id\":\"explainer\"}\n219:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$21a\"}\n21c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/node_type?resourceVersion=id%3A5525\"}\n21d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/node_type?resourceVersion=id%3A5525\"}\n21b:{\"related\":\"$21c\",\"self\":\"$21d\"}\n218:{\"data\":\"$219\",\"links\":\"$21b\"}\n220:{\"drupal_internal__target_id\":107}\n21f:{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":\"$220\"}\n222:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/revision_uid?resourceVersion=id%3A5525\"}\n223:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/revision_uid?resourceVersion=id%3A5525\"}\n221:{\"related\":\"$222\",\"self\":\"$223\"}\n21e:{\"data\":\"$21f\",\"links\":\"$221\"}\n226:{\"drupal_internal__target_id\":6}\n225:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$226\"}\n228:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/uid?resourceVersion=id%3A5525\"}\n229:{\"href\":\"https://cybergeek.cms.gov
/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/uid?resourceVersion=id%3A5525\"}\n227:{\"related\":\"$228\",\"self\":\"$229\"}\n224:{\"data\":\"$225\",\"links\":\"$227\"}\n22d:{\"target_revision_id\":17929,\"drupal_internal__target_id\":546}\n22c:{\"type\":\"paragraph--page_section\",\"id\":\"8b7bda2b-e3dc-4760-9901-27255f14ff41\",\"meta\":\"$22d\"}\n22f:{\"target_revision_id\":17930,\"drupal_internal__target_id\":551}\n22e:{\"type\":\"paragraph--page_section\",\"id\":\"8e76f588-fd94-4439-b7e3-73c8b83e3500\",\"meta\":\"$22f\"}\n22b:[\"$22c\",\"$22e\"]\n231:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_page_section?resourceVersion=id%3A5525\"}\n232:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cec"])</script><script>self.__next_f.push([1,"c9300e08/relationships/field_page_section?resourceVersion=id%3A5525\"}\n230:{\"related\":\"$231\",\"self\":\"$232\"}\n22a:{\"data\":\"$22b\",\"links\":\"$230\"}\n236:{\"target_revision_id\":17931,\"drupal_internal__target_id\":1891}\n235:{\"type\":\"paragraph--internal_link\",\"id\":\"bc285af3-dba7-4a12-8881-a8fed446dded\",\"meta\":\"$236\"}\n238:{\"target_revision_id\":17932,\"drupal_internal__target_id\":1896}\n237:{\"type\":\"paragraph--internal_link\",\"id\":\"1bc4b03f-652f-4fbf-8024-43e830b4b0a3\",\"meta\":\"$238\"}\n23a:{\"target_revision_id\":17933,\"drupal_internal__target_id\":1906}\n239:{\"type\":\"paragraph--internal_link\",\"id\":\"05f865ef-4960-439b-9fca-9e7d70dfbe39\",\"meta\":\"$23a\"}\n234:[\"$235\",\"$237\",\"$239\"]\n23c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_related_collection?resourceVersion=id%3A5525\"}\n23d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_related_collection?resourceVersion=id%3A5525\"}\n23b:{\"related\":\"$23c\",\"self\":\"$23d\"}\n233:{\"d
ata\":\"$234\",\"links\":\"$23b\"}\n240:{\"drupal_internal__target_id\":121}\n23f:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$240\"}\n242:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_resource_type?resourceVersion=id%3A5525\"}\n243:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_resource_type?resourceVersion=id%3A5525\"}\n241:{\"related\":\"$242\",\"self\":\"$243\"}\n23e:{\"data\":\"$23f\",\"links\":\"$241\"}\n247:{\"drupal_internal__target_id\":61}\n246:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$247\"}\n249:{\"drupal_internal__target_id\":76}\n248:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$249\"}\n245:[\"$246\",\"$248\"]\n24b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_roles?resourceVersion=id%3A5525\"}\n24c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/nod"])</script><script>self.__next_f.push([1,"e/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_roles?resourceVersion=id%3A5525\"}\n24a:{\"related\":\"$24b\",\"self\":\"$24c\"}\n244:{\"data\":\"$245\",\"links\":\"$24a\"}\n250:{\"drupal_internal__target_id\":36}\n24f:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$250\"}\n252:{\"drupal_internal__target_id\":11}\n251:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$252\"}\n24e:[\"$24f\",\"$251\"]\n254:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_topics?resourceVersion=id%3A5525\"}\n255:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_topics?resourceVersion=id%3A5525\"}\n253:{\"related\"
:\"$254\",\"self\":\"$255\"}\n24d:{\"data\":\"$24e\",\"links\":\"$253\"}\n217:{\"node_type\":\"$218\",\"revision_uid\":\"$21e\",\"uid\":\"$224\",\"field_page_section\":\"$22a\",\"field_related_collection\":\"$233\",\"field_resource_type\":\"$23e\",\"field_roles\":\"$244\",\"field_topics\":\"$24d\"}\n210:{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"links\":\"$211\",\"attributes\":\"$213\",\"relationships\":\"$217\"}\n258:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf?resourceVersion=id%3A5861\"}\n257:{\"self\":\"$258\"}\n25a:{\"alias\":\"/learn/ongoing-authorization-oa\",\"pid\":751,\"langcode\":\"en\"}\n25b:{\"value\":\"Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSupporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\u003c/p\u003e\\n\"}\n25c:[\"#oa-onboarding \",\"#security_community \",\"#CMS-CDM\"]\n259:{\"drupal_internal__nid\":771,\"drupal_internal__vid\":5861,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-08T14:51:46+00:00\",\"status\":true,\"title\":\"Ongoing Authorization (OA)\",\"created\":\"2023-03-06T21:09:39+00:00\",\"changed\":\"2024-08-08T14:51:46+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translati"])</script><script>self.__next_f.push([1,"on_affected\":true,\"moderation_state\":\"published\",\"path\":\"$25a\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy 
Team\",\"field_short_description\":\"$25b\",\"field_slack_channel\":\"$25c\"}\n260:{\"drupal_internal__target_id\":\"explainer\"}\n25f:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$260\"}\n262:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/node_type?resourceVersion=id%3A5861\"}\n263:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/node_type?resourceVersion=id%3A5861\"}\n261:{\"related\":\"$262\",\"self\":\"$263\"}\n25e:{\"data\":\"$25f\",\"links\":\"$261\"}\n266:{\"drupal_internal__target_id\":6}\n265:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$266\"}\n268:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/revision_uid?resourceVersion=id%3A5861\"}\n269:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/revision_uid?resourceVersion=id%3A5861\"}\n267:{\"related\":\"$268\",\"self\":\"$269\"}\n264:{\"data\":\"$265\",\"links\":\"$267\"}\n26c:{\"drupal_internal__target_id\":26}\n26b:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$26c\"}\n26e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/uid?resourceVersion=id%3A5861\"}\n26f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/uid?resourceVersion=id%3A5861\"}\n26d:{\"related\":\"$26e\",\"self\":\"$26f\"}\n26a:{\"data\":\"$26b\",\"links\":\"$26d\"}\n273:{\"target_revision_id\":19161,\"drupal_internal__target_id\":2336}\n272:{\"type\":\"paragraph--page_section\",\"id\":\"8e64b2f7-d23c-4782-b0e3-e3b850374054\",\"meta\":\"$273\"}\n275:{\"target_revision_id\":19169,\"drupal_internal__target_id\":2351}\n274"])</script><script>self.__next_f.push([1,":{\"type\":\"paragraph--page_
section\",\"id\":\"53ba39d8-a757-47cf-9d7e-e7a23389889e\",\"meta\":\"$275\"}\n277:{\"target_revision_id\":19171,\"drupal_internal__target_id\":2386}\n276:{\"type\":\"paragraph--page_section\",\"id\":\"123ffcec-1914-4725-a582-5c61bd8c9241\",\"meta\":\"$277\"}\n279:{\"target_revision_id\":19172,\"drupal_internal__target_id\":2426}\n278:{\"type\":\"paragraph--page_section\",\"id\":\"e5ef118a-a42b-4cfb-b5a6-cebc127739d3\",\"meta\":\"$279\"}\n271:[\"$272\",\"$274\",\"$276\",\"$278\"]\n27b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_page_section?resourceVersion=id%3A5861\"}\n27c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_page_section?resourceVersion=id%3A5861\"}\n27a:{\"related\":\"$27b\",\"self\":\"$27c\"}\n270:{\"data\":\"$271\",\"links\":\"$27a\"}\n280:{\"target_revision_id\":19173,\"drupal_internal__target_id\":2466}\n27f:{\"type\":\"paragraph--internal_link\",\"id\":\"de5326cf-552a-427c-9781-a4912ad4e45a\",\"meta\":\"$280\"}\n282:{\"target_revision_id\":19174,\"drupal_internal__target_id\":2471}\n281:{\"type\":\"paragraph--internal_link\",\"id\":\"b5f6c429-201a-4f5f-ae6e-05b6e235ddbc\",\"meta\":\"$282\"}\n284:{\"target_revision_id\":19175,\"drupal_internal__target_id\":2476}\n283:{\"type\":\"paragraph--internal_link\",\"id\":\"5a2be300-e6a0-41ff-9db9-5b88b77f18f2\",\"meta\":\"$284\"}\n286:{\"target_revision_id\":19176,\"drupal_internal__target_id\":2481}\n285:{\"type\":\"paragraph--internal_link\",\"id\":\"a7539e73-da37-44b0-ad17-9c481c5e89e9\",\"meta\":\"$286\"}\n288:{\"target_revision_id\":19177,\"drupal_internal__target_id\":2486}\n287:{\"type\":\"paragraph--internal_link\",\"id\":\"4f862230-6bb8-4954-b295-52e00e609ba5\",\"meta\":\"$288\"}\n28a:{\"target_revision_id\":19178,\"drupal_internal__target_id\":2491}\n289:{\"type\":\"paragraph--internal_link\",\"id\":\"8f0f75de-c261-41da-9ef7-06ccd80efb66\",\"meta\":\"$28a\"}\n27e:[\"$27f
\",\"$281\",\"$283\",\"$285\",\"$287\",\"$289\"]\n28c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_related_collection?resourceVersion=id%3A5861\"}\n28d:{\"href\":\"https://cyb"])</script><script>self.__next_f.push([1,"ergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_related_collection?resourceVersion=id%3A5861\"}\n28b:{\"related\":\"$28c\",\"self\":\"$28d\"}\n27d:{\"data\":\"$27e\",\"links\":\"$28b\"}\n290:{\"drupal_internal__target_id\":131}\n28f:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$290\"}\n292:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_resource_type?resourceVersion=id%3A5861\"}\n293:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_resource_type?resourceVersion=id%3A5861\"}\n291:{\"related\":\"$292\",\"self\":\"$293\"}\n28e:{\"data\":\"$28f\",\"links\":\"$291\"}\n297:{\"drupal_internal__target_id\":66}\n296:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$297\"}\n299:{\"drupal_internal__target_id\":61}\n298:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$299\"}\n29b:{\"drupal_internal__target_id\":76}\n29a:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$29b\"}\n295:[\"$296\",\"$298\",\"$29a\"]\n29d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_roles?resourceVersion=id%3A5861\"}\n29e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_roles?resourceVersion=id%3A5861\"}\n29c:{\"related\":\"$29d\",\"self\":\"$29e\"}\n294:{\"data\":\"$295\",\"links\":\"$29c\"}\n2a2:{\"drupal_internal__target_id\":36}\n2a1:{\"type\"
:\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$2a2\"}\n2a4:{\"drupal_internal__target_id\":11}\n2a3:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$2a4\"}\n2a0:[\"$2a1\",\"$2a3\"]\n2a6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_topics?resourceVersion=id%3A5861\"}\n2a7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/r"])</script><script>self.__next_f.push([1,"elationships/field_topics?resourceVersion=id%3A5861\"}\n2a5:{\"related\":\"$2a6\",\"self\":\"$2a7\"}\n29f:{\"data\":\"$2a0\",\"links\":\"$2a5\"}\n25d:{\"node_type\":\"$25e\",\"revision_uid\":\"$264\",\"uid\":\"$26a\",\"field_page_section\":\"$270\",\"field_related_collection\":\"$27d\",\"field_resource_type\":\"$28e\",\"field_roles\":\"$294\",\"field_topics\":\"$29f\"}\n256:{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"links\":\"$257\",\"attributes\":\"$259\",\"relationships\":\"$25d\"}\n2aa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7?resourceVersion=id%3A5858\"}\n2a9:{\"self\":\"$2aa\"}\n2ac:{\"alias\":\"/policy-guidance/cms-cyber-risk-management-plan-crmp\",\"pid\":846,\"langcode\":\"en\"}\n2ae:T5768,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u0026nbsp;Introduction\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) operates information technology (IT) systems that process personally identifiable information (PII) of more than 140 million Americans. The CMS Information Security and Privacy Group (ISPG) is responsible for defining the overarching strategy for managing risk associated with the operation of these information systems. This CMS Cyber Risk Management Plan (CRMP) outlines that strategy. 
The CMS CRMP is primarily owned by the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP), who oversee its management, evolution, and modification. This plan is regularly updated to align with changes in policy, Office of Information Technology (OIT) direction, federal requirements, and the threat landscape.\u003c/p\u003e\u003cp\u003eRisk Management is the process of managing risk to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf\"\u003eoperation of an information system\u003c/a\u003e. Risk Management includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003ethe conduct of a risk assessment;\u003c/li\u003e\u003cli\u003ethe implementation of a risk mitigation strategy; and\u003c/li\u003e\u003cli\u003ethe employment of techniques and procedures for continuous monitoring the security state of the information system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISPG has outlined three objectives that support each of the components of risk management identified above. Together, these objectives form the overarching risk management strategy for CMS information and information systems. 
The risk management strategy and its associated objectives are described in detail in the Risk Management Strategy section.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Purpose\u003c/h2\u003e\u003cp\u003eThe purpose of the CMS CRMP is to outline the CMS risk management strategy, establish objectives to support that strategy, and establish a program that aligns the processes, data, programs, technologies, and services with the risk management strategy to accomplish the objectives.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Risk Management Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Strategy establishes the program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation. The strategy includes: assessing risk, responding to risk once determined\u0026nbsp;(i.e. risk mitigation), and monitoring risk over time (i.e. continuous monitoring). To support these components of the risk management strategy CMS has identified three objectives:\u003c/p\u003e\u003col\u003e\u003cli\u003eDevelop and implement capabilities to provide ongoing awareness and visibility into the security posture of CMS information technology assets. \u003cem\u003e(Relates to: Risk Assessment)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eDevelop metrics, dashboards, and reports to inform and prioritize remediation efforts. \u003cem\u003e(Relates to: Risk Mitigation)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eImplement capabilities and tools to support continuous assessment and ongoing authorization (OA). \u003cem\u003e(Relates to: Continuous Monitoring)\u003c/em\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe ISPG maintains a pipeline of services and capabilities that support the three objectives identified above. These services and capabilities produce output (i.e. 
data) that is leveraged to support the CMS risk management strategy and is used to perform ongoing risk management activities. This CRMP establishes a framework to support the implementation of cybersecurity and privacy capabilities to protect CMS information and information systems. The components and services available to support each of the three components of the CMS risk management strategy are identified in the following subsections.\u003c/p\u003e\u003ch2\u003eRisk Assessment\u003c/h2\u003e\u003cp\u003eRisk assessment is part of risk management and incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Through the execution of the risk assessment organizations gain context and a comprehension of the nature of the risk which allows the level of the risk to be determined. Risk assessment is synonymous with risk analysis.\u003c/p\u003e\u003cp\u003eThe following CMS capabilities and services provide ongoing awareness into the security posture of CMS information technology assets and support the risk assessment process:\u003c/p\u003e\u003ch3\u003eThreat Modeling\u003c/h3\u003e\u003cp\u003eThreat Modeling is a form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment.\u003c/p\u003e\u003ch3\u003eVulnerability Analysis Services\u003c/h3\u003e\u003cp\u003eCMS has implemented the following capabilities to support the identification and analysis of information system vulnerabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStatic Code Analysis \u003c/strong\u003e– provides tools that analyze source code without executing the code. Static code analyzers are designed to review bodies of source code (at the programming language level) or compiled code (at the machine language level) to identify poor coding practices. 
Static code analyzers provide feedback to developers during the code development phase on security flaws that might be introduced into code.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNetwork Scanning \u003c/strong\u003e– provides tools allowing Users to automatically determine all active devices on the local network.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHost Scanning \u003c/strong\u003e– provides tools to automate the identification of vulnerabilities in an operating system.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDatabase Scanning \u003c/strong\u003e– provides a specialized tool used specifically to identify vulnerabilities in database applications.\u003c/p\u003e\u003ch3\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003eThe Adaptive Capabilities Testing (ACT) Program is now the \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e. This change is a move toward a partnership-based methodology to align with ISPG strategies and the strategic goal of risk-based program management. This change is a holistic approach to assessing risk and will help our partners make better data-driven, risk-based decisions by using analytics to help optimize performance, streamline processes, and reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCSRAP is a security and risk assessment for FISMA systems at CMS. CSRAP assesses a system’s security capabilities to ensure that it operates as intended and meets the security requirements for the information system. CSRAP is a critical component of the \u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process and is used to determine the overall system security and privacy posture throughout the system development life cycle (SDLC). 
For detailed information about CSRAP, see \u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCybersecurity and Risk Assessment Program Handbook\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eRisk Mitigation\u003c/h2\u003e\u003cp\u003eThe act of mitigating a vulnerability or a threat is referred to as risk mitigation. CMS maintains a suite of dashboards and reports to display and aggregate the results of the risk assessment and continuous assessment activities to support the prioritization of mitigating/remedial actions. The following dashboards and reports support the risk mitigation process.\u003c/p\u003e\u003ch3\u003eOngoing Authorization (OA) Program Dashboard\u003c/h3\u003e\u003cp\u003eThe CMS \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. 
OA trigger fires).\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM) Dashboards\u003c/h3\u003e\u003cp\u003eCMS maintains the following dashboards which support the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM\u003c/a\u003e Vulnerability Management (VULN) and Hardware Asset Management (HWAM) capabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVULN\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVulnerability Monitoring Dashboard – Provides vulnerability data across systems with breakdowns of Open, Reopened, and Remediated items\u003c/li\u003e\u003cli\u003eKnown Exploited Vulnerabilities Dashboard – Provides key metrics associated with the BOD 22-01 requirements including the monthly CISA CVE catalog feed applied to CMS systems and vulnerabilities by data center\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eHWAM\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAsset Details Dashboard – Provides comprehensive HWAM details for CMS System assets by datacenter\u003c/li\u003e\u003cli\u003eMaster Device Record – Provides a high-level overview of CMS assets\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eThe terms ‘continuous’ and ‘ongoing’ in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003eCyber Risk Report\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cyber-risk-reports\"\u003eCMS Cyber Risk Report\u003c/a\u003e communicates cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) Systems. 
ISPG generates Cyber Risk Reports monthly to help Business Owners (BO) and System Owners make risk-based decisions including prioritizing risk remediation activities at the system level.\u003c/p\u003e\u003ch3\u003eHigh Risk Summary\u003c/h3\u003e\u003cp\u003eThe CMS High Risk Summary is a report delivered monthly to the CMS Chief Information Officer, Chief Information Security Officer, and Office of Information Technology (OIT) management. This report aggregates risk across the entire CMS enterprise and is reviewed at the Security Operations Center (SOC) debrief.\u003c/p\u003e\u003ch3\u003eCFACTS POA\u0026amp;M\u003c/h3\u003e\u003cp\u003eStakeholders must use \u003ca href=\"https://security.cms.gov/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e to identify, track, and manage all IT system weaknesses and associated \u003ca href=\"https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"\u003ePlans of Action and Milestones (POA\u0026amp;Ms) \u003c/a\u003eto closure for CMS information systems. The CFACTS POA\u0026amp;M User Guide provides detailed instructions for processing POA\u0026amp;M actions in the CFACTS tracking system.\u003c/p\u003e\u003ch3\u003eContinuous Monitoring\u003c/h3\u003e\u003cp\u003eContinuous Monitoring, which is synonymous with Information Security Continuous Monitoring (ISCM), is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.\u003c/p\u003e\u003cp\u003eThe Department of Health and Human Services maintains an overarching strategy for ISCM. This HHS strategy defines the assessment frequencies for each required security control. CMS complies with the HHS ISCM strategy and further defines the CMS specific assessment frequencies within the CMS Acceptable Risk Safeguards (ARS). 
Security controls are assessed at their defined frequencies by leveraging a variety of capabilities and services available to CMS information systems. The following CMS capabilities and services support the continuous monitoring process.\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM Program\u003c/a\u003e provides a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program delivers cybersecurity tools, integration services, and dashboards that help participating agencies improve their security posture by:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReducing agency threat surface\u003c/li\u003e\u003cli\u003eIncreasing visibility into the federal cybersecurity posture\u003c/li\u003e\u003cli\u003eImproving federal cybersecurity response capabilities\u003c/li\u003e\u003cli\u003eStreamlining Federal Information Security Modernization Act (FISMA) reporting The CDM Program delivers capabilities in four areas:\u003cul\u003e\u003cli\u003eAsset Management | What is on the network?\u003c/li\u003e\u003cli\u003eIdentity and Access Management | Who is on the network?\u003c/li\u003e\u003cli\u003eNetwork Security Management | What is happening on the network? 
How is the network protected?\u003c/li\u003e\u003cli\u003eData Protection Management | How is data protected?\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CDM program aligns with the CDM program outlined by the DHS and is currently focused on implementing the following functional areas related to the asset management capability:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHardware Asset Management (HWAM)\u003c/li\u003e\u003cli\u003eSoftware Asset Management (SWAM)\u003c/li\u003e\u003cli\u003eSoftware Vulnerability Management (VUL)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003ePenetration Testing\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003ePenetration Testing \u003c/a\u003eis security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.\u003c/p\u003e\u003cp\u003eThe CMS Cybersecurity Integration Center (CCIC) maintains penetration testing teams that perform testing on a rolling basis. A system’s ISSO can request an intake form for a penetration test via email to the Pen Test mailbox.\u003c/p\u003e\u003ch3\u003ebatCAVE\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/batcave-infrastructure-service\"\u003ebatCAVE\u003c/a\u003e incorporates enterprise Kubernetes and continuous integration to take software from ideation to production faster. 
By decreasing the time dedicated to audits and alleviating fears associated with updating production code, batCAVE will incentivize faster innovation at CMS.\u003c/p\u003e\u003cp\u003eKey aspects of the batCAVE initiative:\u003c/p\u003e\u003col\u003e\u003cli\u003eReduce burden and obligations to Users\u003c/li\u003e\u003cli\u003eGive Users the knowledge necessary to make better security decisions\u003c/li\u003e\u003cli\u003eIncentivize behavior that strengthens the security posture of applications and CMS as a whole\u003c/li\u003e\u003cli\u003eIncrease transparency and empower distributed decision-making\u003c/li\u003e\u003cli\u003eMeasure, report, and champion the positive behavior rather than punish negative actions\u003c/li\u003e\u003c/ol\u003e\u003ch3\u003eCMS Security Automation Framework (SAF)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/security-automation-framework-saf\"\u003eCMS Security Automation Framework (SAF)\u003c/a\u003e brings together applications, techniques, libraries, and tools developed by the CMS Information Security and Privacy Group (ISPG) and the security community to streamline security automation for systems and DevOps pipelines. 
Benefits of using this framework include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ACT team will accept security testing data from this framework.\u003c/li\u003e\u003cli\u003eDevelopers can harden and run validation security early and often in their environments, using their own orchestration, functional and unit testing systems, to keep security defects as low as possible.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u0026nbsp;Ongoing Authorization\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e is the continuous evaluation of the effectiveness of security control implementations which supports risk determinations and risk acceptance decisions taken at agreed upon and documented frequencies subsequent to the initial authorization (i.e., during ops phase). OA decisions are time-driven and may also be event-driven. OA is not separate from ISCM but in fact is a subset of ISCM activities.\u003c/p\u003e\u003cp\u003eThere are two conditions for a system to participate in OA:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe system must have been granted an initial Authority to Operate (ATO) and must be in the operational phase.\u003c/li\u003e\u003cli\u003eA robust ISCM program is in place that monitors all implemented controls:\u003cul\u003e\u003cli\u003eAt the appropriate frequencies,\u003c/li\u003e\u003cli\u003eWith the appropriate degree of rigor, and\u003c/li\u003e\u003cli\u003eIn accordance with the organization’s ISCM strategy.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eTime Driven Triggers \u003c/strong\u003e– controls are assessed at a discrete frequency as defined by the organization’s ISCM strategy. At CMS the assessment frequencies for each security control are defined within the CMS ARS 5.0.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent Driven Triggers \u003c/strong\u003e– are defined by the organization. 
Examples include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIncrease in defects from ISCM\u003c/li\u003e\u003cli\u003eChange in risk assessment findings\u003c/li\u003e\u003cli\u003eNew threat/vulnerability information\u003c/li\u003e\u003cli\u003eSignificant changes\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eCMS OA Initiative\u003c/h3\u003e\u003cp\u003eCMS is transitioning from the traditional static (i.e. point in time) authorization process to ongoing authorization which will enable a dynamic near real-time understanding of security and privacy risks and will facilitate the prioritization of mitigating and remedial actions. With the implementation of a robust Cyber Risk Management Program, supported by the strategy defined within this plan, systems participating in the OA program would remain in perpetual state of authorization as long as the risks to the system do not exceed the thresholds established in the CMS Ongoing Authorization Framework.\u003c/p\u003e\u003cp\u003eCurrently, the CMS OA program is by invitation only and Business Owners and ISSOs will be notified by email if their system has been selected to participate in the program. 
To be selected for ongoing authorization, systems must meet the following requirements:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHave been granted initial \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eATO\u003c/a\u003e;\u003c/li\u003e\u003cli\u003eBe fully OIT AWS cloud hosted - no hybrids;\u003c/li\u003e\u003cli\u003eHave Security Hub enabled;\u003c/li\u003e\u003cli\u003eKey CDM data feeds must be integrated into CDM architecture (currently HWAM and VUL);\u003c/li\u003e\u003cli\u003eData needs to be integrated into requisite reporting mechanisms and made visible; and\u003c/li\u003e\u003cli\u003eMeet \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\"\u003eOA metrics baseline requirements.\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eOnce placed into the OA program, systems are tracked against defined metrics each with an established risk tolerance (i.e. threshold). Systems comply with the requirements of the OA program as long as each metric remains below the established threshold. The CMS OA Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. OA trigger fires). Each OA trigger has been assigned a severity level which corresponds to a unique workflow which dictates how the system should respond to the trigger. The CMS Ongoing Authorization Program Guide provides more detailed information on the OA Framework including the metrics, triggers, severity levels, and workflows.\u003c/p\u003e\u003ch2\u003eCMS Risk Management Program - Implementing the Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Program aligns the processes, data, technologies, capabilities, and services to effectively manage risk across the enterprise and implement the strategy defined in this plan. 
This program enables a shift to data-driven risk management enabling prioritized investments in cybersecurity by focusing mitigating/remedial efforts where they will reduce the most risk. In addition, a shift to continuous monitoring by leveraging the services and capabilities identified in this plan will enable a near-real-time assessment of risk across the lifecycle of a system and will allow CMS to combat a dynamic threat environment.\u003c/p\u003e\u003cp\u003eTo support the Risk Management Program CMS has implemented data storage using an Enterprise Data Warehouse. The Data Warehouse aggregates relevant security data into repositories that provide consumers the tools to access security data and the means to understand their data in a\u0026nbsp;security context. Refer to Figure 1 for an overview of the CMS Risk Management Program.\u003c/p\u003e\u003ch2\u003eAuthoritative Sources and References\u003c/h2\u003e\u003cp\u003eFederal agencies must proactively manage risk through implementing effective security and privacy capabilities mandated in Office of Management and Budget (OMB) Circulars and Memoranda as well as National Institute of Standards and Technology (NIST) publications, Emergency Directives (ED), Binding Operational Directives (BOD), and the \u003ca href=\"https://www.nist.gov/cyberframework\"\u003eNIST Cyber Security Framework (CSF)\u003c/a\u003e. 
This Plan incorporates guidance from authoritative sources and initiatives including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDepartment of Health \u0026amp; Human Services (HHS) Information Systems Security and Privacy Policy (IS2P) and \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/cms-security-and-privacy-handbooks\"\u003eRisk Management Handbooks (RMH)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act\"\u003eFederal Information Security Modernization Act of 2014\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\"\u003eOMB Circular A-130, Managing Information as a Strategic Resource\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2019/11/M-20-04.pdf\"\u003eOMB Memorandum M-20-04, Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf\"\u003eOMB M-19-03, Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/news-events/directives/binding-operational-directive-22-01\"\u003eBinding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca 
href=\"https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf\"\u003eOMB M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2021/10/M-22-01.pdf\"\u003eOMB\u0026nbsp;M-22-01, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"2af:T5768,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u0026nbsp;Introduction\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) operates information technology (IT) systems that process personally identifiable information (PII) of more than 140 million Americans. The CMS Information Security and Privacy Group (ISPG) is responsible for defining the overarching strategy for managing risk associated with the operation of these information systems. This CMS Cyber Risk Management Plan (CRMP) outlines that strategy. The CMS CRMP is primarily owned by the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP), who oversee its management, evolution, and modification. This plan is regularly updated to align with changes in policy, Office of Information Technology (OIT) direction, federal requirements, and the threat landscape.\u003c/p\u003e\u003cp\u003eRisk Management is the process of managing risk to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf\"\u003eoperation of an information system\u003c/a\u003e. 
Risk Management includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003ethe conduct of a risk assessment;\u003c/li\u003e\u003cli\u003ethe implementation of a risk mitigation strategy; and\u003c/li\u003e\u003cli\u003ethe employment of techniques and procedures for continuous monitoring the security state of the information system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISPG has outlined three objectives that support each of the components of risk management identified above. Together, these objectives form the overarching risk management strategy for CMS information and information systems. The risk management strategy and its associated objectives are described in detail in the Risk Management Strategy section.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Purpose\u003c/h2\u003e\u003cp\u003eThe purpose of the CMS CRMP is to outline the CMS risk management strategy, establish objectives to support that strategy, and establishes a program that aligns the processes, data, programs, technologies, and services with the risk management strategy to accomplish the objectives.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Risk Management Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Strategy establishes the program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation. The strategy includes: assessing risk, responding to risk once determined\u0026nbsp;(i.e. risk mitigation), and monitoring risk over time (i.e. continuous monitoring). To support these components of the risk management strategy CMS has identified three objectives:\u003c/p\u003e\u003col\u003e\u003cli\u003eDevelop and implement capabilities to provide ongoing awareness and visibility into the security posture of CMS information technology assets. 
\u003cem\u003e(Relates to: Risk Assessment)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eDevelop metrics, dashboards, and reports to inform and prioritize remediation efforts. \u003cem\u003e(Relates to: Risk Mitigation)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eImplement capabilities and tools to support continuous assessment and ongoing authorization (OA). \u003cem\u003e(Relates to: Continuous Monitoring)\u003c/em\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe ISPG maintains a pipeline of services and capabilities that support the three objectives identified above. These services and capabilities produce output (i.e. data) that is leveraged to support the CMS risk management strategy and is used to perform ongoing risk management activities. This CRMP establishes a framework to support the implementation of cybersecurity and privacy capabilities to protect CMS information and information systems. The components and services available to support each of the three components of the CMS risk management strategy are identified in the following subsections.\u003c/p\u003e\u003ch2\u003eRisk Assessment\u003c/h2\u003e\u003cp\u003eRisk assessment is part of risk management and incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Through the execution of the risk assessment organizations gain context and a comprehension of the nature of the risk which allows the level of the risk to be determined. 
Risk assessment is synonymous with risk analysis.\u003c/p\u003e\u003cp\u003eThe following CMS capabilities and services provide ongoing awareness into the security posture of CMS information technology assets and support the risk assessment process:\u003c/p\u003e\u003ch3\u003eThreat Modeling\u003c/h3\u003e\u003cp\u003eThreat Modeling is a form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment.\u003c/p\u003e\u003ch3\u003eVulnerability Analysis Services\u003c/h3\u003e\u003cp\u003eCMS has implemented the following capabilities to support the identification and analysis of information system vulnerabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStatic Code Analysis \u003c/strong\u003e– provides tools that analyze source code without executing the code. Static code analyzers are designed to review bodies of source code (at the programming language level) or compiled code (at the machine language level) to identify poor coding practices. 
Static code analyzers provide feedback to developers during the code development phase on security flaws that might be introduced into code.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNetwork Scanning \u003c/strong\u003e– provides tools allowing Users to automatically determine all active devices on the local network.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHost Scanning \u003c/strong\u003e– provides tools to automate the identification of vulnerabilities in an operating system.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDatabase Scanning \u003c/strong\u003e– provides a specialized tool used specifically to identify vulnerabilities in database applications.\u003c/p\u003e\u003ch3\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003eThe Adaptive Capabilities Testing (ACT) Program is now the \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e. This change is a move toward a partnership-based methodology to align with ISPG strategies and the strategic goal of risk-based program management. This change is a holistic approach to assessing risk and will help our partners make better data-driven, risk-based decisions by using analytics to help optimize performance, streamline processes, and reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCSRAP is a security and risk assessment for FISMA systems at CMS. CSRAP assesses a system’s security capabilities to ensure that it operates as intended and meets the security requirements for the information system. CSRAP is a critical component of the \u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process and is used to determine the overall system security and privacy posture throughout the system development life cycle (SDLC). 
For detailed information about CSRAP, see \u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCybersecurity and Risk Assessment Program Handbook\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eRisk Mitigation\u003c/h2\u003e\u003cp\u003eThe act of mitigating a vulnerability or a threat is referred to as risk mitigation. CMS maintains a suite of dashboards and reports to display and aggregate the results of the risk assessment and continuous assessment activities to support the prioritization of mitigating/remedial actions. The following dashboards and reports support the risk mitigation process.\u003c/p\u003e\u003ch3\u003eOngoing Authorization (OA) Program Dashboard\u003c/h3\u003e\u003cp\u003eThe CMS \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. 
OA trigger fires).\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM) Dashboards\u003c/h3\u003e\u003cp\u003eCMS maintains the following dashboards which support the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM\u003c/a\u003e Vulnerability Management (VULN) and Hardware Asset Management (HWAM) capabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVULN\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVulnerability Monitoring Dashboard – Provides vulnerability data across systems with breakdowns of Open, Reopened, and Remediated items\u003c/li\u003e\u003cli\u003eKnown Exploited Vulnerabilities Dashboard – Provides key metrics associated with the BOD 22-01 requirements including the monthly CISA CVE catalog feed applied to CMS systems and vulnerabilities by data center\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eHWAM\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAsset Details Dashboard – Provides comprehensive HWAM details for CMS System assets by datacenter\u003c/li\u003e\u003cli\u003eMaster Device Record – Provides high level overview of CMS assets\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eThe terms ‘continuous’ and ‘ongoing’ in this context mean security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003eCyber Risk Report\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cyber-risk-reports\"\u003eCMS Cyber Risk Report\u003c/a\u003e communicates cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) Systems. 
ISPG generates Cyber Risk Reports monthly to help Business Owners (BO) and System Owners make risk-based decisions including prioritizing risk remediation activities at the system level.\u003c/p\u003e\u003ch3\u003eHigh Risk Summary\u003c/h3\u003e\u003cp\u003eThe CMS High Risk Summary is a report delivered monthly to the CMS Chief Information Officer, Chief Information Security Officer, and Office of Information Technology (OIT) management. This report aggregates risk across the entire CMS enterprise and is reviewed at the Security Operations Center (SOC) debrief.\u003c/p\u003e\u003ch3\u003eCFACTS POA\u0026amp;M\u003c/h3\u003e\u003cp\u003eStakeholders must use \u003ca href=\"https://security.cms.gov/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e to identify, track, and manage all IT system weaknesses and associated \u003ca href=\"https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"\u003ePlans of Action and Milestones (POA\u0026amp;Ms) \u003c/a\u003eto closure for CMS information systems. The CFACTS POA\u0026amp;M User Guide provides detailed instructions for processing POA\u0026amp;M actions in the CFACTS tracking system.\u003c/p\u003e\u003ch3\u003eContinuous Monitoring\u003c/h3\u003e\u003cp\u003eContinuous Monitoring, which is synonymous with Information Security Continuous Monitoring (ISCM), is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.\u003c/p\u003e\u003cp\u003eThe Department of Health and Human Services maintains an overarching strategy for ISCM. This HHS strategy defines the assessment frequencies for each required security control. CMS complies with the HHS ISCM strategy and further defines the CMS specific assessment frequencies within the CMS Acceptable Risk Safeguards (ARS). 
Security controls are assessed at their defined frequencies by leveraging a variety of capabilities and services available to CMS information systems. The following CMS capabilities and services support the continuous monitoring process.\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM Program\u003c/a\u003e provides a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program delivers cybersecurity tools, integration services, and dashboards that help participating agencies improve their security posture by:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReducing agency threat surface\u003c/li\u003e\u003cli\u003eIncreasing visibility into the federal cybersecurity posture\u003c/li\u003e\u003cli\u003eImproving federal cybersecurity response capabilities\u003c/li\u003e\u003cli\u003eStreamlining Federal Information Security Modernization Act (FISMA) reporting The CDM Program delivers capabilities in four areas:\u003cul\u003e\u003cli\u003eAsset Management | What is on the network?\u003c/li\u003e\u003cli\u003eIdentity and Access Management | Who is on the network?\u003c/li\u003e\u003cli\u003eNetwork Security Management | What is happening on the network? 
How is the network protected?\u003c/li\u003e\u003cli\u003eData Protection Management | How is data protected?\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CDM program aligns with the CDM program outlined by the DHS and is currently focused on implementing the following functional areas related to the asset management capability:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHardware Asset Management (HWAM)\u003c/li\u003e\u003cli\u003eSoftware Asset Management (SWAM)\u003c/li\u003e\u003cli\u003eSoftware Vulnerability Management (VUL)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003ePenetration Testing\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003ePenetration Testing \u003c/a\u003eis security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.\u003c/p\u003e\u003cp\u003eThe CMS Cybersecurity Integration Center (CCIC) maintains penetration testing teams that perform testing on a rolling basis. A system’s ISSO can request an intake form for a penetration test via email to the Pen Test mailbox.\u003c/p\u003e\u003ch3\u003ebatCAVE\u003c/h3\u003e\u003cp\u003e\u003ca href=\"http://security.cms.gov/learn/batcave-infrastructure-service\"\u003ebatCAVE\u003c/a\u003e incorporates enterprise Kubernetes and continuous integration to take software from ideation to production faster. 
By decreasing the time dedicated to audits and alleviating fears associated with updating production code, batCAVE will incentivize faster innovation at CMS.\u003c/p\u003e\u003cp\u003eKey aspects of the batCAVE initiative:\u003c/p\u003e\u003col\u003e\u003cli\u003eReduce burden and obligations to Users\u003c/li\u003e\u003cli\u003eGive Users the knowledge necessary to make better security decisions\u003c/li\u003e\u003cli\u003eIncentivize behavior that strengthens the security posture of applications and CMS as a whole\u003c/li\u003e\u003cli\u003eIncrease transparency and empower distributed decision-making\u003c/li\u003e\u003cli\u003eMeasure, report, and champion the positive behavior rather than punish negative actions\u003c/li\u003e\u003c/ol\u003e\u003ch3\u003eCMS Security Automation Framework (SAF)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/security-automation-framework-saf\"\u003eCMS Security Automation Framework (SAF)\u003c/a\u003e brings together applications, techniques, libraries, and tools developed by the CMS Information Security and Privacy Group (ISPG) and the security community to streamline security automation for systems and DevOps pipelines. 
Benefits of using this framework include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ACT team will accept security testing data from this framework.\u003c/li\u003e\u003cli\u003eDevelopers can harden and run validation security early and often in their environments, using their own orchestration, functional and unit testing systems, to keep security defects as low as possible.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u0026nbsp;Ongoing Authorization\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e is the continuous evaluation of the effectiveness of security control implementations which supports risk determinations and risk acceptance decisions taken at agreed upon and documented frequencies subsequent to the initial authorization (i.e., during ops phase). OA decisions are time-driven and may also be event-driven. OA is not separate from ISCM but in fact is a subset of ISCM activities.\u003c/p\u003e\u003cp\u003eThere are two conditions for a system to participate in OA:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe system must have been granted an initial Authority to Operate (ATO) and must be in the operational phase.\u003c/li\u003e\u003cli\u003eA robust ISCM program is in place that monitors all implemented controls:\u003cul\u003e\u003cli\u003eAt the appropriate frequencies,\u003c/li\u003e\u003cli\u003eWith the appropriate degree of rigor, and\u003c/li\u003e\u003cli\u003eIn accordance with the organization’s ISCM strategy.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eTime Driven Triggers \u003c/strong\u003e– controls are assessed at a discrete frequency as defined by the organization’s ISCM strategy. At CMS the assessment frequencies for each security control are defined within the CMS ARS 5.0.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent Driven Triggers \u003c/strong\u003e– are defined by the organization. 
Examples include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIncrease in defects from ISCM\u003c/li\u003e\u003cli\u003eChange in risk assessment findings\u003c/li\u003e\u003cli\u003eNew threat/vulnerability information\u003c/li\u003e\u003cli\u003eSignificant changes\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eCMS OA Initiative\u003c/h3\u003e\u003cp\u003eCMS is transitioning from the traditional static (i.e. point in time) authorization process to ongoing authorization which will enable a dynamic near real-time understanding of security and privacy risks and will facilitate the prioritization of mitigating and remedial actions. With the implementation of a robust Cyber Risk Management Program, supported by the strategy defined within this plan, systems participating in the OA program would remain in perpetual state of authorization as long as the risks to the system do not exceed the thresholds established in the CMS Ongoing Authorization Framework.\u003c/p\u003e\u003cp\u003eCurrently, the CMS OA program is by invitation only and Business Owners and ISSOs will be notified by email if their system has been selected to participate in the program. 
To be selected for ongoing authorization systems must meet the following requirements:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHave been granted initial \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eATO\u003c/a\u003e;\u003c/li\u003e\u003cli\u003eBe fully OIT AWS cloud hosted - no hybrids;\u003c/li\u003e\u003cli\u003eHave Security Hub enabled;\u003c/li\u003e\u003cli\u003eKey CDM data feeds must be integrated into CDM architecture (currently HWAM and VUL);\u003c/li\u003e\u003cli\u003eData needs to be integrated into requisite reporting mechanisms and made visible; and\u003c/li\u003e\u003cli\u003eMeet \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\"\u003eOA metrics baseline requirements.\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eOnce placed into the OA program, systems are tracked against defined metrics each with an established risk tolerance (i.e. threshold). Systems comply with the requirements of the OA program as long as each metric remains below the established threshold. The CMS OA Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. OA trigger fires). Each OA trigger has been assigned a severity level which corresponds to a unique workflow which dictates how the system should respond to the trigger. The CMS Ongoing Authorization Program Guide provides more detailed information on the OA Framework including the metrics, trigger, severity levels, and workflows.\u003c/p\u003e\u003ch2\u003eCMS Risk Management Program - Implementing the Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Program aligns the processes, data, technologies, capabilities, and services to effectively manage risk across the enterprise and implement the strategy defined in this plan. 
This program enables a shift to data-driven risk management enabling prioritized investments in cybersecurity by focusing mitigating/remedial efforts where they will reduce the most risk. In addition, a shift to continuous monitoring by leveraging the services and capabilities identified in this plan will enable a near-real time assessment of risk across the lifecycle of a system and will allow CMS to combat a dynamic threat environment.\u003c/p\u003e\u003cp\u003eTo support the Risk Management Program CMS has implemented data storage using an Enterprise Data Warehouse. The Data Warehouse aggregates relevant security data into repositories that provide consumers the tools to access security data and provide the means to understand their data in a\u0026nbsp;security context. Refer to Figure 1 for an overview of the CMS Risk Management Program.\u003c/p\u003e\u003ch2\u003eAuthoritative Sources and References\u003c/h2\u003e\u003cp\u003eFederal agencies must proactively manage risk through implementing effective security and privacy capabilities mandated in Office of Management and Budget (OMB) Circulars and Memoranda as well as National Institute of Standards and Technology (NIST) publications, Emergency Directives (ED), Binding Operational Directives (BOD), and the \u003ca href=\"https://www.nist.gov/cyberframework\"\u003eNIST Cyber Security Framework (CSF)\u003c/a\u003e. 
This Plan incorporates guidance from authoritative sources and initiatives including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDepartment of Health \u0026amp; Human Services (HHS) Information Systems Security and Privacy Policy (IS2P) and \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/cms-security-and-privacy-handbooks\"\u003eRisk Management Handbooks (RMH)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act\"\u003eFederal Information Security Modernization Act of 2014\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\"\u003eOMB Circular A-130, Managing Information as a Strategic Resource\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2019/11/M-20-04.pdf\"\u003eOMB Memorandum M-20-04, Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf\"\u003eOMB M-19-03, Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/news-events/directives/binding-operational-directive-22-01\"\u003eBinding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca 
href=\"https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf\"\u003eOMB M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2021/10/M-22-01.pdf\"\u003eOMB\u0026nbsp;M-22-01, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"2ad:{\"value\":\"$2ae\",\"format\":\"body_text\",\"processed\":\"$2af\",\"summary\":\"\"}\n2b2:[]\n2b1:{\"uri\":\"entity:node/676\",\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"options\":\"$2b2\",\"url\":\"/learn/continuous-diagnostics-and-mitigation-cdm\"}\n2b4:[]\n2b3:{\"uri\":\"entity:node/771\",\"title\":\"Ongoing Authorization (OA)\",\"options\":\"$2b4\",\"url\":\"/learn/ongoing-authorization-oa\"}\n2b6:[]\n2b5:{\"uri\":\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026modificationDate=1711993052415\u0026api=v2\",\"title\":\" Cybersecurity and Risk Assessment Program Handbook\",\"options\":\"$2b6\",\"url\":\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026modificationDate=1711993052415\u0026api=v2\"}\n2b0:[\"$2b1\",\"$2b3\",\"$2b5\"]\n2b7:{\"value\":\"A plan that defines the overarching strategy for managing risk associated with the operation of CMS FISMA systems. 
\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA plan that defines the overarching strategy for managing risk associated with the operation of CMS FISMA systems.\u003c/p\u003e\\n\"}\n2ab:{\"drupal_internal__nid\":991,\"drupal_internal__vid\":5858,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-07T17:01:12+00:00\",\"status\":true,\"title\":\"CMS Cyber Risk Management Plan (CRMP)\",\"created\":\"2023-05-26T13:14:59+00:00\",\"changed\":\"2024-06-04T15:18:21+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$2ac\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$2ad\",\"field_contact_email\":\"CRMPMO@cms.hhs.gov\",\"field_contact_name\":\"CRM Team\",\"field_last_reviewed\":\"2023-03-27\",\"field_related_resources\":\"$2b0\",\"field_short_description\":\"$2b7\"}\n2bb:{\"drupal_internal__target_id\":\"library\"}\n2ba:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":\"$2bb\"}\n2bd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-"])</script><script>self.__next_f.push([1,"fcd3b96df2d7/node_type?resourceVersion=id%3A5858\"}\n2be:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/node_type?resourceVersion=id%3A5858\"}\n2bc:{\"related\":\"$2bd\",\"self\":\"$2be\"}\n2b9:{\"data\":\"$2ba\",\"links\":\"$2bc\"}\n2c1:{\"drupal_internal__target_id\":107}\n2c0:{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":\"$2c1\"}\n2c3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/revision_uid?resourceVersion=id%3A5858\"}\n2c4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/revision_uid?resour
ceVersion=id%3A5858\"}\n2c2:{\"related\":\"$2c3\",\"self\":\"$2c4\"}\n2bf:{\"data\":\"$2c0\",\"links\":\"$2c2\"}\n2c7:{\"drupal_internal__target_id\":26}\n2c6:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$2c7\"}\n2c9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/uid?resourceVersion=id%3A5858\"}\n2ca:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/uid?resourceVersion=id%3A5858\"}\n2c8:{\"related\":\"$2c9\",\"self\":\"$2ca\"}\n2c5:{\"data\":\"$2c6\",\"links\":\"$2c8\"}\n2cd:{\"drupal_internal__target_id\":96}\n2cc:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"meta\":\"$2cd\"}\n2cf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/field_resource_type?resourceVersion=id%3A5858\"}\n2d0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/field_resource_type?resourceVersion=id%3A5858\"}\n2ce:{\"related\":\"$2cf\",\"self\":\"$2d0\"}\n2cb:{\"data\":\"$2cc\",\"links\":\"$2ce\"}\n2d4:{\"drupal_internal__target_id\":66}\n2d3:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$2d4\"}\n2d6:{\"drupal_internal__target_id\":81}\n2d5:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\"$2d6\"}\n2d8:{\"drupal_internal__target_id\":61}\n2d7:{\"t"])</script><script>self.__next_f.push([1,"ype\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$2d8\"}\n2da:{\"drupal_internal__target_id\":76}\n2d9:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$2da\"}\n2d2:[\"$2d3\",\"$2d5\",\"$2d7\",\"$2d9\"]\n2dc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/field_roles?resourceVersion=id%3A5858\
"}\n2dd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/field_roles?resourceVersion=id%3A5858\"}\n2db:{\"related\":\"$2dc\",\"self\":\"$2dd\"}\n2d1:{\"data\":\"$2d2\",\"links\":\"$2db\"}\n2e1:{\"drupal_internal__target_id\":16}\n2e0:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$2e1\"}\n2e3:{\"drupal_internal__target_id\":36}\n2e2:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$2e3\"}\n2df:[\"$2e0\",\"$2e2\"]\n2e5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/field_topics?resourceVersion=id%3A5858\"}\n2e6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/field_topics?resourceVersion=id%3A5858\"}\n2e4:{\"related\":\"$2e5\",\"self\":\"$2e6\"}\n2de:{\"data\":\"$2df\",\"links\":\"$2e4\"}\n2b8:{\"node_type\":\"$2b9\",\"revision_uid\":\"$2bf\",\"uid\":\"$2c5\",\"field_resource_type\":\"$2cb\",\"field_roles\":\"$2d1\",\"field_topics\":\"$2de\"}\n2a8:{\"type\":\"node--library\",\"id\":\"ccc8540c-c385-44e3-8788-fcd3b96df2d7\",\"links\":\"$2a9\",\"attributes\":\"$2ab\",\"relationships\":\"$2b8\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"2bfd3478-c381-432c-a7ec-53fa803668ee\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee?resourceVersion=id%3A6081\"}},\"attributes\":{\"drupal_internal__nid\":276,\"drupal_internal__vid\":6081,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-15T19:24:02+00:00\",\"status\":true,\"title\":\"Cyber Risk Reports 
(CRR)\",\"created\":\"2022-08-26T15:05:42+00:00\",\"changed\":\"2025-01-14T20:34:25+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cyber-risk-reports\",\"pid\":266,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CRMPMO@cms.hhs.gov\",\"field_contact_name\":\"CRM Team\",\"field_short_description\":{\"value\":\"Reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eReports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cyber-risk-management\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/node_type?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/node_type?resourceVersion=id%3A6081\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":{\"drupal_internal__target_id\":107}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/revision_uid?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/revision_uid?resourceVersion=id%3A6081\"}}},
\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/uid?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/uid?resourceVersion=id%3A6081\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"99eb2a67-6873-48f2-9027-a58a87a1ef43\",\"meta\":{\"target_revision_id\":19976,\"drupal_internal__target_id\":1041}},{\"type\":\"paragraph--page_section\",\"id\":\"55411c7e-d16e-4e24-9ec0-e61d07f1aaab\",\"meta\":{\"target_revision_id\":19981,\"drupal_internal__target_id\":1051}},{\"type\":\"paragraph--page_section\",\"id\":\"1ed92f8d-8be4-41a2-bc9c-e012801a98bf\",\"meta\":{\"target_revision_id\":19986,\"drupal_internal__target_id\":1061}},{\"type\":\"paragraph--page_section\",\"id\":\"9ab563ca-90a0-4ff0-a86c-2b0de01421c2\",\"meta\":{\"target_revision_id\":19996,\"drupal_internal__target_id\":1071}},{\"type\":\"paragraph--page_section\",\"id\":\"d2de38a5-dc24-41cd-9344-bb7d2240b7f4\",\"meta\":{\"target_revision_id\":20006,\"drupal_internal__target_id\":1091}},{\"type\":\"paragraph--page_section\",\"id\":\"8383a3b3-7807-40a8-96f7-0197052ff373\",\"meta\":{\"target_revision_id\":20016,\"drupal_internal__target_id\":1101}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_page_section?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_page_section?resourceVersion=id%3A6081\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"b0c313be-306b-48cd-b0bf-8a70f2bae7fb\",\"meta\":{\"target_revision_id\":20021,\"drupal_internal__target_id\":191
1}},{\"type\":\"paragraph--internal_link\",\"id\":\"32ab944d-d8c2-480b-b01e-85fa1a7eaf17\",\"meta\":{\"target_revision_id\":20026,\"drupal_internal__target_id\":1916}},{\"type\":\"paragraph--internal_link\",\"id\":\"21220e28-a46b-469f-9033-3e3482d07b4e\",\"meta\":{\"target_revision_id\":20031,\"drupal_internal__target_id\":3386}},{\"type\":\"paragraph--internal_link\",\"id\":\"1dc73a64-e5a5-419e-9363-9e91887427be\",\"meta\":{\"target_revision_id\":20036,\"drupal_internal__target_id\":3387}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_related_collection?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_related_collection?resourceVersion=id%3A6081\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_resource_type?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_resource_type?resourceVersion=id%3A6081\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-
c381-432c-a7ec-53fa803668ee/field_roles?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_roles?resourceVersion=id%3A6081\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_topics?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_topics?resourceVersion=id%3A6081\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at 
CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/7e79c546-d123-46dd-9480-b7f2e7d81691\"}},\"attributes\":{\"display_name\":\"gollange\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4?resourceVersion=id%3A121\"}},\"attributes\":{\"drupal_internal__tid\":121,\"drupal_internal__revision_id\":121,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:12+00:00\",\"status\":true,\"name\":\"Tools / 
Services\",\"description\":null,\"weight\":5,\"changed\":\"2023-06-14T19:04:09+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/vid?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/vid?resourceVersion=id%3A121\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/revision_user?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/revision_user?resourceVersion=id%3A121\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/parent?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/parent?resourceVersion=id%3A121\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"ht
tps://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersio
n=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/mo
dules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}},\"attributes\":{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}}},\"parent\":{\"data
\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"99eb2a67-6873-48f2-9027-a58a87a1ef43\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/99eb2a67-6873-48f2-9027-a58a87a1ef43?resourceVersion=id%3A19976\"}},\"attributes\":{\"drupal_internal__id\":1041,\"drupal_internal__revision_id\":19976,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T15:47:05+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"\u003ch2\u003e\u003cstrong\u003eWhat are Cyber Risk Reports?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCyber Risk Reports are provided monthly by ISPG to communicate cyber risk metrics in a consistent manner across all \u003ca href=\\\"/learn/federal-information-systems-management-act-fisma\\\"\u003eFederal Information Security Management Act (FISMA)\u003c/a\u003e systems. 
These reports help Business and System Owners make risk-based decisions and prioritize risk remediation activities at the system level.\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2\u003e\u003cstrong\u003eWhat are Cyber Risk Reports?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCyber Risk Reports are provided monthly by ISPG to communicate cyber risk metrics in a consistent manner across all \u003ca href=\\\"/learn/federal-information-systems-management-act-fisma\\\"\u003eFederal Information Security Management Act (FISMA)\u003c/a\u003e systems. These reports help Business and System Owners make risk-based decisions and prioritize risk remediation activities at the system level.\u003c/p\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/99eb2a67-6873-48f2-9027-a58a87a1ef43/paragraph_type?resourceVersion=id%3A19976\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/99eb2a67-6873-48f2-9027-a58a87a1ef43/relationships/paragraph_type?resourceVersion=id%3A19976\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id\":\"04fa58c5-1639-4b2c-bc43-d4624d84d942\",\"meta\":{\"target_revision_id\":19971,\"drupal_internal__target_id\":1036}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/99eb2a67-6873-48f2-9027-a58a87a1ef43/field_specialty_item?resourceVersion=id%3A19976\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/99eb2a67-6873-48f2-9027-a58a87a1ef43/relationships/field_specialty_item?resourceVersion=id%3A19976\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"55411c7e-d16e-4e24-9ec0-e61d07f1aaab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragr
aph/page_section/55411c7e-d16e-4e24-9ec0-e61d07f1aaab?resourceVersion=id%3A19981\"}},\"attributes\":{\"drupal_internal__id\":1051,\"drupal_internal__revision_id\":19981,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T15:51:20+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"\u003ch3\u003e\u003cstrong\u003eWho can access the reports?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Cyber Risk Reports are sent to all component leadership, including Business Owners (such as ISSOs and CRAs) and to CMS Senior Leadership (such as the COO, CISO, and CIO). Additionally, in compliance with FISMA reporting, this data is also shared with HHS and DHS.\u003c/p\u003e\u003cp\u003eContractor ISSOs and contractor Business Owners working with CMS FISMA systems can also access the reports, using a CFACTS job code. You will also need to be assigned a role and as a stakeholder to a specific FISMA package(s). Contact the CRM PMO team at \u003ca href=\\\"mailto:CDMPMO@cms.hhs.gov\\\"\u003eCDMPMO@cms.hhs.gov\u003c/a\u003e to obtain the SOP for Tableau Access that will include the appropriate job codes for access.\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch3\u003e\u003cstrong\u003eWho can access the reports?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Cyber Risk Reports are sent to all component leadership, including Business Owners (such as ISSOs and CRAs) and to CMS Senior Leadership (such as the COO, CISO, and CIO). Additionally, in compliance with FISMA reporting, this data is also shared with HHS and DHS.\u003c/p\u003e\u003cp\u003eContractor ISSOs and contractor Business Owners working with CMS FISMA systems can also access the reports, using a CFACTS job code. You will also need to be assigned a role and as a stakeholder to a specific FISMA package(s). 
Contact the CRM PMO team at \u003ca href=\\\"mailto:CDMPMO@cms.hhs.gov\\\"\u003eCDMPMO@cms.hhs.gov\u003c/a\u003e to obtain the SOP for Tableau Access that will include the appropriate job codes for access.\u003c/p\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/55411c7e-d16e-4e24-9ec0-e61d07f1aaab/paragraph_type?resourceVersion=id%3A19981\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/55411c7e-d16e-4e24-9ec0-e61d07f1aaab/relationships/paragraph_type?resourceVersion=id%3A19981\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/55411c7e-d16e-4e24-9ec0-e61d07f1aaab/field_specialty_item?resourceVersion=id%3A19981\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/55411c7e-d16e-4e24-9ec0-e61d07f1aaab/relationships/field_specialty_item?resourceVersion=id%3A19981\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"1ed92f8d-8be4-41a2-bc9c-e012801a98bf\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/1ed92f8d-8be4-41a2-bc9c-e012801a98bf?resourceVersion=id%3A19986\"}},\"attributes\":{\"drupal_internal__id\":1061,\"drupal_internal__revision_id\":19986,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:02:09+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"\u003ch3\u003e\u003cstrong\u003eISSO Reports\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eISSO Reports are a specific kind of Cyber Risk Report that help ISSOs identify security and privacy risks 
(along with ways to mitigate them) for their systems. These reports make it easier to spot things like overdue POA\u0026amp;Ms, expiring Contingency Plans, and other areas where ISSOs need to take action. You can access ISSO reports from the \u003ca href=\\\"https://tableau.bi.cms.gov/#/site/CEDE/projects/51?:origin=card_share_link\\\" target=\\\"_blank\\\"\u003eCyber Risk Dashboards\u003c/a\u003e (CMS internal link).\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch3\u003e\u003cstrong\u003eISSO Reports\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eISSO Reports are a specific kind of Cyber Risk Report that help ISSOs identify security and privacy risks (along with ways to mitigate them) for their systems. These reports make it easier to spot things like overdue POA\u0026amp;Ms, expiring Contingency Plans, and other areas where ISSOs need to take action. You can access ISSO reports from the \u003ca href=\\\"https://tableau.bi.cms.gov/#/site/CEDE/projects/51?:origin=card_share_link\\\" target=\\\"_blank\\\"\u003eCyber Risk Dashboards\u003c/a\u003e (CMS internal 
link).\u003c/p\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/1ed92f8d-8be4-41a2-bc9c-e012801a98bf/paragraph_type?resourceVersion=id%3A19986\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/1ed92f8d-8be4-41a2-bc9c-e012801a98bf/relationships/paragraph_type?resourceVersion=id%3A19986\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/1ed92f8d-8be4-41a2-bc9c-e012801a98bf/field_specialty_item?resourceVersion=id%3A19986\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/1ed92f8d-8be4-41a2-bc9c-e012801a98bf/relationships/field_specialty_item?resourceVersion=id%3A19986\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"9ab563ca-90a0-4ff0-a86c-2b0de01421c2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ab563ca-90a0-4ff0-a86c-2b0de01421c2?resourceVersion=id%3A19996\"}},\"attributes\":{\"drupal_internal__id\":1071,\"drupal_internal__revision_id\":19996,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:03:09+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ab563ca-90a0-4ff0-a86c-2b0de01421c2/paragraph_
type?resourceVersion=id%3A19996\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ab563ca-90a0-4ff0-a86c-2b0de01421c2/relationships/paragraph_type?resourceVersion=id%3A19996\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id\":\"54cab91c-d651-4073-87dc-44d440777a1f\",\"meta\":{\"target_revision_id\":19991,\"drupal_internal__target_id\":1066}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ab563ca-90a0-4ff0-a86c-2b0de01421c2/field_specialty_item?resourceVersion=id%3A19996\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/9ab563ca-90a0-4ff0-a86c-2b0de01421c2/relationships/field_specialty_item?resourceVersion=id%3A19996\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"d2de38a5-dc24-41cd-9344-bb7d2240b7f4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d2de38a5-dc24-41cd-9344-bb7d2240b7f4?resourceVersion=id%3A20006\"}},\"attributes\":{\"drupal_internal__id\":1091,\"drupal_internal__revision_id\":20006,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:11:07+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"\u003ch3\u003e\u003cstrong\u003eVulnerability Dashboard\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Vulnerability Dashboard provides an overview of vulnerabilities found in the system and helps Business Owners prioritize which ones to remediate first.\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch3\u003e\u003cstrong\u003eVulnerability Dashboard\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Vulnerability Dashboard provides an overview of vulnerabilities found in the system and helps Business Owners prioritize which ones to remediate 
first.\u003c/p\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d2de38a5-dc24-41cd-9344-bb7d2240b7f4/paragraph_type?resourceVersion=id%3A20006\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d2de38a5-dc24-41cd-9344-bb7d2240b7f4/relationships/paragraph_type?resourceVersion=id%3A20006\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id\":\"ff05557c-19b2-4cf8-91ed-6cb2b3ceb662\",\"meta\":{\"target_revision_id\":20001,\"drupal_internal__target_id\":1086}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d2de38a5-dc24-41cd-9344-bb7d2240b7f4/field_specialty_item?resourceVersion=id%3A20006\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d2de38a5-dc24-41cd-9344-bb7d2240b7f4/relationships/field_specialty_item?resourceVersion=id%3A20006\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"8383a3b3-7807-40a8-96f7-0197052ff373\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8383a3b3-7807-40a8-96f7-0197052ff373?resourceVersion=id%3A20016\"}},\"attributes\":{\"drupal_internal__id\":1101,\"drupal_internal__revision_id\":20016,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:13:19+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"\u003ch3\u003e\u003cstrong\u003eOngoing Authorization Program Dashboard\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003ca href=\\\"/learn/ongoing-authorization\\\"\u003eOngoing Authorization (OA)\u003c/a\u003e is closely tied to CMS’ 
goals for a proactive, risk-based approach to system security. Rather than going through the traditional, compliance-focused Authorization to Operate (ATO) process, a system can be approved to operate through OA, which focuses on continuous risk identification and management. The Ongoing Authorization Program Dashboard helps ISSOs and other security professionals to quickly identify what parts of their system meet the requirements for OA, and what steps they need to take (either to achieve or maintain OA).\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch3\u003e\u003cstrong\u003eOngoing Authorization Program Dashboard\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003ca href=\\\"/learn/ongoing-authorization\\\"\u003eOngoing Authorization (OA)\u003c/a\u003e is closely tied to CMS’ goals for a proactive, risk-based approach to system security. Rather than going through the traditional, compliance-focused Authorization to Operate (ATO) process, a system can be approved to operate through OA, which focuses on continuous risk identification and management. 
The Ongoing Authorization Program Dashboard helps ISSOs and other security professionals to quickly identify what parts of their system meet the requirements for OA, and what steps they need to take (either to achieve or maintain OA).\u003c/p\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8383a3b3-7807-40a8-96f7-0197052ff373/paragraph_type?resourceVersion=id%3A20016\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8383a3b3-7807-40a8-96f7-0197052ff373/relationships/paragraph_type?resourceVersion=id%3A20016\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id\":\"9e3ff387-df41-430c-bfd9-394cdef3bf60\",\"meta\":{\"target_revision_id\":20011,\"drupal_internal__target_id\":1096}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8383a3b3-7807-40a8-96f7-0197052ff373/field_specialty_item?resourceVersion=id%3A20016\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/8383a3b3-7807-40a8-96f7-0197052ff373/relationships/field_specialty_item?resourceVersion=id%3A20016\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"04fa58c5-1639-4b2c-bc43-d4624d84d942\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/04fa58c5-1639-4b2c-bc43-d4624d84d942?resourceVersion=id%3A19971\"}},\"attributes\":{\"drupal_internal__id\":1036,\"drupal_internal__revision_id\":19971,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T15:47:51+00:00\",\"parent_id\":\"1041\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":{\"uri\":\"ht
tps://tableau.bi.cms.gov/#/site/CEDE/projects/51?:origin=card_share_link\",\"title\":\"\",\"options\":[],\"url\":\"https://tableau.bi.cms.gov/#/site/CEDE/projects/51?:origin=card_share_link\"},\"field_call_out_link_text\":\"Go to the dashboards\",\"field_call_out_text\":{\"value\":\"Ready to dive in? You can jump right to your Cyber Risk Dashboards from here, but you will need to have access to your Tableau and CFACTS (job codes) accounts.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eReady to dive in? You can jump right to your Cyber Risk Dashboards from here, but you will need to have access to your Tableau and CFACTS (job codes) accounts.\u003c/p\u003e\\n\"},\"field_header\":\"View Cyber Risk Reports\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/04fa58c5-1639-4b2c-bc43-d4624d84d942/paragraph_type?resourceVersion=id%3A19971\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/04fa58c5-1639-4b2c-bc43-d4624d84d942/relationships/paragraph_type?resourceVersion=id%3A19971\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"54cab91c-d651-4073-87dc-44d440777a1f\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/54cab91c-d651-4073-87dc-44d440777a1f?resourceVersion=id%3A19991\"}},\"attributes\":{\"drupal_internal__id\":1066,\"drupal_internal__revision_id\":19991,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:05:47+00:00\",\"parent_id\":\"1071\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":{\"uri\":\"https://confluenceent.cms.gov/display/ISPG/Next+Generation+Dashboard+Quick+Look+Guides?p
review=/298341730/298341948/Known%20Exploited%20Vulnerabilities%20Dashboard%20-%20Quick%20Start%20Guide.pdf\",\"title\":\"\",\"options\":[],\"url\":\"https://confluenceent.cms.gov/display/ISPG/Next+Generation+Dashboard+Quick+Look+Guides?preview=/298341730/298341948/Known%20Exploited%20Vulnerabilities%20Dashboard%20-%20Quick%20Start%20Guide.pdf\"},\"field_call_out_link_text\":\"See the KEV Dashboard guide\",\"field_call_out_text\":{\"value\":\"Learn how to access, customize, and manage the KEV Dashboard. (CMS internal link)\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eLearn how to access, customize, and manage the KEV Dashboard. (CMS internal link)\u003c/p\u003e\\n\"},\"field_header\":\"Quick start guide\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/54cab91c-d651-4073-87dc-44d440777a1f/paragraph_type?resourceVersion=id%3A19991\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/54cab91c-d651-4073-87dc-44d440777a1f/relationships/paragraph_type?resourceVersion=id%3A19991\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"ff05557c-19b2-4cf8-91ed-6cb2b3ceb662\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/ff05557c-19b2-4cf8-91ed-6cb2b3ceb662?resourceVersion=id%3A20001\"}},\"attributes\":{\"drupal_internal__id\":1086,\"drupal_internal__revision_id\":20001,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:11:19+00:00\",\"parent_id\":\"1091\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":{\"uri\":\"https://confluenceent.cms.gov/display/ISPG/Next+Generation+Dashboard+Quick+Look+Guides?
preview=/298341730/298341950/Vulnerability%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20(1).pdf\",\"title\":\"\",\"options\":[],\"url\":\"https://confluenceent.cms.gov/display/ISPG/Next+Generation+Dashboard+Quick+Look+Guides?preview=/298341730/298341950/Vulnerability%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20%281%29.pdf\"},\"field_call_out_link_text\":\"See the Vulnerability Dashboard guide\",\"field_call_out_text\":{\"value\":\"Learn how to access and use the Vulnerability Dashboard. (CMS internal link)\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eLearn how to access and use the Vulnerability Dashboard. (CMS internal link)\u003c/p\u003e\\n\"},\"field_header\":\"Quick start guide\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/ff05557c-19b2-4cf8-91ed-6cb2b3ceb662/paragraph_type?resourceVersion=id%3A20001\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/ff05557c-19b2-4cf8-91ed-6cb2b3ceb662/relationships/paragraph_type?resourceVersion=id%3A20001\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"9e3ff387-df41-430c-bfd9-394cdef3bf60\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/9e3ff387-df41-430c-bfd9-394cdef3bf60?resourceVersion=id%3A20011\"}},\"attributes\":{\"drupal_internal__id\":1096,\"drupal_internal__revision_id\":20011,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:13:36+00:00\",\"parent_id\":\"1101\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":{\"uri\":\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=195122542\u0026preview=/195122542/250712614
/OA%20Program%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20102721_Final.pdf\",\"title\":\"\",\"options\":[],\"url\":\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=195122542\u0026preview=/195122542/250712614/OA%20Program%20Dashboard%20-%20Quick%20Start%20Guide%201.0%20102721_Final.pdf\"},\"field_call_out_link_text\":\"See the OA Dashboard guide\",\"field_call_out_text\":{\"value\":\"Learn how to access and use the Ongoing Authorization Program Dashboard. (CMS internal link)\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eLearn how to access and use the Ongoing Authorization Program Dashboard. (CMS internal link)\u003c/p\u003e\\n\"},\"field_header\":\"Quick start guide\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/9e3ff387-df41-430c-bfd9-394cdef3bf60/paragraph_type?resourceVersion=id%3A20011\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/9e3ff387-df41-430c-bfd9-394cdef3bf60/relationships/paragraph_type?resourceVersion=id%3A20011\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"b0c313be-306b-48cd-b0bf-8a70f2bae7fb\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b0c313be-306b-48cd-b0bf-8a70f2bae7fb?resourceVersion=id%3A20021\"}},\"attributes\":{\"drupal_internal__id\":1911,\"drupal_internal__revision_id\":20021,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T20:26:59+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\
"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b0c313be-306b-48cd-b0bf-8a70f2bae7fb/paragraph_type?resourceVersion=id%3A20021\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b0c313be-306b-48cd-b0bf-8a70f2bae7fb/relationships/paragraph_type?resourceVersion=id%3A20021\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"a279358b-5b24-49bc-a98e-11681bd7e65c\",\"meta\":{\"drupal_internal__target_id\":326}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b0c313be-306b-48cd-b0bf-8a70f2bae7fb/field_link?resourceVersion=id%3A20021\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b0c313be-306b-48cd-b0bf-8a70f2bae7fb/relationships/field_link?resourceVersion=id%3A20021\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"32ab944d-d8c2-480b-b01e-85fa1a7eaf17\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/32ab944d-d8c2-480b-b01e-85fa1a7eaf17?resourceVersion=id%3A20026\"}},\"attributes\":{\"drupal_internal__id\":1916,\"drupal_internal__revision_id\":20026,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T20:27:36+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/32ab944d-d8c2-480b-b01e-85fa1a7eaf17/paragraph_type?resourceVersion=id%3A20026\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/32ab944d-d8c2-480b-b01e-85fa1a7eaf17/r
elationships/paragraph_type?resourceVersion=id%3A20026\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"meta\":{\"drupal_internal__target_id\":676}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/32ab944d-d8c2-480b-b01e-85fa1a7eaf17/field_link?resourceVersion=id%3A20026\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/32ab944d-d8c2-480b-b01e-85fa1a7eaf17/relationships/field_link?resourceVersion=id%3A20026\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"21220e28-a46b-469f-9033-3e3482d07b4e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/21220e28-a46b-469f-9033-3e3482d07b4e?resourceVersion=id%3A20031\"}},\"attributes\":{\"drupal_internal__id\":3386,\"drupal_internal__revision_id\":20031,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-07-08T12:38:09+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/21220e28-a46b-469f-9033-3e3482d07b4e/paragraph_type?resourceVersion=id%3A20031\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/21220e28-a46b-469f-9033-3e3482d07b4e/relationships/paragraph_type?resourceVersion=id%3A20031\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"meta\":{\"drupal_internal__target_id\":771}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/21220e28-a46b-469f-9033-3e3482d07b4e/field_link?r
esourceVersion=id%3A20031\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/21220e28-a46b-469f-9033-3e3482d07b4e/relationships/field_link?resourceVersion=id%3A20031\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"1dc73a64-e5a5-419e-9363-9e91887427be\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1dc73a64-e5a5-419e-9363-9e91887427be?resourceVersion=id%3A20036\"}},\"attributes\":{\"drupal_internal__id\":3387,\"drupal_internal__revision_id\":20036,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-07-08T12:38:20+00:00\",\"parent_id\":\"276\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1dc73a64-e5a5-419e-9363-9e91887427be/paragraph_type?resourceVersion=id%3A20036\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1dc73a64-e5a5-419e-9363-9e91887427be/relationships/paragraph_type?resourceVersion=id%3A20036\"}}},\"field_link\":{\"data\":{\"type\":\"node--library\",\"id\":\"ccc8540c-c385-44e3-8788-fcd3b96df2d7\",\"meta\":{\"drupal_internal__target_id\":991}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1dc73a64-e5a5-419e-9363-9e91887427be/field_link?resourceVersion=id%3A20036\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1dc73a64-e5a5-419e-9363-9e91887427be/relationships/field_link?resourceVersion=id%3A20036\"}}}}},{\"type\":\"node--explainer\",\"id\":\"a279358b-5b24-49bc-a98e-11681bd7e65c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/e
xplainer/a279358b-5b24-49bc-a98e-11681bd7e65c?resourceVersion=id%3A5942\"}},\"attributes\":{\"drupal_internal__nid\":326,\"drupal_internal__vid\":5942,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-17T14:55:23+00:00\",\"status\":true,\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"created\":\"2022-08-29T15:22:00+00:00\",\"changed\":\"2024-10-17T14:55:23+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/fedramp\",\"pid\":316,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"FedRAMP@cms.hhs.gov\",\"field_contact_name\":\"CMS FedRAMP PMO\",\"field_short_description\":{\"value\":\"Provides a federally-recognized and standardized security framework for all cloud products and services\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProvides a federally-recognized and standardized security framework for all cloud products and 
services\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#fedramp\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/node_type?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/node_type?resourceVersion=id%3A5942\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"d3421e1d-1fda-4bd0-83ab-e404455b0e66\",\"meta\":{\"drupal_internal__target_id\":114}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/revision_uid?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/revision_uid?resourceVersion=id%3A5942\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/uid?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/uid?resourceVersion=id%3A5942\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"2ce39e48-81e4-4bea-a0ff-04f25ddd0041\",\"meta\":{\"target_revision_id\":19451,\"drupal_internal__target_id\":1171}},{\"type\":\"paragraph--page_section\",\"id\":\"77ea2e89-2433-4815-b869-52b2d900029e\",\"meta\":{\"target_revision_id\":19452,\"drupal_internal__target_id\":1211}},{\"type\":\"paragraph--page_section\",\"id\":\"deedf0fe-44e9-4015-90a1-f86ce6cbaf24\",\"meta\":{\"target_revision_id\":19462,\"drupal_internal__
target_id\":3431}},{\"type\":\"paragraph--page_section\",\"id\":\"2b2216d8-24c3-4940-930f-6e79f68a279a\",\"meta\":{\"target_revision_id\":19472,\"drupal_internal__target_id\":1261}},{\"type\":\"paragraph--page_section\",\"id\":\"cbda5c42-489d-4480-85f5-db10db44de3e\",\"meta\":{\"target_revision_id\":19474,\"drupal_internal__target_id\":1266}},{\"type\":\"paragraph--page_section\",\"id\":\"37970dd4-a515-4370-a09f-f5177c2f98c2\",\"meta\":{\"target_revision_id\":19475,\"drupal_internal__target_id\":3433}},{\"type\":\"paragraph--page_section\",\"id\":\"434b1960-73e8-43fa-9b9e-253ce35fa55a\",\"meta\":{\"target_revision_id\":19476,\"drupal_internal__target_id\":3434}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_page_section?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_page_section?resourceVersion=id%3A5942\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"7a5f06f0-e0ba-4ed2-aade-79b2233ec125\",\"meta\":{\"target_revision_id\":19477,\"drupal_internal__target_id\":1956}},{\"type\":\"paragraph--internal_link\",\"id\":\"61509c21-9c9e-48d0-8110-b98574cee727\",\"meta\":{\"target_revision_id\":19478,\"drupal_internal__target_id\":1961}},{\"type\":\"paragraph--internal_link\",\"id\":\"c2480fc7-b7c3-49d4-8643-cd42bcd3b56b\",\"meta\":{\"target_revision_id\":19479,\"drupal_internal__target_id\":1966}},{\"type\":\"paragraph--internal_link\",\"id\":\"63dffb2c-c587-4991-8523-142b2378a5aa\",\"meta\":{\"target_revision_id\":19480,\"drupal_internal__target_id\":3435}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_related_collection?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relations
hips/field_related_collection?resourceVersion=id%3A5942\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_resource_type?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_resource_type?resourceVersion=id%3A5942\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_roles?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_roles?resourceVersion=id%3A5942\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":{\"drupal_internal__target_id\":21}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_topics?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_topics?resourceVersion=id%3A5942\"}}}}},{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08
?resourceVersion=id%3A5525\"}},\"attributes\":{\"drupal_internal__nid\":676,\"drupal_internal__vid\":5525,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-04T17:13:19+00:00\",\"status\":true,\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"created\":\"2023-02-04T14:55:07+00:00\",\"changed\":\"2024-06-04T17:13:19+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"pid\":666,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CDMPMO@cms.hhs.gov\",\"field_contact_name\":\"CDM team\",\"field_short_description\":{\"value\":\"Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eAutomated scanning and risk analysis to strengthen the security posture of CMS FISMA 
systems\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cyber-risk-management\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/node_type?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/node_type?resourceVersion=id%3A5525\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":{\"drupal_internal__target_id\":107}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/revision_uid?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/revision_uid?resourceVersion=id%3A5525\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/uid?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/uid?resourceVersion=id%3A5525\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"8b7bda2b-e3dc-4760-9901-27255f14ff41\",\"meta\":{\"target_revision_id\":17929,\"drupal_internal__target_id\":546}},{\"type\":\"paragraph--page_section\",\"id\":\"8e76f588-fd94-4439-b7e3-73c8b83e3500\",\"meta\":{\"target_revision_id\":17930,\"drupal_internal__target_id\":551}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_page_s
ection?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_page_section?resourceVersion=id%3A5525\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"bc285af3-dba7-4a12-8881-a8fed446dded\",\"meta\":{\"target_revision_id\":17931,\"drupal_internal__target_id\":1891}},{\"type\":\"paragraph--internal_link\",\"id\":\"1bc4b03f-652f-4fbf-8024-43e830b4b0a3\",\"meta\":{\"target_revision_id\":17932,\"drupal_internal__target_id\":1896}},{\"type\":\"paragraph--internal_link\",\"id\":\"05f865ef-4960-439b-9fca-9e7d70dfbe39\",\"meta\":{\"target_revision_id\":17933,\"drupal_internal__target_id\":1906}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_related_collection?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_related_collection?resourceVersion=id%3A5525\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_resource_type?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_resource_type?resourceVersion=id%3A5525\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-
2cecc9300e08/field_roles?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_roles?resourceVersion=id%3A5525\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_topics?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_topics?resourceVersion=id%3A5525\"}}}}},{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf?resourceVersion=id%3A5861\"}},\"attributes\":{\"drupal_internal__nid\":771,\"drupal_internal__vid\":5861,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-08T14:51:46+00:00\",\"status\":true,\"title\":\"Ongoing Authorization (OA)\",\"created\":\"2023-03-06T21:09:39+00:00\",\"changed\":\"2024-08-08T14:51:46+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/ongoing-authorization-oa\",\"pid\":751,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring 
activities\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSupporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#oa-onboarding \",\"#security_community \",\"#CMS-CDM\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/node_type?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/node_type?resourceVersion=id%3A5861\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/revision_uid?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/revision_uid?resourceVersion=id%3A5861\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/uid?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/uid?resourceVersion=id%3A5861\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"8e64b2f7-d23c-4782-b0e3-e3b850374054\",\"meta\":{\"target_revision_id\":19161,\"drupal_internal__target_id\":2336}},{\"type\":\"paragraph--page_section\",\"id\":\"53ba39d8-a757-47cf-9d7e-e7a23389889e\",\"met
a\":{\"target_revision_id\":19169,\"drupal_internal__target_id\":2351}},{\"type\":\"paragraph--page_section\",\"id\":\"123ffcec-1914-4725-a582-5c61bd8c9241\",\"meta\":{\"target_revision_id\":19171,\"drupal_internal__target_id\":2386}},{\"type\":\"paragraph--page_section\",\"id\":\"e5ef118a-a42b-4cfb-b5a6-cebc127739d3\",\"meta\":{\"target_revision_id\":19172,\"drupal_internal__target_id\":2426}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_page_section?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_page_section?resourceVersion=id%3A5861\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"de5326cf-552a-427c-9781-a4912ad4e45a\",\"meta\":{\"target_revision_id\":19173,\"drupal_internal__target_id\":2466}},{\"type\":\"paragraph--internal_link\",\"id\":\"b5f6c429-201a-4f5f-ae6e-05b6e235ddbc\",\"meta\":{\"target_revision_id\":19174,\"drupal_internal__target_id\":2471}},{\"type\":\"paragraph--internal_link\",\"id\":\"5a2be300-e6a0-41ff-9db9-5b88b77f18f2\",\"meta\":{\"target_revision_id\":19175,\"drupal_internal__target_id\":2476}},{\"type\":\"paragraph--internal_link\",\"id\":\"a7539e73-da37-44b0-ad17-9c481c5e89e9\",\"meta\":{\"target_revision_id\":19176,\"drupal_internal__target_id\":2481}},{\"type\":\"paragraph--internal_link\",\"id\":\"4f862230-6bb8-4954-b295-52e00e609ba5\",\"meta\":{\"target_revision_id\":19177,\"drupal_internal__target_id\":2486}},{\"type\":\"paragraph--internal_link\",\"id\":\"8f0f75de-c261-41da-9ef7-06ccd80efb66\",\"meta\":{\"target_revision_id\":19178,\"drupal_internal__target_id\":2491}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_related_collection?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/e
xplainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_related_collection?resourceVersion=id%3A5861\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_resource_type?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_resource_type?resourceVersion=id%3A5861\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_roles?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_roles?resourceVersion=id%3A5861\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_topics?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_topics?resourceVersion=id%3A5861\"}}}}},{\"type\":
\"node--library\",\"id\":\"ccc8540c-c385-44e3-8788-fcd3b96df2d7\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7?resourceVersion=id%3A5858\"}},\"attributes\":{\"drupal_internal__nid\":991,\"drupal_internal__vid\":5858,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-07T17:01:12+00:00\",\"status\":true,\"title\":\"CMS Cyber Risk Management Plan (CRMP)\",\"created\":\"2023-05-26T13:14:59+00:00\",\"changed\":\"2024-06-04T15:18:21+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-cyber-risk-management-plan-crmp\",\"pid\":846,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\",\"summary\":\"\"},\"field_contact_email\":\"CRMPMO@cms.hhs.gov\",\"field_contact_name\":\"CRM Team\",\"field_last_reviewed\":\"2023-03-27\",\"field_related_resources\":[{\"uri\":\"entity:node/676\",\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"options\":[],\"url\":\"/learn/continuous-diagnostics-and-mitigation-cdm\"},{\"uri\":\"entity:node/771\",\"title\":\"Ongoing Authorization (OA)\",\"options\":[],\"url\":\"/learn/ongoing-authorization-oa\"},{\"uri\":\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026modificationDate=1711993052415\u0026api=v2\",\"title\":\" Cybersecurity and Risk Assessment Program Handbook\",\"options\":[],\"url\":\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026modificationDate=1711993052415\u0026api=v2\"}],\"field_short_description\":{\"value\":\"A plan that defines the overarching strategy for managing risk associated with the 
operation of CMS FISMA systems. \",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA plan that defines the overarching strategy for managing risk associated with the operation of CMS FISMA systems.\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/node_type?resourceVersion=id%3A5858\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/node_type?resourceVersion=id%3A5858\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":{\"drupal_internal__target_id\":107}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/revision_uid?resourceVersion=id%3A5858\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/revision_uid?resourceVersion=id%3A5858\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/uid?resourceVersion=id%3A5858\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/uid?resourceVersion=id%3A5858\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"meta\":{\"drupal_internal__target_id\":96}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/field_resource_type?resourceVersion=id%3A5858\"},\"self\":{\"href\":\"h
ttps://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/field_resource_type?resourceVersion=id%3A5858\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/field_roles?resourceVersion=id%3A5858\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/field_roles?resourceVersion=id%3A5858\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/field_topics?resourceVersion=id%3A5858\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/field_topics?resourceVersion=id%3A5858\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1c\",\"7e79c546-d123-46dd-9480-b7f2e7d81691\":\"$26\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$2a\",\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\":\"$2e\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$48\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$62\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$7c\",\"feb4e85d
-429e-48b0-92f0-3d2da2c5056e\":\"$96\",\"65ef6410-4066-4db4-be03-c8eb26b63305\":\"$b0\",\"99eb2a67-6873-48f2-9027-a58a87a1ef43\":\"$ca\",\"55411c7e-d16e-4e24-9ec0-e61d07f1aaab\":\"$dd\",\"1ed92f8d-8be4-41a2-bc9c-e012801a98bf\":\"$ee\",\"9ab563ca-90a0-4ff0-a86c-2b0de01421c2\":\"$ff\",\"d2de38a5-dc24-41cd-9344-bb7d2240b7f4\":\"$114\",\"8383a3b3-7807-40a8-96f7-0197052ff373\":\"$127\",\"04fa58c5-1639-4b2c-bc43-d4624d84d942\":\"$13a\",\"54cab91c-d651-4073-87dc-44d440777a1f\":\"$149\",\"ff05557c-19b2-4cf8-91ed-6cb2b3ceb662\":\"$158\",\"9e3ff387-df41-430c-bfd9-394cdef3bf60\":\"$167\",\"b0c313be-306b-48cd-b0bf-8a70f2bae7fb\":\"$176\",\"32ab944d-d8c2-480b-b01e-85fa1a7eaf17\":\"$188\",\"21220e28-a46b-469f-9033-3e3482d07b4e\":\"$19a\",\"1dc73a64-e5a5-419e-9363-9e91887427be\":\"$1ac\",\"a279358b-5b24-49bc-a98e-11681bd7e65c\":\"$1be\",\"1f32f891-d557-40ae-84b5-2cecc9300e08\":\"$210\",\"dfeef1d1-c536-4496-97ad-5488a965a6cf\":\"$256\",\"ccc8540c-c385-44e3-8788-fcd3b96df2d7\":\"$2a8\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Cyber Risk Reports (CRR) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/cyber-risk-reports\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"Cyber Risk Reports (CRR) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Reports and dashboards to help stakeholders of 
CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/cyber-risk-reports\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/cyber-risk-reports/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"Cyber Risk Reports (CRR) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/cyber-risk-reports/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html> |