cms-gov/security.cms.gov/learn/plan-action-and-milestones-poam
2025-02-28 14:41:14 -05:00


<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>Plan of Action and Milestones (POA&amp;M) | CMS Information Security &amp; Privacy Group</title><meta name="description" content="A corrective action plan roadmap to address 
system weaknesses and the resources required to fix them"/><link rel="canonical" href="https://security.cms.gov/learn/plan-action-and-milestones-poam"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="Plan of Action and Milestones (POA&amp;M) | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="A corrective action plan roadmap to address system weaknesses and the resources required to fix them"/><meta property="og:url" content="https://security.cms.gov/learn/plan-action-and-milestones-poam"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/plan-action-and-milestones-poam/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Plan of Action and Milestones (POA&amp;M) | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="A corrective action plan roadmap to address system weaknesses and the resources required to fix them"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/plan-action-and-milestones-poam/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div 
class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> 
(<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" 
aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy 
Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item 
font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a 
href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a 
class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accessibility Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" 
id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">Plan of Action and Milestones (POA&amp;M)</h1><p class="hero__description">A corrective action plan roadmap to address system weaknesses and the resources required to fix them</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 
margin-top-0">#cra-help</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>What is a POA&amp;M?</h2><p>When regular audits are conducted to assess the security posture of CMS information systems (and when new systems are being developed) there will inevitably be times that improvements or adjustments are needed. This isn't a negative reflection on the Business Owner, ISSO, or system builder — it's just a result of the fact that security is never “done”. Cyber threats are always evolving, and changes to systems or how they operate can also introduce new risks.&nbsp;</p><p>The process to mitigate risks and weaknesses in CMS systems is called a Plan of Action and Milestones (POA&amp;M). A POA&amp;M is created whenever audits reveal an area of weakness in security controls. This is an opportunity to strengthen or “harden” your system through carefully planned improvements which boosts the overall resilience of our agency's cyber infrastructure. 
The CMS security staff and your integrated team are ready to help you along the way.</p></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>Learn more about POA&amp;Ms</h1><p>The POA&amp;M Handbook provides an in-depth look at the POA&amp;M process from start to finish.</p><p><a href="/policy-guidance/cms-plan-action-and-milestones-poam-handbook">Read the Handbook</a></p></section><div class="text-block text-block--theme-explainer"><h2>What is the POA&amp;M process?</h2><p>POA&amp;Ms are created and tracked in the <a href="https://cfacts.cms.gov/apps/ArcherApp/Home.aspx">CMS FISMA Controls Tracking System (CFACTS)</a>. The process is briefly summarized below. You can find detailed information about POA&amp;Ms in the CMS Plan of Action and Milestones (POA&amp;M) Handbook.</p><h3>Receive audit reports</h3><p>Throughout the year, ongoing assessments and audits are conducted on systems to help improve overall security stature at CMS. Sometimes these activities result in “findings” — threats and vulnerabilities that exist in our programs or security systems which require attention.</p><p>After an assessment or audit, you'll receive a report that shows potential areas of concern. Risks are always present and always changing, and audit findings help us uncover them. There are various methods and time frames for resolving these findings, but all findings must follow a distinct remediation process. 
We look carefully at the finding source (how and where the weakness was identified) to determine what template to use to report the finding to you.</p><h3>Find opportunities to improve security</h3><p>If a potential threat or vulnerability is found in your system, start by discussing it with your integrated project team to make sure you fully understand its implications. Whoever conducted the audit or assessment will document the finding using the CMS Assessment and Audit Template (CAAT). It will explain where the system is performing as expected and where it could be strengthened.&nbsp;</p><p>Auditors and assessors use the term "weakness" in their reports to describe threats and vulnerabilities. Sometimes the risk can be fixed right away, and sometimes a POA&amp;M is needed. Occasionally, some of these threats and vulnerabilities may be addressed to some degree through an existing, compensating control, and your team may decide that the risk is acceptable.</p><h3>Analyze risks and options</h3><p>If your program or system is at risk, you will need to consider the Risk Level and Severity Level. A Risk Level is calculated based on the likelihood of the risk being exploited, and the potential resulting impact on the system and users. The Severity Level considers the significance that the weakness(es) poses to your system and the agency's overall security and privacy posture.&nbsp;</p><p>Analyzing threats and vulnerabilities requires an impact assessment, and consultation with your integrated project team and vendor supports. Several methodologies may be used during this phase, including a <strong>Root Cause Analysis</strong> which helps you uncover the actual cause(s) and not just a symptom of the finding.&nbsp;</p><p>Using the results of these analyses, you and your team will consider options for how to address the findings and associated risks. 
Ultimately there are two choices:</p><ul><li>Deem the risk “acceptable” and develop a <strong>Risk-Based Decision (RBD)</strong> that documents your justification for accepting the risk</li><li>Deem the risk “unacceptable” and move on to develop a mitigation strategy</li></ul><h3>Develop a corrective action plan</h3><p>The Corrective Action Plan forms the foundation of the POA&amp;M. It describes the identified weaknesses, the associated milestones, and the resources required. Developing this plan should be a collaborative process, with input from your integrated project team and other stakeholders.</p><p>The milestones in your plan must provide specific descriptions of the steps your team will take to mitigate the finding. Each finding must have at least one corresponding milestone with an estimated completion date and the resource requirements to remediate the finding.</p><p>Once the plan is formally documented, it is entered into CFACTS as a series of milestone records. The status of the POA&amp;M is automatically moved from “draft” to “ongoing” 30 days after the creation date, so aim to have the milestones entered and accurate before then.</p><h3>Put the plan into action</h3><p>Once your POA&amp;M is approved, possibly with additional recommendations from ISPG support staff, you will take steps to put the plan into action. You need to determine the specific funding and personnel resources needed to mitigate each finding on the POA&amp;M. In most cases, the existing resources allocated to a program or system will be sufficient, but occasionally you may need to request additional funding or personnel.&nbsp;&nbsp;</p><p>Next, you will work with your vendor(s) to create and test the appropriate safeguard(s) and countermeasures that mitigate the risks. This can take a few weeks or several months depending on the complexity of the change. In some cases, a third-party software vendor may need to issue a patch or fix; track that dependency as a milestone with its own estimated date, and record any interim compensating control you rely on while the fix is pending.</p><p>The steps and timeline to complete your POA&amp;M may need to be adjusted along the way. 
A POA&amp;M is a living document that should be continually updated as circumstances evolve.</p><h3>Report on progress</h3><p>POA&amp;Ms should be reviewed and updated in CFACTS on a continuing basis to show that they are on track for completion. CMS requires that all information in a POA&amp;M be updated at least monthly and be accurate as of the first day of each month for tracking and reporting purposes.</p><p>Regular POA&amp;M reporting helps to ensure that:</p><ul><li>Vulnerabilities or "weaknesses" are properly identified and prioritized</li><li>Adequate resources have been allocated and assigned</li><li>The timeline to mitigate vulnerabilities is achievable</li></ul><p>Each vulnerability must have a milestone that identifies the specific mitigation actions and a completion date, so that progress can be measured. Recording the status of each corrective action demonstrates that the POA&amp;M is part of an ongoing monitoring process.</p><h3>Confirm POA&amp;M completion</h3><p>When your new safeguard(s) are tested and approved for release, you are almost across the finish line! You'll need to confirm the successful resolution of the vulnerabilities and provide artifacts related to the POA&amp;M completion. Examples of such artifacts include control test results, a policy or procedure document, a screenshot of a patch applied, or other new system documentation. The evidence should show that the weakness is actually gone — for example, a re-test or re-scan that no longer reports it — not merely that a change was made.&nbsp;</p><p>Cyber Risk Advisors at ISPG will review certain POA&amp;M findings. Based on a risk determination and the evidence provided, they will decide if the finding has been adequately addressed and corrected. The findings that prompted the creation of a POA&amp;M should not be marked “completed” until they are proven to be fully resolved. When completion is confirmed, the ISSO will mark the POA&amp;M closed in CFACTS.</p><p>Completed POA&amp;Ms must remain on the monthly POA&amp;M report for one year after their completion date. 
The artifacts are stored in CFACTS and retained for at least one year with the completed POA&amp;M.</p><h2>POA&amp;Ms and continuous monitoring</h2><p>Besides requiring corrective actions to mitigate weaknesses, CMS continuously monitors risk across all systems so that resources can be allocated effectively. It's important to understand how this continuous monitoring affects the POA&amp;M process.</p><h3>POA&amp;M reporting</h3><p>CMS submits POA&amp;M reports to HHS at least once a month to show the status of mitigation activities. The information within a POA&amp;M must be <strong>maintained continuously</strong> so that CMS reports reflect the current state. The reports to HHS also include:</p><ul><li>Completed POA&amp;Ms, for a year after their completion</li><li>Delayed POA&amp;Ms, along with an explanation for the delay and a revised estimated completion date</li></ul><h3>Risk-Based Decisions (RBD)</h3><p>Sometimes a Business Owner and their project team may decide to accept potential risk(s) identified by assessment findings. They must create a Risk-Based Decision (RBD) that documents the reasoning and the risk being accepted. An RBD records the acceptance of a risk as it was understood at the time; it does not remove the underlying weakness. As part of <strong>continuous monitoring</strong> across CMS, all RBDs are therefore reviewed annually to ensure the risk remains acceptable, and an RBD should be revisited sooner whenever events or new information change the risk (for example, if the accepted weakness becomes actively exploited). RBDs are managed in CFACTS under the "RBD" tab.</p><h3>Risk evaluation and prioritization</h3><p>As POA&amp;Ms are being worked on across all CMS systems, risk evaluation and prioritization continue through <strong>ongoing assessments and </strong><a href="/learn/system-audits"><strong>audits</strong></a>. When a new, critical weakness is discovered, resources may need to be shifted to remediate it appropriately. 
Weaknesses that were once deemed a high priority may be reprioritized as risks and threats evolve, and may no longer receive the same level of attention.</p><p>POA&amp;Ms are an essential part of CMS's ongoing efforts to maintain a resilient cyber infrastructure and to protect the sensitive information of our beneficiaries. Each new safeguard or countermeasure implemented helps to reduce risk and improve our security and privacy posture.</p></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cybersecurity-risk-assessment-program-csrap">Cybersecurity and Risk Assessment Program (CSRAP)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>A streamlined risk-based control(s) testing methodology designed to relieve operational burden.</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/penetration-testing-pentesting">Penetration Testing (PenTesting)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" 
href="/policy-guidance/cms-plan-action-and-milestones-poam-handbook">CMS Plan of Action and Milestones (POA&amp;M) Handbook</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>A complete guide to creating, managing, and closing your systems POA&amp;M</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/system-audits">System Audits</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Independent review and examination of records and activities to assess the adequacy of system controls for compliance with established policies and procedures</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/security-controls-assessment-sca">Security Controls Assessment (SCA)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>A compliance-based assessment to determine if a system&#x27;s security and privacy controls are implemented correctly</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Mitigation (CDM)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems</p></div></div></li></ul></div></div></main><footer class="usa-footer 
usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo 
grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"plan-action-and-milestones-poam\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"plan-action-and-milestones-poam\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"plan-action-and-milestones-poam\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"plan-action-and-milestones-poam\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefin
ed\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\"
,\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new 
ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner 
(BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of 
authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 
Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accountability Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new 
ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner 
(BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of 
authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 
Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accountability Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO 
Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 
Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization 
(OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero 
Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident 
Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice 
(SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accountability Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 
Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row 
grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock 
icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not 
found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:T2408,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the POA\u0026amp;M process?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePOA\u0026amp;Ms are created and tracked in the \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Controls Tracking System (CFACTS)\u003c/a\u003e. The process is briefly summarized below. You can find detailed information about POA\u0026amp;Ms in the CMS Plan of Action and Milestones (POA\u0026amp;M) Handbook.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eReceive audit reports\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThroughout the year, ongoing assessments and audits are conducted on systems to help improve overall security stature at CMS. Sometimes these activities result in “findings” — threats and vulnerabilities that exist in our programs or security systems which require attention.\u003c/p\u003e\u003cp\u003eAfter an assessment or audit, you'll receive a report that shows potential areas of concern. 
Risks are always present and always changing, and audit findings help us uncover them. There are various methods and time frames for resolving these findings, but all findings must follow a distinct remediation process. We look carefully at the finding source (how and where the weakness was identified) to determine what template to use to report the finding to you.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFind opportunities to improve security\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf a potential threat or vulnerability is found in your system, start by discussing it with your integrated project team to make sure you fully understand its implications. Whoever conducted the audit or assessment will document the finding using the CMS Assessment and Audit Template (CAAT). It will explain where the system is performing as expected and where it could be strengthened.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAuditors and assessors use the term \"weakness\" in their reports to describe threats and vulnerabilities. Sometimes the risk can be fixed right away, and sometimes a POA\u0026amp;M is needed. Occasionally, some of these threats and vulnerabilities may be addressed to some degree through an existing, compensating control, and your team may decide that the risk is acceptable.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAnalyze risks and options\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf your program or system is at risk, you will need to consider the Risk Level and Severity Level. A Risk Level is calculated based on the likelihood of the risk being exploited, and the potential resulting impact on the system and users. The Severity Level considers the significance that the weakness(es) poses to your system and the agency's overall security and privacy posture.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAnalyzing threats and vulnerabilities requires an impact assessment, and consultation with your integrated project team and vendor supports. 
Several methodologies may be used during this phase, including a \u003cstrong\u003eRoot Cause Analysis\u003c/strong\u003e which helps you uncover the actual cause(s) and not just a symptom of the finding.\u0026nbsp;\u003c/p\u003e\u003cp\u003eUsing the results of these analyses, you and your team will consider options for how to address the findings and associated risks. Ultimately there are two choices:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDeem the risk “acceptable” and develop a \u003cstrong\u003eRisk-Based Decision (RBD)\u003c/strong\u003e to explain your justification for accepting the risk\u003c/li\u003e\u003cli\u003eDeem the risk “unacceptable” and move on to develop a mitigation strategy\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eDevelop a corrective action plan\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Corrective Action Plan forms the foundation of the POA\u0026amp;M. It describes the identified weaknesses, any associated milestones, and necessary resources required. Developing this plan should be a collaborative process, with input from your integrated project team and other stakeholders.\u003c/p\u003e\u003cp\u003eThe milestones in your plan must provide specific descriptions of the steps your team will take to mitigate the finding. Each finding must have at least one corresponding milestone with an estimated completion date and resource requirements to remediate the finding.\u003c/p\u003e\u003cp\u003eOnce the plan is formally documented, it is entered into CFACTS as a series of milestone records. The status of the POA\u0026amp;M will automatically be moved from “draft” to “ongoing” 30 days after the creation date.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePut the plan into action\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOnce your POA\u0026amp;M is approved, possibly with additional recommendations from ISPG support staff, you will take steps to put the plan into action. 
You need to determine the specific funding and personnel resources needed to mitigate each finding on the POA\u0026amp;M. In most cases, the existing resources allocated to a program or system will be sufficient, but occasionally you may need to request additional funding or personnel.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eNext, you will work with your vendor(s) to create and test the appropriate safeguard(s) and countermeasures that mitigate the risks. This can take a few weeks or several months depending on the complexity of the change. In some cases, a third party software vendor may need to issue a patch or fix.\u003c/p\u003e\u003cp\u003eThe steps and timeline to complete your POA\u0026amp;M may need to be adjusted along the way. A POA\u0026amp;M is a living document that should be continually updated as circumstances evolve.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eReport on progress\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePOA\u0026amp;Ms should be reviewed and updated in CFACTS on a continuing basis to show that they are on track for completion. CMS requires that all information in the POA\u0026amp;M should at minimum be updated monthly and be accurate on the first day of each month for tracking and reporting purposes.\u003cbr\u003e\u003cbr\u003eRegular POA\u0026amp;M reporting helps to ensure that:\u003c/p\u003e\u003cul\u003e\u003cli\u003eVulnerabilities or \"weaknesses\" are properly identified and prioritized\u003c/li\u003e\u003cli\u003eAdequate resources have been allocated and assigned\u003c/li\u003e\u003cli\u003eTimeline to mitigate vulnerabilities is achievable\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eA vulnerability must have a milestone entered with it that identifies specific actions of mitigation and a completion date to denote progress. 
Identifying the status of a corrective action demonstrates that the POA\u0026amp;M is a part of an ongoing monitoring process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConfirm POA\u0026amp;M completion\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWhen your new safeguard(s) are tested and approved for release, you are almost across the finish line! You'll need to confirm the successful resolution of vulnerabilities and provide artifacts related to the POA\u0026amp;M completion. Examples of such artifacts may include control test results, a policy or procedure document, a screenshot of a patch applied, or other new system documentation.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCyber Risk Advisors at ISPG will review certain POA\u0026amp;M findings. Based on a risk determination and the evidence provided, they will decide if the finding has been adequately addressed and corrected. The initial findings that prompted the creation of a POA\u0026amp;M should not be marked “completed” until they are proven to be fully resolved. When completion is confirmed, the ISSO will mark the POA\u0026amp;M closed in CFACTS.\u003c/p\u003e\u003cp\u003eCompleted POA\u0026amp;Ms must remain on the monthly POA\u0026amp;M report for one year after their completion date. The artifacts are stored in CFACTS and retained for at least one year with the completed POA\u0026amp;M.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePOA\u0026amp;Ms and continuous monitoring\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBesides requiring corrective actions to mitigate weaknesses, CMS continuously monitors risk across all systems so that resources can be allocated effectively. It's important to understand how this continuous monitoring affects the POA\u0026amp;M process.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePOA\u0026amp;M reporting\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS submits POA\u0026amp;M reports to HHS at least once a month to show the status of mitigation activities. 
The information within a POA\u0026amp;M must be \u003cstrong\u003emaintained continuously\u003c/strong\u003e so that CMS reports are reflective of the current state. The reports to HHS also include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCompleted POA\u0026amp;Ms, for a year after their completion\u003c/li\u003e\u003cli\u003eDelayed POA\u0026amp;Ms, along with an explanation for their delay and a revised estimated completion date\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eRisk Based Decisions (RBD)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSometimes a Business Owner and their project team may decide to accept potential risk(s) identified by assessment findings. They must create a Risk Based Decision (RBD) to explain the reasoning and the accepted risk. As part of \u003cstrong\u003econtinuous monitoring\u003c/strong\u003e across CMS, all RBDs are reviewed annually to ensure the risk remains acceptable. Risk Based Decisions may be updated as events occur and information changes. RBDs are managed in CFACTS under the \"RBD\" tab.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eRisk evaluation and prioritization\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs POA\u0026amp;Ms are being worked on across all CMS systems, risk evaluation and prioritization continue through \u003cstrong\u003eongoing assessments and \u003c/strong\u003e\u003ca href=\"/learn/system-audits\"\u003e\u003cstrong\u003eaudits\u003c/strong\u003e\u003c/a\u003e. When a new, critical weakness is discovered, resources may need to be shifted to remediate it appropriately. Weaknesses that were once deemed a high priority may not continue to receive the same level of consideration as risks and threats evolve.\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms are an essential part of CMS' ongoing efforts to maintain a resilient cyber infrastructure and to protect the sensitive information of our beneficiaries. 
Each new safeguard or countermeasure implemented helps to reduce risk and improve our security and privacy posture.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:T2408,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the POA\u0026amp;M process?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePOA\u0026amp;Ms are created and tracked in the \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Controls Tracking System (CFACTS)\u003c/a\u003e. The process is briefly summarized below. You can find detailed information about POA\u0026amp;Ms in the CMS Plan of Action and Milestones (POA\u0026amp;M) Handbook.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eReceive audit reports\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThroughout the year, ongoing assessments and audits are conducted on systems to help improve overall security stature at CMS. Sometimes these activities result in “findings” — threats and vulnerabilities that exist in our programs or security systems which require attention.\u003c/p\u003e\u003cp\u003eAfter an assessment or audit, you'll receive a report that shows potential areas of concern. Risks are always present and always changing, and audit findings help us uncover them. There are various methods and time frames for resolving these findings, but all findings must follow a distinct remediation process. We look carefully at the finding source (how and where the weakness was identified) to determine what template to use to report the finding to you.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFind opportunities to improve security\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf a potential threat or vulnerability is found in your system, start by discussing it with your integrated project team to make sure you fully understand its implications. Whoever conducted the audit or assessment will document the finding using the CMS Assessment and Audit Template (CAAT). 
It will explain where the system is performing as expected and where it could be strengthened.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAuditors and assessors use the term \"weakness\" in their reports to describe threats and vulnerabilities. Sometimes the risk can be fixed right away, and sometimes a POA\u0026amp;M is needed. Occasionally, some of these threats and vulnerabilities may be addressed to some degree through an existing, compensating control, and your team may decide that the risk is acceptable.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAnalyze risks and options\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf your program or system is at risk, you will need to consider the Risk Level and Severity Level. A Risk Level is calculated based on the likelihood of the risk being exploited, and the potential resulting impact on the system and users. The Severity Level considers the significance that the weakness(s) poses to your system and the agency's overall security and privacy posture.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAnalyzing threats and vulnerabilities requires an impact assessment, and consultation with your integrated project team and vendor support. Several methodologies may be used during this phase, including a \u003cstrong\u003eRoot Cause Analysis\u003c/strong\u003e which helps you uncover the actual cause(s) and not just a symptom of the finding.\u0026nbsp;\u003c/p\u003e\u003cp\u003eUsing the results of these analyses, you and your team will consider options for how to address the findings and associated risks. 
Ultimately there are two choices:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDeem the risk “acceptable” and develop a \u003cstrong\u003eRisk-Based Decision (RBD)\u003c/strong\u003e to explain your justification for accepting the risk\u003c/li\u003e\u003cli\u003eDeem the risk “unacceptable” and move on to develop a mitigation strategy\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eDevelop a corrective action plan\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Corrective Action Plan forms the foundation of the POA\u0026amp;M. It describes the identified weaknesses, any associated milestones, and necessary resources required. Developing this plan should be a collaborative process, with input from your integrated project team and other stakeholders.\u003c/p\u003e\u003cp\u003eThe milestones in your plan must provide specific descriptions of the steps your team will take to mitigate the finding. Each finding must have at least one corresponding milestone with an estimated completion date and resource requirements to remediate the finding.\u003c/p\u003e\u003cp\u003eOnce the plan is formally documented, it is entered into CFACTS as a series of milestone records. The status of the POA\u0026amp;M will automatically be moved from “draft” to “ongoing” 30 days after the creation date.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePut the plan into action\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOnce your POA\u0026amp;M is approved, possibly with additional recommendations from ISPG support staff, you will take steps to put the plan into action. You need to determine the specific funding and personnel resources needed to mitigate each finding on the POA\u0026amp;M. 
In most cases, the existing resources allocated to a program or system will be sufficient, but occasionally you may need to request additional funding or personnel.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eNext, you will work with your vendor(s) to create and test the appropriate safeguard(s) and countermeasures that mitigate the risks. This can take a few weeks or several months depending on the complexity of the change. In some cases, a third party software vendor may need to issue a patch or fix.\u003c/p\u003e\u003cp\u003eThe steps and timeline to complete your POA\u0026amp;M may need to be adjusted along the way. A POA\u0026amp;M is a living document that should be continually updated as circumstances evolve.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eReport on progress\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePOA\u0026amp;Ms should be reviewed and updated in CFACTS on a continuing basis to show that they are on track for completion. CMS requires that all information in the POA\u0026amp;M should at minimum be updated monthly and be accurate on the first day of each month for tracking and reporting purposes.\u003cbr\u003e\u003cbr\u003eRegular POA\u0026amp;M reporting helps to ensure that:\u003c/p\u003e\u003cul\u003e\u003cli\u003eVulnerabilities or \"weaknesses\" are properly identified and prioritized\u003c/li\u003e\u003cli\u003eAdequate resources have been allocated and assigned\u003c/li\u003e\u003cli\u003eTimeline to mitigate vulnerabilities is achievable\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eA vulnerability must have a milestone entered with it that identifies specific actions of mitigation and a completion date to denote progress. 
Identifying the status of a corrective action demonstrates that the POA\u0026amp;M is a part of an ongoing monitoring process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConfirm POA\u0026amp;M completion\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWhen your new safeguard(s) are tested and approved for release, you are almost across the finish line! You'll need to confirm the successful resolution of vulnerabilities and provide artifacts related to the POA\u0026amp;M completion. Examples of such artifacts may include control test results, a policy or procedure document, a screenshot of a patch applied, or other new system documentation.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCyber Risk Advisors at ISPG will review certain POA\u0026amp;M findings. Based on a risk determination and the evidence provided, they will decide if the finding has been adequately addressed and corrected. The initial findings that prompted the creation of a POA\u0026amp;M should not be marked “completed” until they are proven to be fully resolved. When completion is confirmed, the ISSO will mark the POA\u0026amp;M closed in CFACTS.\u003c/p\u003e\u003cp\u003eCompleted POA\u0026amp;Ms must remain on the monthly POA\u0026amp;M report for one year after their completion date. The artifacts are stored in CFACTS and retained for at least one year with the completed POA\u0026amp;M.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePOA\u0026amp;Ms and continuous monitoring\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBesides requiring corrective actions to mitigate weaknesses, CMS continuously monitors risk across all systems so that resources can be allocated effectively. It's important to understand how this continuous monitoring affects the POA\u0026amp;M process.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePOA\u0026amp;M reporting\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS submits POA\u0026amp;M reports to HHS at least once a month to show the status of mitigation activities. 
The information within a POA\u0026amp;M must be \u003cstrong\u003emaintained continuously\u003c/strong\u003e so that CMS reports are reflective of the current state. The reports to HHS also include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCompleted POA\u0026amp;Ms, for a year after their completion\u003c/li\u003e\u003cli\u003eDelayed POA\u0026amp;Ms, along with an explanation for their delay and a revised estimated completion date\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eRisk Based Decisions (RBD)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSometimes a Business Owner and their project team may decide to accept potential risk(s) identified by assessment findings. They must create a Risk Based Decision (RBD) to explain the reasoning and the accepted risk. As part of \u003cstrong\u003econtinuous monitoring\u003c/strong\u003e across CMS, all RBDs are reviewed annually to ensure the risk remains acceptable. Risk Based Decisions may be updated as events occur and information changes. RBDs are managed in CFACTS under the \"RBD\" tab.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eRisk evaluation and prioritization\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs POA\u0026amp;Ms are being worked on across all CMS systems, risk evaluation and prioritization continue through \u003cstrong\u003eongoing assessments and \u003c/strong\u003e\u003ca href=\"/learn/system-audits\"\u003e\u003cstrong\u003eaudits\u003c/strong\u003e\u003c/a\u003e. When a new, critical weakness is discovered, resources may need to be shifted to remediate it appropriately. Weaknesses that were once deemed a high priority may not continue to receive the same level of consideration as risks and threats evolve.\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms are an essential part of CMS' ongoing efforts to maintain a resilient cyber infrastructure and to protect the sensitive information of our beneficiaries. 
Each new safeguard or countermeasure implemented helps to reduce risk and improve our security and privacy posture.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1a:T9cb3,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is a POA\u0026amp;M?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA Plan of Action and Milestones (POA\u0026amp;M) is a corrective action plan that tracks system weakness and allows System Owners and ISSOs to create a plan to resolve the identified weaknesses over time. A POA\u0026amp;M provides details about the personnel, technology, and funding required to accomplish the elements of the plan, milestones for correcting the weaknesses, and scheduled completion dates for the milestones.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePOA\u0026amp;M process overview\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe POA\u0026amp;M process begins when a weakness is identified in a CMS FISMA system. Working together, the System/Business Owner and the Authorizing Official (AO) are responsible for mitigating the risk posed by the weakness, with support from the Information System Security Officer (ISSO) and Cyber Risk Advisor (CRA). 
The steps to the POA\u0026amp;M process are outlined below, and will be described in greater detail throughout the remainder of this guide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify weaknesses\u003c/li\u003e\u003cli\u003eDevelop a Corrective Action Plan (CAP)\u003c/li\u003e\u003cli\u003eDetermine resource and funding availability\u003c/li\u003e\u003cli\u003eAssign a completion date\u003c/li\u003e\u003cli\u003eExecute the Corrective Action Plan (CAP)\u003c/li\u003e\u003cli\u003eVerify weakness completion\u003c/li\u003e\u003cli\u003eAccept risk when applicable\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIdentifying weaknesses\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe term “weakness” represents any information security or privacy vulnerability that could be exploited as a result of a specific control deficiency. Weaknesses can compromise a system's confidentiality, integrity, or availability. All weaknesses that represent risk to the security or privacy of a system must be corrected and the required mitigation efforts captured in a POA\u0026amp;M.\u0026nbsp;For the purpose of this document, the term “weakness” as defined in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST SP 800-53, rev. 5 \u003c/a\u003ewill be synonymous with the terms finding and vulnerability. These terms are defined below:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFinding\u003c/strong\u003e — During an assessment or audit, the security and privacy controls of a system are tested, or exercised. A system either satisfies the requirements of a control or does not satisfy it.\u0026nbsp; Findings are the result of the assessment or audit. 
Findings that do not satisfy a control must be addressed with a POA\u0026amp;M.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVulnerability\u003c/strong\u003e — A vulnerability is a weakness in a system, a system's security procedures, its internal controls, or its implementation that could be exploited or triggered by a threat source.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFinding weaknesses\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWeaknesses may be found during an internal or external audit, review, or through Continuous Diagnostics and Mitigation (CDM) efforts. There are a number of specific sources that help system teams identify weaknesses:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eHHS OIG Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003eGovernment Accountability Office (GAO) Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003eChief Financial Officer (CFO) Reviews\u0026nbsp;\u003c/li\u003e\u003cli\u003eOMB A-123 Internal Control Reviews\u0026nbsp;\u003c/li\u003e\u003cli\u003eAnnual Assessments\u003c/li\u003e\u003cli\u003eFISMA Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e or Security Control Assessments (SCA)\u0026nbsp;\u003c/li\u003e\u003cli\u003eMedicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) Section 912 Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003eInternal Revenue Service (IRS) Safeguard Reviews\u0026nbsp;\u003c/li\u003e\u003cli\u003eDepartment of Homeland Security (DHS) Risk Vulnerability Assessments (RVA)\u0026nbsp;\u003c/li\u003e\u003cli\u003eDHS Cyber Hygiene\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/penetration-testing\"\u003ePenetration Testing\u0026nbsp;\u003c/a\u003e\u003c/li\u003e\u003cli\u003eVulnerability Scanning\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDuring these assessments, 
reviews, and audits, weaknesses can be found either proactively or reactively.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eProactive - \u003c/strong\u003eProactive weakness identification occurs during regular system reviews conducted by CMS.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eReactive - \u003c/strong\u003eReactive weakness determination indicates that the weakness was identified during an audit or external review, like a penetration test.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWeaknesses are always documented by the source that identified them, and it's important to indicate the identification source as you create your POA\u0026amp;M.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWeakness severity levels\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThere are three severity levels for all weaknesses discovered during assessments, audits, and tests. The risk the weakness poses to the agency's overall security and privacy posture determines a weakness' severity level. 
There are three levels of severity as defined by OMB: significant deficiency, reportable condition, and weakness.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eWeakness severity levels\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSignificant deficiency\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eA weakness is considered a \u003cstrong\u003esignificant deficiency\u003c/strong\u003e if it drastically restricts the capability of the agency to carry out its mission or if it compromises the security or privacy of its information, information systems, personnel, or other resources, operations, or assets.\u0026nbsp;\u003c/p\u003e\u003cp\u003eSenior management must be notified and immediate or near immediate corrective action must be taken.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eReportable Condition\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eA \u003cstrong\u003ereportable condition\u003c/strong\u003e is a weakness that affects the efficiency and effectiveness of agency operations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eDue to its lower associated risk, corrective actions for a reportable condition may be scheduled over a longer period of time. 
The control auditor or assessor will make the determination that a weakness is a reportable condition.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eWeakness\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAll other weaknesses that do not rise to the level of a significant deficiency or reportable condition must be categorized as a weakness.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThey must be mitigated in a timely and efficient manner, as resources permit.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe weakness severity level can be obtained from the source or the audit report. Most findings will generally be categorized as a “weakness”. If a weakness is designated as a “significant deficiency”, contact the \u003ca href=\"mailto:ciso@cms.hhs.gov\"\u003eCISO mailbox \u003c/a\u003efor further guidance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWeakness risk level\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final\"\u003eNIST SP 800-30 \u003c/a\u003econtains the definitions and the practical guidance necessary for assessing and mitigating identified risks to IT systems. 
Risk level is dependent on multiple factors, such as \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFederal Information Processing Standard (FIPS) 199 \u003c/a\u003ecategory, operating environment, compensating controls, nature of the vulnerability, and impact if a system is compromised.\u003c/p\u003e\u003cp\u003eRisk can be evaluated either qualitatively or quantitatively and is typically expressed in its simplified form as:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRISK = THREAT x IMPACT x LIKELIHOOD\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe result of the analysis of the risk(s) from following the NIST SP 800-30 guide will recommend the overall risk level assigned to the FISMA system of record.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRoot Cause Analysis (RCA)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll weaknesses must be examined to determine their root cause prior to documentation in the POA\u0026amp;M. \u003cstrong\u003eRoot Cause Analysis (RCA)\u003c/strong\u003e is an important and effective methodology used to correct information security or privacy weaknesses by eliminating the underlying cause. Various factors are reviewed to determine if they are the underlying cause of the weakness. Proper evaluation ensures the cause, not the symptom, is treated and prevents resources from being expended unnecessarily on addressing the same weakness.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePrioritizing weaknesses\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS takes a risk management approach to ensure that critical and high-impact weaknesses take precedence over lower security weaknesses. 
The following chart will help CMS System/Business Owners and ISSOs prioritize weaknesses on an ongoing basis to ensure that high-priority weaknesses receive the funding and the resources necessary to remediate or mitigate the most significant risks.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePrioritization factor\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDescription\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk level/severity\u003c/td\u003e\u003ctd\u003e\u003cp\u003eWeaknesses on a High or Moderate system or weaknesses that contribute to a material weakness, significant deficiency or reportable condition will normally require more immediate resolution.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis prioritization factor must consider the following elements:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eSensitivity and criticality of information on the system, such as personally identifiable information (PII).\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe estimated likelihood of the weakness occurring and/or being exploited.\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe cost of a potential occurrence or exploitation in terms of dollars, resources, and/or reputation\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAnalysis\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe weakness must be analyzed to determine if there are any other processes or system relationships that it may affect.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDoes the weakness fall within the system authorization boundary?\u0026nbsp;\u003c/li\u003e\u003cli\u003eIs it a potential program weakness?\u0026nbsp;\u003c/li\u003e\u003cli\u003eIs the weakness a systemic issue (across the enterprise) or is it an isolated event?\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSystemic issues represent much greater risk and may be a higher 
priority.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSource\u003c/td\u003e\u003ctd\u003eWhat is the source of the weakness? For example, if the weakness resulted from an audit and is considered a significant deficiency, then greater attention should be focused on this weakness.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVisibility\u003c/td\u003e\u003ctd\u003eHas the weakness drawn a high level of visibility external to the system or program? In some cases, a lower level weakness is a higher priority due to visibility. There are times when senior management or outside organizations focus on a specific weakness. Such weaknesses may take priority.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eRegardless of how the weakness is found and how severe it is,\u0026nbsp;it's critical that system teams work together to create a Corrective Action Plan (CAP) to address it.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eDevelop a Corrective Action Plan (CAP)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAfter weaknesses have been identified and the root cause has been determined, a \u003cstrong\u003eCorrective Action Plan (CAP)\u003c/strong\u003e must be developed. The CAP identifies:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe specific tasks, or “milestones”, that need to be accomplished to reduce or eliminate weakness\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe resources required to accomplish the plan\u003c/li\u003e\u003cli\u003eA timeline for correcting the weakness including a completion date\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe milestones in the CAP must provide specific, action-oriented descriptions of the tasks/steps that the stakeholder will take to mitigate the weakness. 
When creating your milestones, be sure that they are:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSpecific\u003c/strong\u003e — target a specific area for improvement\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMeasurable\u003c/strong\u003e — quantify or at least suggest an indicator of progress\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAssignable\u003c/strong\u003e — specify who will do it\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRealistic\u003c/strong\u003e — state what results can realistically be achieved, given available resources\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTime-related\u003c/strong\u003e — specify when the result(s) can be achieved.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe number of milestones written per weakness must directly correspond to the number of steps or corrective actions necessary to fully address and resolve the weakness. Each weakness must have at least one corresponding milestone with an estimated completion date and resource requirements to remediate the weakness. 
The chart below provides samples of compliant and non-compliant milestones that system teams can use when writing their CAP.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eExamples of appropriate milestones\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePOA\u0026amp;M description\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eExample\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eMilestones with completion dates\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVulnerability scanning does not incorporate the entire environment as documented in the System Security and Privacy Plan (SSPP)\u003c/td\u003e\u003ctd\u003eInappropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eEnsure vulnerability scanning covers the entire environment; (11/15/2018)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVulnerability scanning does not incorporate the entire environment as documented in the System Security and Privacy Plan (SSPP)\u003c/td\u003e\u003ctd\u003eAppropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eSchedule a review of the environment inventory; (11/15/2018)\u003c/li\u003e\u003cli\u003eUpdate the SSPP and the vulnerability scanner to reflect the updated inventory; (1/31/2019)\u003c/li\u003e\u003cli\u003eConduct a vulnerability scan to check that the entire inventory is included; (2/15/2019)\u003c/li\u003e\u003cli\u003eImplement an ongoing process to evaluate and update the inventory, the SSPP, and the vulnerability scans on a regular basis; (3/15/2019)\u003c/li\u003e\u003cli\u003ePerform a vulnerability scan and cross check the output with the updated inventory list to verify that the entire environment is included; (4/15/2019)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAudit logs are not periodically 
reviewed\u003c/td\u003e\u003ctd\u003eInappropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eEnsure that audit logs are periodically reviewed; (12/15/2018)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAudit logs are not periodically reviewed\u003c/td\u003e\u003ctd\u003eAppropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eReview policy to ensure that audit log review is required; (12/15/2018)\u003c/li\u003e\u003cli\u003eIdentify the SO; (12/16/2018)\u003c/li\u003e\u003cli\u003eEstablish communication and training to convey the requirement of audit log review; (2/28/2019)\u003c/li\u003e\u003cli\u003eSchedule a follow-up review with the SO to ensure that audit log review is taking place. (3/31/2019)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe CAP should be a collaborative effort with stakeholders including the CISO, System/Business Owners, System Developers and Maintainers, ISSOs, and others as needed. These stakeholders ensure that the CAP is created, executed, monitored, and worked to closure or risk-based acceptance.\u003c/p\u003e\u003cp\u003eOMB provides a standard POA\u0026amp;M format which is utilized at CMS. This structure improves the stakeholders' ability to easily locate information and organize details for analysis. The CAP format includes a location for the identified program weakness, any associated milestones, and the necessary resources required.\u0026nbsp;\u003c/p\u003e\u003cp\u003eOnce the CAP is documented, the plan must be entered into \u003ca href=\"https://cfacts.cms.gov/\"\u003eCFACTS\u003c/a\u003e in the form of a series of milestone records. The status of the POA\u0026amp;M will automatically be moved from “draft” to “ongoing” 30 days after the weakness creation date. 
Once a milestone has been accepted/approved and closed, the record must be retained for one year.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eDetermine resource and funding availability\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eMaking funding decisions is often a collaborative exercise that involves multiple system personnel and stakeholders. Examples of questions to ask to determine if your team has the resources to appropriately respond to a weakness are:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eIs one team or person enough or will the participation of a larger team be needed?\u0026nbsp;\u003c/li\u003e\u003cli\u003eCan the task be accomplished within a week or will it take several months?\u0026nbsp;\u003c/li\u003e\u003cli\u003eHow serious is the weakness?\u0026nbsp;\u003c/li\u003e\u003cli\u003eWhat is this weakness' risk level?\u0026nbsp;\u003c/li\u003e\u003cli\u003eHow complex is the CAP?\u0026nbsp;\u003c/li\u003e\u003cli\u003eDo we need to purchase equipment?\u003c/li\u003e\u003cli\u003eCan the weakness be addressed with existing funding or will we require new allocation from an existing budget source?\u0026nbsp;\u003c/li\u003e\u003cli\u003eWill addressing this milestone require changes to existing policy or code?\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe System/Business Owner, ISSOs, and other stakeholders must ensure that adequate resources are allocated to mitigate or remediate weaknesses. They must also work together to determine the funding stream required to address the weakness, and any full-time equivalent (FTE) resources required to remediate or mitigate each weakness on the POA\u0026amp;M. 
The resources required for weakness remediation must fall into one of the following three categories:\u003c/p\u003e\u003col\u003e\u003cli\u003eUsing current resources allocated for the security and/or management of a program or system to complete remediation activities\u003c/li\u003e\u003cli\u003eReallocating existing funds that are appropriated and available for the remediation, or redirecting existing personnel\u003c/li\u003e\u003cli\u003eRequesting additional funding or personnel\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eDuplicate or similar weaknesses shall be documented in one POA\u0026amp;M, existing or new, to avoid inconsistencies. If a related POA\u0026amp;M already exists, the additional weakness shall be noted in the comment field.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAssign a completion date\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSystem/Business Owners, ISSOs, and other stakeholders must determine the scheduled completion date for each weakness using the criteria established by the remediation and mitigation timeline, the risk level, and the severity level. The milestone(s) completion date must not exceed the scheduled completion date assigned to the weakness.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIt is also a good practice to first determine the milestones with completion dates, as this will help determine a more accurate overall scheduled completion date for the weakness. The weakness' scheduled completion date is a calculated date. It is determined by the identified date and the risk level. The scheduled completion date established at the creation of the weakness must not be modified after the weakness is reported to OMB. 
POA\u0026amp;Ms become reportable once the status changes from “Draft” to “Ongoing” in CFACTS.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf a weakness is not remediated within the scheduled completion date, a new estimated completion date must be determined and documented in the Changes to Milestones and Comment fields in the POA\u0026amp;M in CFACTS.\u003c/p\u003e\u003cp\u003e\u003cem\u003eNOTE: In use cases where a responsive and timely POA\u0026amp;M cannot be developed, the ISSO can choose to consider the Risk Based Decision (RBD) process to request the Authorizing Official (AO) to consider a risk acceptance until such time the vulnerability can be remediated.\u003c/em\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eExecute the Corrective Action Plan (CAP)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA designated Point of Contact (POC), responsible for ensuring proper execution of the CAP, must be identified for each weakness and its milestones. Individual(s) responsible for the execution of the CAP vary widely depending on the organization, system, milestones, and weakness.\u003c/p\u003e\u003cp\u003eThis POC resource will be key to identifying an “owner” of the milestone and ensuring the milestone is worked to the eventual remediation of the weakness or acceptable mitigation of the weakness. Once the planning of the necessary corrective action is complete and adequate resources have been made available, remediation or mitigation activities will proceed in accordance with the plan.\u003c/p\u003e\u003cp\u003eIf the completion of a milestone extends past its original estimated completion date, an update to the milestone and the completion date of the milestone must be captured in the “Changes to Milestone” field of CFACTS. 
If the scheduled completion date has passed before the weakness is remediated or mitigated, the weakness must default to “Delayed” status and a justification with a new estimated completion date must be documented in the “Comment” field and the “Changes to Milestone” field of the relevant weakness in CFACTS.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eVerify weakness completion\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS requires that all information in the POA\u0026amp;M be updated at least quarterly, ensuring accuracy for efficient tracking and reporting. As part of the review process, the ISSO will:\u003c/p\u003e\u003cul\u003e\u003cli\u003eValidate that the weakness is properly identified and prioritized\u003c/li\u003e\u003cli\u003eEnsure that appropriate resources have been made available to resolve the weakness\u003c/li\u003e\u003cli\u003eEnsure that the schedule for resolving the weakness is both appropriate and achievable\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eAccept risk when applicable\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA POA\u0026amp;M is a plan to resolve unacceptable risks. In rare cases, the Business Owner can present a case for accepting the risk to the AO or CIO, who may make the decision to accept the risk at their discretion. This is part of the Risk Based Decision (RBD) process. After approval, RBDs shall be reviewed at least annually to ensure the risk remains acceptable and updated as events occur and information changes. 
RBDs are managed in CFACTS under the \"RBD\" tab.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eClosing a POA\u0026amp;M\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePOA\u0026amp;Ms designated as Low and Moderate are closed by the ISSO and spot audited by a CRA.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms designated as Critical and High are closed by the CRA.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms generated from audits should be reviewed by the auditor prior to closure.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms resulting from a Penetration Test (PenTest) are closed by the PenTest team after the re-test has been performed.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eReports\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eReporting is a critical component of POA\u0026amp;M management, and CMS reports its remediation efforts on a monthly basis. The information in the POA\u0026amp;M must be maintained continuously to communicate overall progress. CMS must submit POA\u0026amp;M updates at least once a month (by the 3rd business day of each month) to HHS to demonstrate the status of POA\u0026amp;M mitigation or remediation activities.\u003c/p\u003e\u003cp\u003eCMS must submit the following information in accordance with the Department POA\u0026amp;M reporting requirements:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAll POA\u0026amp;Ms associated with a program, system and/or component that are within an authorization boundary. 
POA\u0026amp;Ms must be tied to the individual system and/or component and not the authorization boundary.\u003c/li\u003e\u003cli\u003eAn explanation associated with each delayed POA\u0026amp;M and a revised estimated completion date.\u003c/li\u003e\u003cli\u003eCompleted POA\u0026amp;Ms for up to one year from the date of completion.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWeakness remediation and mitigation timeline\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAfter positive identification of scan findings or approval of security assessment and/or audit report, all findings/weaknesses shall be documented in a POA\u0026amp;M, reported to HHS, and remediated/mitigated within the following remediation timelines.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eCritical within 15 days\u003c/li\u003e\u003cli\u003eHigh within 30 days\u003c/li\u003e\u003cli\u003eModerate within 90 days\u003c/li\u003e\u003cli\u003eLow within 365 days\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eBusiness Owners, ISSOs, and/or other POA\u0026amp;M stakeholders must work together to determine the scheduled completion date for each POA\u0026amp;M within the specified remediation timelines. These timelines are based on the date the weakness is identified, not the date the POA\u0026amp;M is created. Stakeholders should complete and submit their CAAT templates in a timely manner to allow for the maximum time to complete the remediation/mitigation.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf it is determined that additional time is needed to remediate or mitigate a weakness, the justification with a modified estimated completion date shall be documented in the POA\u0026amp;M in the Changes to Milestones and Comment fields in CFACTS. 
If weaknesses are not remediated within the scheduled completion date, the status shall change to “Delayed”.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWeaknesses discovered during a government audit\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWeaknesses identified during a government audit (e.g., an Inspector General or GAO audit) shall be documented in the POA\u0026amp;M after the audit draft report is produced, regardless of CMS acceptance of the identified weakness(es). Disagreements on findings that cannot be resolved between CMS and the auditing office shall be elevated to the Department for resolution. Systems must review and update POA\u0026amp;Ms at least quarterly. In addition, compensating controls must be in place and documented until weaknesses are remediated or mitigated to an acceptable level of risk.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eCFACTS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eStakeholders must use\u0026nbsp;\u003ca href=\"https://cfacts.cms.gov/\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eCFACTS\u003c/a\u003e, the CMS GRC tool, to identify, track, and manage all system weaknesses and associated POA\u0026amp;Ms to closure for CMS information systems. Users who need access to CFACTS may request an account and appropriate privileges through the Enterprise User Administration (EUA). The job code is \u003cstrong\u003eCFACTS_User_P\u003c/strong\u003e. Once the job code is assigned, the user must email the CISO mailbox at \u003ca href=\"mailto:ciso@cms.hhs.gov\"\u003eciso@cms.hhs.gov\u003c/a\u003e to notify the CISO of the user's role (ISSO, System Developer, or System/Business Owner).\u003c/p\u003e\u003cp\u003eThe \u003cstrong\u003eCFACTS User Manual\u003c/strong\u003e provides detailed instructions for processing POA\u0026amp;M actions in the CFACTS tracking system. 
The User Manual can be accessed under the \u003cstrong\u003eCFACTS Documents\u003c/strong\u003e section on the \u003cstrong\u003eCFACTS Artifacts\u003c/strong\u003e page which can be accessed by clicking on the CFACTS Artifacts icon on the welcome page.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePOA\u0026amp;M Glossary\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe following glossary will help system teams understand the language of the POA\u0026amp;M process.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTerm\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDefinition\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAnnual Assessment\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe process of validating the effective implementation of security and privacy controls in the information system and its environment of operation within every three hundred sixty-five (365) days in accordance with the CMS Information Security (IS) Acceptable Risk Safeguards (ARS) Including CMS Minimum Security Requirements (CMSR) Standard, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAudit\u003c/td\u003e\u003ctd\u003eAn independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCapital Planning and Investment Control\u003c/td\u003e\u003ctd\u003eA decision-making process for ensuring that investments integrate strategic planning, budgeting, procurement, and the management of or in support of Agency missions and business needs. 
[OMB Circular No. A-11]. The term comes from the Clinger-Cohen Act of 1996; while originally focused on IT, it now applies also to non-IT investments.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCommon Control\u003c/td\u003e\u003ctd\u003eA security or privacy control that is inherited by one or more organizational information systems. See Security Control Inheritance.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompleted\u003c/td\u003e\u003ctd\u003eA status assigned when all corrective actions have been completed or closed for a weakness and the weakness has been verified as successfully mitigated. Documentation is required to demonstrate the weakness has been adequately resolved. When assigning the status of Completed, the date of completion must also be included.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompletion date\u003c/td\u003e\u003ctd\u003eThe action date when all weaknesses have been fully resolved and the corrective action plan has been tested.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl activities\u003c/td\u003e\u003ctd\u003eThe policies and procedures that help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities, whether automated or manual, help achieve control objectives and are applied at various organizational and functional levels.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl deficiency\u003c/td\u003e\u003ctd\u003eA deficiency that exists when the design or operation of a control does not allow management or employees to, in the normal course of performing their assigned functions, prevent or detect breaches of confidentiality, integrity, or availability on a timely basis. 
(See also design deficiency or operations deficiency)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCorrective Action Plan (CAP)\u003c/td\u003e\u003ctd\u003eThe plan management formulates to document the procedures and milestones identified to correct control deficiencies.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCriteria\u003c/td\u003e\u003ctd\u003e\u003cp\u003eA context for evaluating evidence and understanding the findings, conclusions, and recommendations included in the report. Criteria represent the laws, regulations, contracts, grant agreements, standards, specific requirements, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated.\u003c/p\u003e\u003cp\u003eCriteria identify the required or desired state or expectation with respect to the program or operation.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDelayed\u003c/td\u003e\u003ctd\u003eA status assigned when a weakness continues to be mitigated after the original scheduled completion date has passed. When assigning the status of Delayed, an explanation must be provided in the milestone as to why the delay is occurring, as well as the revised completion date.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDesign deficiency\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA deficiency that exists when a control necessary to meet the control objective is missing or an existing control is not properly designed, so that even if the control operates as designed the control objective is not always met.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDraft\u003c/td\u003e\u003ctd\u003eA status that indicates that a weakness requires review and approval prior to “official” entry in the POA\u0026amp;M. 
Types of review that may take place while a weakness is in draft status would be: reviewing to determine if the weakness already exists and would be a duplicate; reviewing to determine if the organization will accept the risk, or apply for a waiver; etc.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEvidence\u003c/td\u003e\u003ctd\u003eAny information used by the auditor, tester, or evaluator, to determine whether the information being audited, evaluated, or assessed is stated in accordance with the established criteria.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFISMA Audit\u003c/td\u003e\u003ctd\u003eA FISMA assessment designed to determine areas of compliance and areas requiring remediation to become FISMA compliant.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFederal Information Security Modernization Act (FISMA)\u003c/td\u003e\u003ctd\u003eRequires agencies to integrate information technology (IT) security into their capital planning and enterprise architecture processes at the agency, conduct annual IT security reviews of all programs and systems, and report the results of those reviews to the OMB. 
[NIST SP 800-65]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFindings\u003c/td\u003e\u003ctd\u003eConclusions based on an evaluation of sufficient, appropriate evidence against criteria.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInformation Security Risk\u003c/td\u003e\u003ctd\u003eThe risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePrimary Information System Security Officer (ISSO)\u003c/td\u003e\u003ctd\u003eIndividual with assigned responsibility for maintaining the appropriate operational security and privacy posture for an information system or program.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInitial audit findings\u003c/td\u003e\u003ctd\u003eAny type of audit conducted on a financial system or a non-financial system.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInternal control\u003c/td\u003e\u003ctd\u003eAn integral component of an organization's management systems that provides reasonable assurance that the following objectives are being achieved: effectiveness and efficiency of operations, reliability of financial reporting, or compliance with applicable laws and regulations.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eManagement controls\u003c/td\u003e\u003ctd\u003eThe security or privacy controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security and privacy.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMaterial weakness\u003c/td\u003e\u003ctd\u003eMaterial weaknesses include reportable conditions that the Secretary or Component Head determines to be significant 
enough to report outside of the Department. Material weakness in internal control over financial reporting is a reportable condition, or combination of reportable conditions, that results in more than a remote likelihood that a material misstatement of the financial statements, or other significant financial reports, will not be prevented or detected.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMetrics\u0026nbsp;\u003c/td\u003e\u003ctd\u003eTools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNon-conformance\u0026nbsp;\u003c/td\u003e\u003ctd\u003eInstances in which financial management systems do not substantially conform to financial systems requirements. Financial management systems include both financial and financially-related (or mixed) systems.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOngoing\u003c/td\u003e\u003ctd\u003eA status assigned when a weakness is in the process of being mitigated and has not yet exceeded the original scheduled completion date.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOperational controls\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe security or privacy controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems).\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOperations deficiency\u003c/td\u003e\u003ctd\u003eA deficiency that exists when a properly designed control does not operate as designed or when the person performing the control is not qualified or properly skilled to perform the control effectively.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePending verification\u003c/td\u003e\u003ctd\u003eA status that indicates that all milestones/corrective actions have been completed but require review and sign-off 
to ensure effective resolution.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/td\u003e\u003ctd\u003eA FISMA mandated corrective action plan to identify and resolve information security and privacy weaknesses. A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePotential impact\u003c/td\u003e\u003ctd\u003eThe loss of confidentiality, integrity, or availability could be expected to have: (i) a limited adverse effect (FIPS 199 low); (ii) a serious adverse effect (FIPS 199 moderate); or (iii) a severe or catastrophic adverse effect (FIPS 199 high) on organizational operations, organizational assets, or individuals.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eProgram\u003c/td\u003e\u003ctd\u003eAn organized set of activities directed toward a goal or particular set of goals or objectives for which the program is accountable; a distinct set of activities and strategies organized toward achieving a specific purpose. A program is a representation of what is delivered to the public. 
Programs usually operate for indefinite or continuous periods, but may consist of several projects or initiatives.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eReportable condition\u0026nbsp;\u003c/td\u003e\u003ctd\u003eReportable conditions overall include a control deficiency, or combination of control deficiencies, that, in management's judgment, must be communicated because they represent significant weaknesses in the design or operation of an internal control that could adversely affect the organization's ability to meet its internal control objectives.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eResilience\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe ability to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs. [NIST SP 800-39, Adapted]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security and privacy risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk accepted\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA status assigned when the weakness risk has been accepted. 
When assigning this status, an acceptance of the risk must be certified by the appropriate Authorizing Official and documented accordingly. The weakness and corresponding risk must be monitored periodically to ensure the associated risk remains at an acceptable level.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSafeguards\u0026nbsp;\u003c/td\u003e\u003ctd\u003eProtective measures prescribed to meet the security and privacy requirements specified for an information system. Safeguards may include security and privacy features, management constraints, personnel security, and security of physical structures, areas, and devices; synonymous with security and privacy controls and countermeasures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eScheduled or estimated completion date\u003c/td\u003e\u003ctd\u003eA realistic estimate of the amount of time it will take to complete all associated milestones for a POA\u0026amp;M.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity Control Assessment (SCA)\u003c/td\u003e\u003ctd\u003eThe testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. [NIST SP 800-37]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity Control Inheritance\u003c/td\u003e\u003ctd\u003eA situation in which an information system or application receives protection from security and privacy controls (or portions of security and privacy controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. 
See Common Control.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSignificant deficiency\u003c/td\u003e\u003ctd\u003eA weakness in an agency's overall information systems security and privacy program or management control structure, or within one or more information systems, that significantly restricts the capability of the agency to carry out its mission or compromises the security or privacy of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTechnical controls\u003c/td\u003e\u003ctd\u003eSecurity controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. [FIPS 200]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eThreat\u003c/td\u003e\u003ctd\u003eAny potential danger to information or systems. A potential threat event, if realized, would cause an undesirable impact. The undesirable impact can come in many forms, but often results in a financial loss. A threat agent could be an intruder accessing the network through a port on the firewall, a process of accessing data in a way that violates the security or privacy policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information or destroy a file's integrity.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVulnerability\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe absence or weakness of a safeguard that could be exploited; the absence or weakness of cumulative controls protecting a particular asset. 
Vulnerability is a software, hardware, or procedure weakness that may provide an attacker the open door they are looking for to enter a computer or network and have unauthorized access to resources within the environment.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eWaiver\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA status provided when the weakness risk has been accepted and justification has been appropriately documented. Justification of non-compliance must follow the agency's waiver policy and be documented accordingly.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eWeakness\u003c/td\u003e\u003ctd\u003eThe absence of adequate controls.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1b:T9cb3,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is a POA\u0026amp;M?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA Plan of Action and Milestones (POA\u0026amp;M) is a corrective action plan that tracks system weaknesses and allows System Owners and ISSOs to create a plan to resolve the identified weaknesses over time. A POA\u0026amp;M provides details about the personnel, technology, and funding required to accomplish the elements of the plan, milestones for correcting the weaknesses, and scheduled completion dates for the milestones.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePOA\u0026amp;M process overview\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe POA\u0026amp;M process begins when a weakness is identified in a CMS FISMA system. Working together, the System/Business Owner and the Authorizing Official (AO) are responsible for mitigating the risk posed by the weakness, with support from the Information System Security Officer (ISSO) and Cyber Risk Advisor (CRA). 
The steps to the POA\u0026amp;M process are outlined below, and will be described in greater detail throughout the remainder of this guide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify weaknesses\u003c/li\u003e\u003cli\u003eDevelop a Corrective Action Plan (CAP)\u003c/li\u003e\u003cli\u003eDetermine resource and funding availability\u003c/li\u003e\u003cli\u003eAssign a completion date\u003c/li\u003e\u003cli\u003eExecute the Corrective Action Plan (CAP)\u003c/li\u003e\u003cli\u003eVerify weakness completion\u003c/li\u003e\u003cli\u003eAccept risk when applicable\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIdentifying weaknesses\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe term “weakness” represents any information security or privacy vulnerability that could be exploited as a result of a specific control deficiency. Weaknesses can compromise a system's confidentiality, integrity, or availability. All weaknesses that represent risk to the security or privacy of a system must be corrected and the required mitigation efforts captured in a POA\u0026amp;M.\u0026nbsp;For the purpose of this document, the term “weakness” as defined in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST SP 800-53, rev. 5 \u003c/a\u003ewill be synonymous with the terms finding and vulnerability. These terms are defined below:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFinding\u003c/strong\u003e During an assessment or audit, the security and privacy controls of a system are tested, or exercised. A system either satisfies the requirements of a control or does not satisfy it. Findings are the result of the assessment or audit. 
Findings that do not satisfy a control must be addressed with a POA\u0026amp;M.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVulnerability\u003c/strong\u003e A vulnerability is a weakness in a system, a system's security procedures, its internal controls, or its implementation that could be exploited or triggered by a threat source.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFinding weaknesses\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWeaknesses may be found during an internal or external audit, review, or through Continuous Diagnostics and Mitigation (CDM) efforts. There are a number of specific sources that help system teams identify weaknesses:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eHHS OIG Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003eGovernment Accountability Office (GAO) Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003eChief Financial Officer (CFO) Reviews\u0026nbsp;\u003c/li\u003e\u003cli\u003eOMB A-123 Internal Control Reviews\u0026nbsp;\u003c/li\u003e\u003cli\u003eAnnual Assessments\u003c/li\u003e\u003cli\u003eFISMA Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e or Security Control Assessments (SCA)\u0026nbsp;\u003c/li\u003e\u003cli\u003eMedicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) Section 912 Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003eInternal Revenue Service (IRS) Safeguard Reviews\u0026nbsp;\u003c/li\u003e\u003cli\u003eDepartment of Homeland Security (DHS) Risk Vulnerability Assessments (RVA)\u0026nbsp;\u003c/li\u003e\u003cli\u003eDHS Cyber Hygiene\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/penetration-testing\"\u003ePenetration Testing\u0026nbsp;\u003c/a\u003e\u003c/li\u003e\u003cli\u003eVulnerability Scanning\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDuring these assessments, 
reviews, and audits, weaknesses can be found either proactively or reactively.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eProactive - \u003c/strong\u003eProactive weakness identification occurs during regular system reviews conducted by CMS.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eReactive - \u003c/strong\u003eReactive weakness determination indicates that the weakness was identified during an audit or external review, like a penetration test.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWeaknesses are always documented by the source that identified them, and it's important to indicate the identification source as you create your POA\u0026amp;M.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWeakness severity levels\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThere are three severity levels for all weaknesses discovered during assessments, audits, and tests. The risk the weakness poses to the agency's overall security and privacy posture determines a weakness's severity level. 
There are three levels of severity as defined by OMB: significant deficiency, reportable condition, and weakness.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eWeakness severity levels\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSignificant deficiency\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eA weakness is considered a \u003cstrong\u003esignificant deficiency\u003c/strong\u003e if it drastically restricts the capability of the agency to carry out its mission or if it compromises the security or privacy of its information, information systems, personnel, or other resources, operations, or assets.\u0026nbsp;\u003c/p\u003e\u003cp\u003eSenior management must be notified and immediate or near immediate corrective action must be taken.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eReportable Condition\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eA \u003cstrong\u003ereportable condition\u003c/strong\u003e is a weakness that affects the efficiency and effectiveness of agency operations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eDue to its lower associated risk, corrective actions for a reportable condition may be scheduled over a longer period of time. 
The control auditor or assessor will make the determination that a weakness is a reportable condition.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eWeakness\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAll other weaknesses that do not rise to the level of a significant deficiency or reportable condition must be categorized as a weakness.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThey must be mitigated in a timely and efficient manner, as resources permit.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe weakness severity level can be obtained from the source or the audit report. Most findings will generally be categorized as a “weakness”. In the event that a weakness is designated as a “significant deficiency”, then contact the \u003ca href=\"mailto:ciso@cms.hhs.gov\"\u003eCISO mailbox \u003c/a\u003efor further guidance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWeakness risk level\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final\"\u003eNIST SP 800-30 \u003c/a\u003econtains the definitions and the practical guidance necessary for assessing and mitigating identified risks to IT systems. 
Risk level is dependent on multiple factors, such as \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFederal Information Processing Standard (FIPS) 199 \u003c/a\u003ecategory, operating environment, compensating controls, nature of the vulnerability, and impact if a system is compromised.\u003c/p\u003e\u003cp\u003eRisk can be evaluated either qualitatively or quantitatively and is typically expressed in its simplified form as:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRISK = THREAT x IMPACT x LIKELIHOOD\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe result of the analysis of the risk(s) from following the NIST SP 800-30 guide will recommend the overall risk level assigned to the FISMA system of record.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRoot Cause Analysis (RCA)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll weaknesses must be examined to determine their root cause prior to documentation in the POA\u0026amp;M. \u003cstrong\u003eRoot Cause Analysis (RCA)\u003c/strong\u003e is an important and effective methodology used to correct information security or privacy weaknesses by eliminating the underlying cause. Various factors are reviewed to determine if they are the underlying cause of the weakness. Proper evaluation ensures the cause, not the symptom, is treated and prevents resources from being expended unnecessarily on addressing the same weakness.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePrioritizing weaknesses\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS takes a risk management approach to ensure that critical and high-impact weaknesses take precedence over lower-severity weaknesses. 
The following chart will help CMS System/Business Owners and ISSOs prioritize weaknesses on an ongoing basis to ensure that high-priority weaknesses receive the funding and the resources necessary to remediate or mitigate the most significant risks.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePrioritization factor\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDescription\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk level/severity\u003c/td\u003e\u003ctd\u003e\u003cp\u003eWeaknesses on a High or Moderate system, or weaknesses that contribute to a material weakness, significant deficiency, or reportable condition, will normally require more immediate resolution.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis prioritization factor must consider the following elements:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eSensitivity and criticality of information on the system, such as personally identifiable information (PII).\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe estimated likelihood of the weakness occurring and/or being exploited.\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe cost of a potential occurrence or exploitation in terms of dollars, resources, and/or reputation.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAnalysis\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe weakness must be analyzed to determine if there are any other processes or system relationships that it may affect.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDoes the weakness fall within the system authorization boundary?\u0026nbsp;\u003c/li\u003e\u003cli\u003eIs it a potential program weakness?\u0026nbsp;\u003c/li\u003e\u003cli\u003eIs the weakness a systemic issue (across the enterprise) or is it an isolated event?\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSystemic issues represent much greater risk and may be a higher 
priority.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSource\u003c/td\u003e\u003ctd\u003eWhat is the source of the weakness? For example, if the weakness resulted from an audit and is considered a significant deficiency, then greater attention should be focused on this weakness.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVisibility\u003c/td\u003e\u003ctd\u003eHas the weakness drawn a high level of visibility external to the system or program? In some cases, a lower level weakness is a higher priority due to visibility. There are times when senior management or outside organizations focus on a specific weakness. Such weaknesses may take priority.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eRegardless of how the weakness is found and how severe it is,\u0026nbsp;its critical that system teams work together to create a Corrective Action Plan (CAP) to address it.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eDevelop a Corrective Action Plan (CAP)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAfter weaknesses have been identified and the root cause has been determined, a \u003cstrong\u003eCorrective Action Plan (CAP)\u003c/strong\u003e must be developed. The CAP identifies:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe specific tasks, or “milestones”, that need to be accomplished to reduce or eliminate weakness\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe resources required to accomplish the plan\u003c/li\u003e\u003cli\u003eA timeline for correcting the weakness including a completion date\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe milestones in the CAP must provide specific, action-oriented descriptions of the tasks/steps that the stakeholder will take to mitigate the weakness. 
When creating your milestones, be sure that they are:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSpecific\u003c/strong\u003e – target a specific area for improvement\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMeasurable\u003c/strong\u003e – quantify or at least suggest an indicator of progress\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAssignable\u003c/strong\u003e – specify who will do it\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRealistic\u003c/strong\u003e – state what results can realistically be achieved, given available resources\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTime-related\u003c/strong\u003e – specify when the result(s) can be achieved.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe number of milestones written per weakness must directly correspond to the number of steps or corrective actions necessary to fully address and resolve the weakness. Each weakness must have at least one corresponding milestone with an estimated completion date and resource requirements to remediate the weakness. 
The chart below provides samples of compliant and non-compliant milestones that system teams can use when writing their CAP.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eExamples of appropriate milestones\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePOA\u0026amp;M description\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eExample\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eMilestones with completion dates\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVulnerability scanning does not incorporate the entire environment as documented in the System Security and Privacy Plan (SSPP)\u003c/td\u003e\u003ctd\u003eInappropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eEnsure vulnerability scanning covers the entire environment; (11/15/2018)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVulnerability scanning does not incorporate the entire environment as documented in the System Security and Privacy Plan (SSPP)\u003c/td\u003e\u003ctd\u003eAppropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eSchedule a review of the environment inventory; (11/15/2018)\u003c/li\u003e\u003cli\u003eUpdate the SSPP and the vulnerability scanner to reflect the updated inventory; (1/31/2019)\u003c/li\u003e\u003cli\u003eConduct a vulnerability scan to check that the entire inventory is included; (2/15/2019)\u003c/li\u003e\u003cli\u003eImplement an ongoing process to evaluate and update the inventory, the SSPP, and the vulnerability scans on a regular basis; (3/15/2019)\u003c/li\u003e\u003cli\u003ePerform a vulnerability scan and cross check the output with the updated inventory list to verify that the entire environment is included; (4/15/2019)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAudit logs are not periodically 
reviewed\u003c/td\u003e\u003ctd\u003eInappropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eEnsure that audit logs are periodically reviewed; (12/15/2018)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAudit logs are not periodically reviewed\u003c/td\u003e\u003ctd\u003eAppropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eReview policy to ensure that audit log review is required; (12/15/2018)\u003c/li\u003e\u003cli\u003eIdentify the SO; (12/16/2018)\u003c/li\u003e\u003cli\u003eEstablish communication and training to convey the requirement of audit log review; (2/28/2019)\u003c/li\u003e\u003cli\u003eSchedule a follow-up review with the SO to ensure that audit log review is taking place. (3/31/2019)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe CAP should be a collaborative effort with stakeholders including the CISO, System/Business Owners, System Developers and Maintainers, ISSOs, and others as needed. These stakeholders ensure that the CAP is created, executed, monitored, and worked to closure or risk-based acceptance.\u003c/p\u003e\u003cp\u003eOMB provides a standard POA\u0026amp;M format which is utilized at CMS. This structure improves the stakeholders ability to easily locate information and organize details for analysis. The CAP format includes a location for the identified program weakness, any associated milestones, and the necessary resources required.\u0026nbsp;\u003c/p\u003e\u003cp\u003eOnce the CAP is documented, the plan must be entered into \u003ca href=\"https://cfacts.cms.gov/\"\u003eCFACTS\u003c/a\u003e in the form of a series of milestone records. The status of the POA\u0026amp;M will automatically be moved from “draft” to “ongoing” 30 days after the weakness creation date. 
Once a milestone has been accepted/approved and closed, the record must be retained for one year.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eDetermine resource and funding availability\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eMaking funding decisions is often a collaborative exercise that involves multiple system personnel and stakeholders. Examples of questions to ask to determine if your team has the resources to appropriately respond to a weakness are:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eIs one team or person enough, or will the participation of a larger team be needed?\u0026nbsp;\u003c/li\u003e\u003cli\u003eCan the task be accomplished within a week, or will it take several months?\u0026nbsp;\u003c/li\u003e\u003cli\u003eHow serious is the weakness?\u0026nbsp;\u003c/li\u003e\u003cli\u003eWhat is this weakness’s risk level?\u0026nbsp;\u003c/li\u003e\u003cli\u003eHow complex is the CAP?\u0026nbsp;\u003c/li\u003e\u003cli\u003eDo we need to purchase equipment?\u003c/li\u003e\u003cli\u003eCan the weakness be addressed with existing funding, or will we require a new allocation from an existing budget source?\u0026nbsp;\u003c/li\u003e\u003cli\u003eWill addressing this milestone require changes to existing policy or code?\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe System/Business Owner, ISSOs, and other stakeholders must ensure that adequate resources are allocated to mitigate or remediate weaknesses. They must also work together to determine the funding stream required to address the weakness, and any full-time equivalent (FTE) resources required to remediate or mitigate each weakness on the POA\u0026amp;M. 
The resources required for weakness remediation must fall into one of the following three categories:\u003c/p\u003e\u003col\u003e\u003cli\u003eUsing current resources allocated for the security and/or management of a program or system to complete remediation activities\u003c/li\u003e\u003cli\u003eReallocating existing funds that are appropriated and available for the remediation, or redirecting existing personnel\u003c/li\u003e\u003cli\u003eRequesting additional funding or personnel\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eDuplicate or similar weaknesses shall be documented in one POA\u0026amp;M, existing or new, to avoid inconsistencies. If a related POA\u0026amp;M already exists, the additional weakness shall be noted in the comment field.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAssign a completion date\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSystem/Business Owners, ISSOs, and other stakeholders must determine the scheduled completion date for each weakness using the criteria established by the remediation and mitigation timeline, the risk level, and the severity level. The milestone(s) completion date must not exceed the scheduled completion date assigned to the weakness.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIt is also a good practice to first determine the milestones with completion dates, as this will help determine a more accurate overall scheduled completion date for the weakness. The weakness’s scheduled completion date is a calculated date. It is determined by the date the weakness was identified and the risk level. The scheduled completion date established at the creation of the weakness must not be modified after the weakness is reported to OMB. 
POA\u0026amp;Ms become reportable once the status changes from “Draft” to “Ongoing” in CFACTS.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf a weakness is not remediated within the scheduled completion date, a new estimated completion date must be determined and documented in the Changes to Milestones and Comment fields in the POA\u0026amp;M in CFACTS.\u003c/p\u003e\u003cp\u003e\u003cem\u003eNOTE: In use cases where a responsive and timely POA\u0026amp;M cannot be developed, the ISSO can choose to consider the Risk Based Decision (RBD) process to request the Authorizing Official (AO) to consider a risk acceptance until such time the vulnerability can be remediated.\u003c/em\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eExecute the Corrective Action Plan (CAP)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA designated Point of Contact (POC), responsible for ensuring proper execution of the CAP, must be identified for each weakness and its milestones. Individual(s) responsible for the execution of the CAP vary widely depending on the organization, system, milestones, and weakness.\u003c/p\u003e\u003cp\u003eThis POC resource will be key to identifying an “owner” of the milestone and ensuring the milestone is worked to the eventual remediation of the weakness or acceptable mitigation of the weakness. Once the planning of the necessary corrective action is complete and adequate resources have been made available, remediation or mitigation activities will proceed in accordance with the plan.\u003c/p\u003e\u003cp\u003eIf the completion of a milestone extends past its original estimated completion date, an update to the milestone and the completion date of the milestone must be captured in the “Changes to Milestone” field of CFACTS. 
If the scheduled completion date has passed before the weakness is remediated or mitigated, the weakness must default to “Delayed” status and a justification with a new estimated completion date must be documented in the “Comment” field and the “Changes to Milestone” field of the relevant weakness in CFACTS.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eVerify weakness completion\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS requires that all information in the POA\u0026amp;M be updated at least quarterly, ensuring accuracy for efficient tracking and reporting. As part of the review process, the ISSO will:\u003c/p\u003e\u003cul\u003e\u003cli\u003eValidate that the weakness is properly identified and prioritized\u003c/li\u003e\u003cli\u003eEnsure that appropriate resources have been made available to resolve the weakness\u003c/li\u003e\u003cli\u003eEnsure that the schedule for resolving the weakness is both appropriate and achievable\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eAccept risk when applicable\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA POA\u0026amp;M is a plan to resolve unacceptable risks. In rare cases, the Business Owner can present a case for accepting the risk to the AO or CIO, who may make the decision to accept the risk at their discretion. This is part of the Risk Based Decision (RBD) process. After approval, RBDs shall be reviewed at least annually to ensure the risk remains acceptable and updated as events occur and information changes. 
RBDs are managed in CFACTS under the \"RBD\" tab.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eClosing a POA\u0026amp;M\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePOA\u0026amp;Ms designated as Low and Moderate are closed by the ISSO and spot-audited by a CRA.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms designated as Critical and High are closed by the CRA.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms generated from audits should be reviewed by the auditor prior to closure.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms resulting from a Penetration Test (PenTest) are closed by the PenTest team after the re-test has been performed.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eReports\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eReporting is a critical component of POA\u0026amp;M management, and CMS reports its remediation efforts on a monthly basis. The information in the POA\u0026amp;M must be maintained continuously to communicate overall progress. CMS must submit POA\u0026amp;M updates at least once a month (by the 3rd business day of each month) to HHS to demonstrate the status of POA\u0026amp;M mitigation or remediation activities.\u003c/p\u003e\u003cp\u003eCMS must submit the following information in accordance with the Department POA\u0026amp;M reporting requirements:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAll POA\u0026amp;Ms associated with a program, system and/or component that are within an authorization boundary. 
POA\u0026amp;Ms must be tied to the individual system and/or component and not the authorization boundary.\u003c/li\u003e\u003cli\u003eAn explanation associated with each delayed POA\u0026amp;M and a revised estimated completion date.\u003c/li\u003e\u003cli\u003eCompleted POA\u0026amp;Ms for up to one year from the date of completion.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWeakness remediation and mitigation timeline\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAfter positive identification of scan findings or approval of security assessment and/or audit report, all findings/weaknesses shall be documented in a POA\u0026amp;M, reported to HHS, and remediated/mitigated within the following remediation timelines.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eCritical within 15 days\u003c/li\u003e\u003cli\u003e\u0026nbsp;High within 30 days\u003c/li\u003e\u003cli\u003eModerate within 90 days\u003c/li\u003e\u003cli\u003eLow within 365 days\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eBusiness Owners, ISSOs, and/or other POA\u0026amp;M stakeholders must work together to determine the scheduled completion date for each POA\u0026amp;M within the specified remediation timelines. These timelines are based on the date the weakness is identified, not the date the POA\u0026amp;M is created. Stakeholders should complete and submit their CAAT templates in a timely manner to allow for the maximum time to complete the remediation/mitigation.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf it is determined that additional time is needed to remediate or mitigate a weakness, the justification with a modified estimated completion date shall be documented in the POA\u0026amp;M in the Changes to Milestones and Comment fields in CFACTS. 
If weaknesses are not remediated within the scheduled completion date, the status shall change to “Delayed”.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWeaknesses discovered during a government audit\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWeaknesses identified during a government audit (e.g., an Inspector General or GAO audit) shall be documented in the POA\u0026amp;M after the audit draft report is produced, regardless of CMS acceptance of the identified weakness(es). Disagreements on findings that cannot be resolved between CMS and the auditing office shall be elevated to the Department for resolution. Systems must review and update POA\u0026amp;Ms at least quarterly. In addition, compensating controls must be in place and documented until weaknesses are remediated or mitigated to an acceptable level of risk.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eCFACTS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eStakeholders must use\u0026nbsp;\u003ca href=\"https://cfacts.cms.gov/\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eCFACTS\u003c/a\u003e, the CMS governance, risk, and compliance (GRC) tool, to identify, track, and manage all system weaknesses and associated POA\u0026amp;Ms to closure for CMS information systems. Users who need access to CFACTS may request an account and appropriate privileges through the Enterprise User Administration (EUA). The job code is \u003cstrong\u003eCFACTS_User_P\u003c/strong\u003e. Once the job code is assigned, the user must email the CISO mailbox at \u003ca href=\"mailto:ciso@cms.hhs.gov\"\u003eciso@cms.hhs.gov\u003c/a\u003e to notify the CISO of the user’s role (ISSO, System Developer, or System/Business Owner).\u003c/p\u003e\u003cp\u003eThe \u003cstrong\u003eCFACTS User Manual\u003c/strong\u003e provides detailed instructions for processing POA\u0026amp;M actions in the CFACTS tracking system. 
The User Manual can be accessed under the \u003cstrong\u003eCFACTS Documents\u003c/strong\u003e section on the \u003cstrong\u003eCFACTS Artifacts\u003c/strong\u003e page which can be accessed by clicking on the CFACTS Artifacts icon on the welcome page.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePOA\u0026amp;M Glossary\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe following glossary will help system teams understand the language of the POA\u0026amp;M process.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTerm\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDefinition\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAnnual Assessment\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe process of validating the effective implementation of security and privacy controls in the information system and its environment of operation within every three hundred sixty-five (365) days in accordance with the CMS Information Security (IS) Acceptable Risk Safeguards (ARS) Including CMS Minimum Security Requirements (CMSR) Standard, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAudit\u003c/td\u003e\u003ctd\u003eAn independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCapital Planning and Investment Control\u003c/td\u003e\u003ctd\u003eA decision-making process for ensuring that investments integrate strategic planning, budgeting, procurement, and the management of or in support of Agency missions and business needs. 
[OMB Circular No. A-11]. The term comes from the Clinger-Cohen Act of 1996; while originally focused on IT, it now applies also to non-IT investments.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCommon Control\u003c/td\u003e\u003ctd\u003eA security or privacy control that is inherited by one or more organizational information systems. See Security Control Inheritance.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompleted\u003c/td\u003e\u003ctd\u003eA status assigned when all corrective actions have been completed or closed for a weakness and the weakness has been verified as successfully mitigated. Documentation is required to demonstrate the weakness has been adequately resolved. When assigning the status of Completed, the date of completion must also be included.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompletion date\u003c/td\u003e\u003ctd\u003eThe action date when all weaknesses have been fully resolved and the corrective action plan has been tested.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl activities\u003c/td\u003e\u003ctd\u003eThe policies and procedures that help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entitys objectives. Control activities, whether automated or manual, help achieve control objectives and are applied at various organizational and functional levels.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl deficiency\u003c/td\u003e\u003ctd\u003eA deficiency that exists when the design or operation of a control does not allow management or employees to, in the normal course of performing their assigned functions, prevent or detect breaches of confidentiality, integrity, or availability on a timely basis. 
(See also design deficiency or operations deficiency)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCorrective Action Plan (CAP)\u003c/td\u003e\u003ctd\u003eThe plan management formulates to document the procedures and milestones identified to correct control deficiencies.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCriteria\u003c/td\u003e\u003ctd\u003e\u003cp\u003eA context for evaluating evidence and understanding the findings, conclusions, and recommendations included in the report. Criteria represent the laws, regulations, contracts, grant agreements, standards, specific requirements, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated.\u003c/p\u003e\u003cp\u003eCriteria identify the required or desired state or expectation with respect to the program or operation.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDelayed\u003c/td\u003e\u003ctd\u003eA status assigned when a weakness continues to be mitigated after the original scheduled completion date has passed. When assigning the status of Delayed, an explanation must be provided in the milestone as to why the delay is occurring, as well as the revised completion date.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDesign deficiency\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA deficiency that exists when a control necessary to meet the control objective is missing or an existing control is not properly designed, so that even if the control operates as designed the control objective is not always met.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDraft\u003c/td\u003e\u003ctd\u003eA status that indicates that a weakness requires review and approval prior to “official” entry in the POA\u0026amp;M. 
Types of review that may take place while a weakness is in draft status would be: reviewing to determine if the weakness already exists and would be a duplicate; reviewing to determine if the organization will accept the risk, or apply for a waiver; etc.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEvidence\u003c/td\u003e\u003ctd\u003eAny information used by the auditor, tester, or evaluator, to determine whether the information being audited, evaluated, or assessed is stated in accordance with the established criteria.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFISMA Audit\u003c/td\u003e\u003ctd\u003eA FISMA assessment designed to determine areas of compliance and areas requiring remediation to become FISMA compliant.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFederal Information Security Modernization Act (FISMA)\u003c/td\u003e\u003ctd\u003eRequires agencies to integrate information technology (IT) security into their capital planning and enterprise architecture processes at the agency, conduct annual IT security reviews of all programs and systems, and report the results of those reviews to the OMB. 
[NIST SP 800-65]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFindings\u003c/td\u003e\u003ctd\u003eConclusions based on an evaluation of sufficient, appropriate evidence against criteria.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInformation Security Risk\u003c/td\u003e\u003ctd\u003eThe risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePrimary Information System Security Officer (ISSO)\u003c/td\u003e\u003ctd\u003eIndividual with assigned responsibility for maintaining the appropriate operational security and privacy posture for an information system or program.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInitial audit findings\u003c/td\u003e\u003ctd\u003eAny type of audit conducted on a financial system or a non-financial system.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInternal control\u003c/td\u003e\u003ctd\u003eAn integral component of an organization’s management systems that provides reasonable assurance that the following objectives are being achieved: effectiveness and efficiency of operations, reliability of financial reporting, or compliance with applicable laws and regulations.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eManagement controls\u003c/td\u003e\u003ctd\u003eThe security or privacy controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security and privacy.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMaterial weakness\u003c/td\u003e\u003ctd\u003eMaterial weaknesses include reportable conditions that the Secretary or Component Head determines to be significant 
enough to report outside of the Department. Material weakness in internal control over financial reporting is a reportable condition, or combination of reportable conditions, that results in more than a remote likelihood that a material misstatement of the financial statements, or other significant financial reports, will not be prevented or detected.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMetrics\u0026nbsp;\u003c/td\u003e\u003ctd\u003eTools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNon-conformance\u0026nbsp;\u003c/td\u003e\u003ctd\u003eInstances in which financial management systems do not substantially conform to financial systems requirements. Financial management systems include both financial and financially-related (or mixed) systems.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOngoing\u003c/td\u003e\u003ctd\u003eA status assigned when a weakness is in the process of being mitigated and has not yet exceeded the original scheduled completion date.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOperational controls\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe security or privacy controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems).\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOperations deficiency\u003c/td\u003e\u003ctd\u003eA deficiency that exists when a properly designed control does not operate as designed or when the person performing the control is not qualified or properly skilled to perform the control effectively.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePending verification\u003c/td\u003e\u003ctd\u003eA status that indicates that all milestones/corrective actions have been completed but require review and sign-off 
to ensure effective resolution.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/td\u003e\u003ctd\u003eA FISMA mandated corrective action plan to identify and resolve information security and privacy weaknesses. A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePotential impact\u003c/td\u003e\u003ctd\u003eThe loss of confidentiality, integrity, or availability could be expected to have: (i) a limited adverse effect (FIPS 199 low); (ii) a serious adverse effect (FIPS 199 moderate); or (iii) a severe or catastrophic adverse effect (FIPS 199 high) on organizational operations, organizational assets, or individuals.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eProgram\u003c/td\u003e\u003ctd\u003eAn organized set of activities directed toward a goal or particular set of goals or objectives for which the program is accountable; a distinct set of activities and strategies organized toward achieving a specific purpose. A program is a representation of what is delivered to the public. 
Programs usually operate for indefinite or continuous periods, but may consist of several projects or initiatives.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eReportable condition\u0026nbsp;\u003c/td\u003e\u003ctd\u003eReportable conditions overall include a control deficiency, or combination of control deficiencies, that in management's judgment, must be communicated because they represent significant weaknesses in the design or operation of an internal control that could adversely affect the organization's ability to meet its internal control objectives.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eResilience\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe ability to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs. [NIST SP 800-39, Adapted]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security and privacy risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk accepted\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA status assigned when the weakness risk has been accepted. 
When assigning this status, an acceptance of the risk must be certified by the appropriate Authorizing Official and documented accordingly. The weakness and corresponding risk must be monitored periodically to ensure the associated risk remains at an acceptable level.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSafeguards\u0026nbsp;\u003c/td\u003e\u003ctd\u003eProtective measures prescribed to meet the security and privacy requirements specified for an information system. Safeguards may include security and privacy features, management constraints, personnel security, and security of physical structures, areas, and devices; synonymous with security and privacy controls and countermeasures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eScheduled or estimated completion date\u003c/td\u003e\u003ctd\u003eA realistic estimate of the amount of time it will take to complete all associated milestones for a POA\u0026amp;M.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity Control Assessment (SCA)\u003c/td\u003e\u003ctd\u003eThe testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. [NIST SP 800-37]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity Control Inheritance\u003c/td\u003e\u003ctd\u003eA situation in which an information system or application receives protection from security and privacy controls (or portions of security and privacy controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. 
See Common Control.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSignificant deficiency\u003c/td\u003e\u003ctd\u003eA weakness in an agency's overall information systems security and privacy program or management control structure, or within one or more information systems, that significantly restricts the capability of the agency to carry out its mission or compromises the security or privacy of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTechnical controls\u003c/td\u003e\u003ctd\u003eSecurity controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. [FIPS 200]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eThreat\u003c/td\u003e\u003ctd\u003eAny potential danger to information or systems. A potential threat event, if realized, would cause an undesirable impact. The undesirable impact can come in many forms, but often results in a financial loss. A threat agent could be an intruder accessing the network through a port on the firewall, a process of accessing data in a way that violates the security or privacy policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information or destroy a file's integrity.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVulnerability\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe absence or weakness of a safeguard that could be exploited; the absence or weakness of cumulative controls protecting a particular asset. 
Vulnerability is a software, hardware, or procedure weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eWaiver\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA status provided when the weakness risk has been accepted and justification has been appropriately documented. Justification of non- compliance must follow the agency's waiver policy and be documented accordingly.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eWeakness\u003c/td\u003e\u003ctd\u003eThe absence of adequate controls.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1d:{\"self\":\"$1e\"}\n21:[\"menu_ui\",\"scheduler\"]\n20:{\"module\":\"$21\"}\n24:[]\n23:{\"available_menus\":\"$24\",\"parent\":\"\"}\n25:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n22:{\"menu_ui\":\"$23\",\"scheduler\":\"$25\"}\n1f:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$20\",\"third_party_settings\":\"$22\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at 
CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1c:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1d\",\"attributes\":\"$1f\"}\n28:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}\n27:{\"self\":\"$28\"}\n29:{\"display_name\":\"jcallan - retired\"}\n26:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":\"$27\",\"attributes\":\"$29\"}\n2c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n2b:{\"self\":\"$2c\"}\n2d:{\"display_name\":\"meg - retired\"}\n2a:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$2b\",\"attributes\":\"$2d\"}\n30:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}\n2f:{\"self\":\"$30\"}\n32:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n31:{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General 
Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04"])</script><script>self.__next_f.push([1,":03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$32\"}\n36:{\"drupal_internal__target_id\":\"resource_type\"}\n35:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$36\"}\n38:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"}\n39:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}\n37:{\"related\":\"$38\",\"self\":\"$39\"}\n34:{\"data\":\"$35\",\"links\":\"$37\"}\n3c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"}\n3d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}\n3b:{\"related\":\"$3c\",\"self\":\"$3d\"}\n3a:{\"data\":null,\"links\":\"$3b\"}\n44:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n43:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$44\"}\n42:{\"help\":\"$43\"}\n41:{\"links\":\"$42\"}\n40:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$41\"}\n3f:[\"$40\"]\n46:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"}\n47:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}\n45:{\"related\":\"$46\",\"self\":\"$47\"}\n3e:{\"data\":\"$3f\",\"links\":\"$45\"}\n33:{\"vid\":\"$34\",\"revision_user\":\"$3a\",\"parent\":\"$3e\"}\n2e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":\"$2f\",\"attributes\":\"$31\",\"relationships\":\"$33\"}\n4a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n49:{\"self\":\"$4a\"}\n4c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4b:{\"drup"])</script><script>self.__next_f.push([1,"al_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4c\"}\n50:{\"drupal_internal__target_id\":\"roles\"}\n4f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$50\"}\n52:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n53:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n51:{\"related\":\"$52\",\"self\":\"$53\"}\n4e:{\"data\":\"$4f\",\"links\":\"$51\"}\n56:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n57:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n55:{\"related\":\"$56\",\"self\":\"$57\"}\n54:{\"data\":null,\"links\":\"$55\"}\n5e:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n5d:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5e\"}\n5c:{\"help\":\"$5d\"}\n5b:{\"links\":\"$5c\"}\n5a:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$5b\"}\n59:[\"$5a\"]\n60:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n61:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n5f:{\"related\":\"$60\",\"self\":\"$61\"}\n58:{\"data\":\"$59\",\"links\":\"$5f\"}\n4d:{\"vid\":\"$4e\",\"revision_user\":\"$54\",\"parent\":\"$58\"}\n48:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$49\",\"attributes\":\"$4b\",\"relationships\":\"$4d\"}\n64:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_t"])</script><script>self.__next_f.push([1,"erm/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n63:{\"self\":\"$64\"}\n66:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n65:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$66\"}\n6a:{\"drupal_internal__target_id\":\"roles\"}\n69:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$6a\"}\n6c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n6d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n6b:{\"related\":\"$6c\",\"self\":\"$6d\"}\n68:{\"data\":\"$69\",\"links\":\"$6b\"}\n70:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n71:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n6f:{\"related\":\"$70\",\"self\":\"$71\"}\n6e:{\"data\":null,\"links\":\"$6f\"}\n78:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n77:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$78\"}\n76:{\"help\":\"$77\"}\n75:{\"links\":\"$76\"}\n74:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$75\"}\n73:[\"$74\"]\n7a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n7b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n79:{\"related\":\"$7a\",\"self\":\"$7b\"}\n72:{\"data\":\"$73\",\"links\":\"$79\"}\n67:{\"vid\":\"$68\",\"revision_user\":\"$6e\",\"parent\":\"$72\"}\n62:{\"type\":\"taxonomy_term--"])</script><script>self.__next_f.push([1,"roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$63\",\"attributes\":\"$65\",\"relationships\":\"$67\"}\n7e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n7d:{\"self\":\"$7e\"}\n80:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n7f:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$80\"}\n84:{\"drupal_internal__target_id\":\"roles\"}\n83:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$84\"}\n86:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n87:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n85:{\"related\":\"$86\",\"self\":\"$87\"}\n82:{\"data\":\"$83\",\"links\":\"$85\"}\n8a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n8b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n89:{\"related\":\"$8a\",\"self\":\"$8b\"}\n88:{\"data\":null,\"links\":\"$89\"}\n92:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n91:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$92\"}\n90:{\"help\":\"$91\"}\n8f:{\"links\":\"$90\"}\n8e:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$8f\"}\n8d:[\"$8e\"]\n94:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n95:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n93:"])</script><script>self.__next_f.push([1,"{\"related\":\"$94\",\"self\":\"$95\"}\n8c:{\"data\":\"$8d\",\"links\":\"$93\"}\n81:{\"vid\":\"$82\",\"revision_user\":\"$88\",\"parent\":\"$8c\"}\n7c:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$7d\",\"attributes\":\"$7f\",\"relationships\":\"$81\"}\n98:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\n97:{\"self\":\"$98\"}\n9a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n99:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System 
Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$9a\"}\n9e:{\"drupal_internal__target_id\":\"roles\"}\n9d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$9e\"}\na0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\na1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\n9f:{\"related\":\"$a0\",\"self\":\"$a1\"}\n9c:{\"data\":\"$9d\",\"links\":\"$9f\"}\na4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\na5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\na3:{\"related\":\"$a4\",\"self\":\"$a5\"}\na2:{\"data\":null,\"links\":\"$a3\"}\nac:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nab:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$ac\"}\naa:{\"help\":\"$ab\"}\na9:{\"links\":\"$aa\"}\na8:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$a9\"}\na7:[\"$a8\"]\nae:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\naf:{\"href\":\"https://"])</script><script>self.__next_f.push([1,"cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\nad:{\"related\":\"$ae\",\"self\":\"$af\"}\na6:{\"data\":\"$a7\",\"links\":\"$ad\"}\n9b:{\"vid\":\"$9c\",\"revision_user\":\"$a2\",\"parent\":\"$a6\"}\n96:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":\"$97\",\"attributes\":\"$99\",\"relationships\":\"$9b\"}\nb2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674?resourceVersion=id%3A6\"}\nb1:{\"self\":\"$b2\"}\nb4:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb3:{\"drupal_internal__tid\":6,\"drupal_internal__revision_id\":6,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:04:59+00:00\",\"status\":true,\"name\":\"Assessments \u0026 
Audits\",\"description\":null,\"weight\":1,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b4\"}\nb8:{\"drupal_internal__target_id\":\"topics\"}\nb7:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$b8\"}\nba:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/vid?resourceVersion=id%3A6\"}\nbb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/vid?resourceVersion=id%3A6\"}\nb9:{\"related\":\"$ba\",\"self\":\"$bb\"}\nb6:{\"data\":\"$b7\",\"links\":\"$b9\"}\nbe:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/revision_user?resourceVersion=id%3A6\"}\nbf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/revision_user?resourceVersion=id%3A6\"}\nbd:{\"related\":\"$be\",\"self\":\"$bf\"}\nbc:{\"data\":null,\"links\":\"$bd\"}\nc6:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nc5:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c6\"}\nc4:{\"help\":\"$c5\"}\nc3:{\"links\":\"$c4\"}\nc2:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$c3\"}\nc1:[\"$c2\"]\nc8:{\"href\":\"htt"])</script><script>self.__next_f.push([1,"ps://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/parent?resourceVersion=id%3A6\"}\nc9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/parent?resourceVersion=id%3A6\"}\nc7:{\"related\":\"$c8\",\"self\":\"$c9\"}\nc0:{\"data\":\"$c1\",\"links\":\"$c7\"}\nb5:{\"vid\":\"$b6\",\"revision_user\":\"$bc\",\"parent\":\"$c0\"}\nb0:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"links\":\"$b1\",\"attributes\":\"$b3\",\"relationships\":\"$b5\"}\ncc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}\ncb:{\"self\":\"$cc\"}\nce:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\ncd:{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 
Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$ce\"}\nd2:{\"drupal_internal__target_id\":\"topics\"}\nd1:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$d2\"}\nd4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"}\nd5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}\nd3:{\"related\":\"$d4\",\"self\":\"$d5\"}\nd0:{\"data\":\"$d1\",\"links\":\"$d3\"}\nd8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"}\nd9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}\nd7:{\"related\":\"$d8\",\"self\":\"$d9\"}\nd6:{\"data\":null,\"links\":\"$d7\"}\ne0:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\ndf:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-con"])</script><script>self.__next_f.push([1,"cepts#virtual\",\"meta\":\"$e0\"}\nde:{\"help\":\"$df\"}\ndd:{\"links\":\"$de\"}\ndc:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$dd\"}\ndb:[\"$dc\"]\ne2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"}\ne3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}\ne1:{\"related\":\"$e2\",\"self\":\"$e3\"}\nda:{\"data\":\"$db\",\"links\":\"$e1\"}\ncf:{\"vid\":\"$d0\",\"revision_user\":\"$d6\",\"parent\":\"$da\"}\nca:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":\"$cb\",\"attributes\":\"$cd\",\"relationships\":\"$cf\"}\ne6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7a011f0b-d154-4824-a3d9-ab6d2d897205?resourceVersion=id%3A19037\"}\ne5:{\"self\":\"$e6\"}\ne8:[]\n"])</script><script>self.__next_f.push([1,"e9:{\"value\":\"\u003ch2\u003e\u003cstrong\u003eWhat is a POA\u0026amp;M?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhen regular audits are conducted to assess the security posture of CMS information systems (and when new systems are being developed) there will inevitably be times that improvements or adjustments are needed. This isnt a negative reflection on the Business Owner, ISSO, or system builder its just a result of the fact that security is never “done”. Cyber threats are always evolving, and changes to systems or how they operate can also introduce new risks.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe process to mitigate risks and weaknesses in CMS systems is called a Plan of Action and Milestones (POA\u0026amp;M). A POA\u0026amp;M is created whenever audits reveal an area of weakness in security controls. 
This is an opportunity to strengthen or “harden” your system through carefully planned improvements, which boost the overall resilience of our agency's cyber infrastructure. The CMS security staff and your integrated team are ready to help you along the way.\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2\u003e\u003cstrong\u003eWhat is a POA\u0026amp;M?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhen regular audits are conducted to assess the security posture of CMS information systems (and when new systems are being developed) there will inevitably be times that improvements or adjustments are needed. This isn't a negative reflection on the Business Owner, ISSO, or system builder — it's just a result of the fact that security is never “done”. Cyber threats are always evolving, and changes to systems or how they operate can also introduce new risks.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe process to mitigate risks and weaknesses in CMS systems is called a Plan of Action and Milestones (POA\u0026amp;M). A POA\u0026amp;M is created whenever audits reveal an area of weakness in security controls. This is an opportunity to strengthen or “harden” your system through carefully planned improvements, which boost the overall resilience of our agency's cyber infrastructure. 
The CMS security staff and your integrated team are ready to help you along the way.\u003c/p\u003e\"}\n"])</script><script>self.__next_f.push([1,"e7:{\"drupal_internal__id\":506,\"drupal_internal__revision_id\":19037,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-02T16:47:02+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$e8\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$e9\"}\ned:{\"drupal_internal__target_id\":\"page_section\"}\nec:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$ed\"}\nef:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7a011f0b-d154-4824-a3d9-ab6d2d897205/paragraph_type?resourceVersion=id%3A19037\"}\nf0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7a011f0b-d154-4824-a3d9-ab6d2d897205/relationships/paragraph_type?resourceVersion=id%3A19037\"}\nee:{\"related\":\"$ef\",\"self\":\"$f0\"}\neb:{\"data\":\"$ec\",\"links\":\"$ee\"}\nf3:{\"target_revision_id\":19036,\"drupal_internal__target_id\":3384}\nf2:{\"type\":\"paragraph--call_out_box\",\"id\":\"435f83c6-c36a-46c4-bea6-029c80c14ff1\",\"meta\":\"$f3\"}\nf5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7a011f0b-d154-4824-a3d9-ab6d2d897205/field_specialty_item?resourceVersion=id%3A19037\"}\nf6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7a011f0b-d154-4824-a3d9-ab6d2d897205/relationships/field_specialty_item?resourceVersion=id%3A19037\"}\nf4:{\"related\":\"$f5\",\"self\":\"$f6\"}\nf1:{\"data\":\"$f2\",\"links\":\"$f4\"}\nea:{\"paragraph_type\":\"$eb\",\"field_specialty_item\":\"$f1\"}\ne4:{\"type\":\"paragraph--page_section\",\"id\":\"7a011f0b-d154-4824-a3d9-ab6d2d897205\",\"links\":\"$e5\",\"attributes\":\"$e7\",\"relationships\":\"$ea\"}\nf9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ee1fabb0-058d
-4b71-a7db-8a9ce8319795?resourceVersion=id%3A19038\"}\nf8:{\"self\":\"$f9\"}\nfb:[]\nfd:T2408,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the POA\u0026amp;M process?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePOA\u0026amp;Ms are created and tracked in the \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Controls Tracking System (CFACTS)\u003c/a\u003e. The process is briefly summarized below. You can find detailed information about POA\u0026amp;Ms in the CMS Plan of Action and Milestones (POA\u0026amp;M) Handbook.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eReceive audit reports\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThroughout the year, ongoing assessments and audits are conducted on systems to help improve overall security stature at CMS. Sometimes these activities result in “findings” — threats and vulnerabilities that exist in our programs or security systems which require attention.\u003c/p\u003e\u003cp\u003eAfter an assessment or audit, youll receive a report that shows potential areas of concern. Risks are always present and always changing, and audit findings help us uncover them. There are various methods and time frames for resolving these findings, but all findings must follow a distinct remediation process. We look carefully at the finding source (how and where the weakness was identified) to determine what template to use to report the finding to you.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFind opportunities to improve security\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf a potential threat or vulnerability is found in your system, start by discussing it with your integrated project team to make sure you fully understand its implications. Whoever conducted the audit or assessment will document the finding using the CMS Assessment and Audit Template (CAAT). 
It will explain where the system is performing as expected and where it could be strengthened.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAuditors and assessors use the term \"weakness\" in their reports to describe threats and vulnerabilities. Sometimes the risk can be fixed right away, and sometimes a POA\u0026amp;M is needed. Occasionally, some of these threats and vulnerabilities may be addressed to some degree through an existing, compensating control, and your team may decide that the risk is acceptable.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAnalyze risks and options\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf your program or system is at risk, you will need to consider the Risk Level and Severity Level. A Risk Level is calculated based on the likelihood of the risk being exploited, and the potential resulting impact on the system and users. The Severity Level considers the significance that the weakness(s) poses to your system and the agencys overall security and privacy posture.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAnalyzing threats and vulnerabilities requires an impact assessment, and consultation with your integrated project team and vendor supports. Several methodologies may be used during this phase, including a \u003cstrong\u003eRoot Cause Analysis\u003c/strong\u003e which helps you uncover the actual cause(s) and not just a symptom of the finding.\u0026nbsp;\u003c/p\u003e\u003cp\u003eUsing the results of these analyses, you and your team will consider options for how to address the findings and associated risks. 
Ultimately there are two choices:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDeem the risk “acceptable” and develop a \u003cstrong\u003eRisk-Based Decision (RBD)\u003c/strong\u003e to explain your justification for accepting the risk\u003c/li\u003e\u003cli\u003eDeem the risk “unacceptable” and move on to develop a mitigation strategy\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eDevelop a corrective action plan\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Corrective Action Plan forms the foundation of the POA\u0026amp;M. It describes the identified weaknesses, any associated milestones, and necessary resources required. Developing this plan should be a collaborative process, with input from your integrated project team and other stakeholders.\u003c/p\u003e\u003cp\u003eThe milestones in your plan must provide specific descriptions of the steps your team will take to mitigate the finding. Each finding must have at least one corresponding milestone with an estimated completion date and resource requirements to remediate the finding.\u003c/p\u003e\u003cp\u003eOnce the plan is formally documented, it is entered into CFACTS as a series of milestone records. The status of the POA\u0026amp;M will automatically be moved from “draft” to “ongoing” 30 days after the creation date.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePut the plan into action\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOnce your POA\u0026amp;M is approved, possibly with additional recommendations from ISPG support staff, you will take steps to put the plan into action. You need to determine the specific funding and personnel resources needed to mitigate each finding on the POA\u0026amp;M. 
In most cases, the existing resources allocated to a program or system will be sufficient, but occasionally you may need to request additional funding or personnel.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eNext, you will work with your vendor(s) to create and test the appropriate safeguard(s) and countermeasures that mitigate the risks. This can take a few weeks or several months depending on the complexity of the change. In some cases, a third party software vendor may need to issue a patch or fix.\u003c/p\u003e\u003cp\u003eThe steps and timeline to complete your POA\u0026amp;M may need to be adjusted along the way. A POA\u0026amp;M is a living document that should be continually updated as circumstances evolve.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eReport on progress\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePOA\u0026amp;Ms should be reviewed and updated in CFACTS on a continuing basis to show that they are on track for completion. CMS requires that all information in the POA\u0026amp;M should at minimum be updated monthly and be accurate on the first day of each month for tracking and reporting purposes.\u003cbr\u003e\u003cbr\u003eRegular POA\u0026amp;M reporting helps to ensure that:\u003c/p\u003e\u003cul\u003e\u003cli\u003eVulnerabilities or \"weaknesses\" are properly identified and prioritized\u003c/li\u003e\u003cli\u003eAdequate resources have been allocated and assigned\u003c/li\u003e\u003cli\u003eTimeline to mitigate vulnerabilities is achievable\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eA vulnerability must have a milestone entered with it that identifies specific actions of mitigation and a completion date to denote progress. 
Identifying the status of a corrective action demonstrates that the POA\u0026amp;M is a part of an ongoing monitoring process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConfirm POA\u0026amp;M completion\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWhen your new safeguard(s) are tested and approved for release, you are almost across the finish line! Youll need to confirm the successful resolution of vulnerabilities and provide artifacts related to the POA\u0026amp;M completion. Examples of such artifacts may include control text results, a policy or procedure document, a screenshot of a patch applied, or other new system documentation.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCyber Risk Advisors at ISPG will review certain POA\u0026amp;M findings. Based on a risk determination and the evidence provided, they will decide if the finding has been adequately addressed and corrected. The initial findings that prompted the creation of a POA\u0026amp;M should not be marked “completed” until they are proven to be fully resolved. When completion is confirmed, the ISSO will mark the POA\u0026amp;M closed in CFACTS.\u003c/p\u003e\u003cp\u003eCompleted POA\u0026amp;Ms must remain on the monthly POA\u0026amp;M report for one year after their completion date. The artifacts are stored in CFACTS and retained for at least one year with the completed POA\u0026amp;M.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePOA\u0026amp;Ms and continuous monitoring\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBesides requiring corrective actions to mitigate weaknesses, CMS continuously monitors risk across all systems so that resources can be allocated effectively. Its important to understand how this continuous monitoring affects the POA\u0026amp;M process.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePOA\u0026amp;M reporting\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS submits POA\u0026amp;M reports to HHS at least once a month to show the status of mitigation activities. 
The information within a POA\u0026amp;M must be \u003cstrong\u003emaintained continuously\u003c/strong\u003e so that CMS reports are reflective of the current state. The reports to HHS also include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCompleted POA\u0026amp;Ms, for a year after their completion\u003c/li\u003e\u003cli\u003eDelayed POA\u0026amp;Ms, along with an explanation for their delay and a revised estimated completion date\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eRisk Based Decisions (RBD)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSometimes a Business Owner and their project team may decide to accept potential risk(s) identified by assessment findings. They must create a Risk Based Decision (RBD) to explain the reasoning and the accepted risk. As part of \u003cstrong\u003econtinuous monitoring\u003c/strong\u003e across CMS, all RBDs are reviewed annually to ensure the risk remains acceptable. Risk Based Decisions may be updated as events occur and information changes. RBDs are managed in CFACTS under the \"RBD\" tab.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eRisk evaluation and prioritization\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs POA\u0026amp;Ms are being worked on across all CMS systems, risk evaluation, and prioritization continue through \u003cstrong\u003eongoing assessments and \u003c/strong\u003e\u003ca href=\"/learn/system-audits\"\u003e\u003cstrong\u003eaudits\u003c/strong\u003e\u003c/a\u003e. When a new, critical weakness is discovered, resources may need to be shifted to remediate it appropriately. Weaknesses that were once deemed a high priority may not continue to receive the same level of consideration as risks and threats evolve.\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms are an essential part of CMS ongoing efforts to maintain a resilient cyber infrastructure and to protect the sensitive information of our beneficiaries. 
Each new safeguard or countermeasure implemented helps to reduce risk and improve our security and privacy posture.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"fe:T2408,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the POA\u0026amp;M process?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePOA\u0026amp;Ms are created and tracked in the \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Controls Tracking System (CFACTS)\u003c/a\u003e. The process is briefly summarized below. You can find detailed information about POA\u0026amp;Ms in the CMS Plan of Action and Milestones (POA\u0026amp;M) Handbook.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eReceive audit reports\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThroughout the year, ongoing assessments and audits are conducted on systems to help improve overall security stature at CMS. Sometimes these activities result in “findings” — threats and vulnerabilities that exist in our programs or security systems which require attention.\u003c/p\u003e\u003cp\u003eAfter an assessment or audit, youll receive a report that shows potential areas of concern. Risks are always present and always changing, and audit findings help us uncover them. There are various methods and time frames for resolving these findings, but all findings must follow a distinct remediation process. We look carefully at the finding source (how and where the weakness was identified) to determine what template to use to report the finding to you.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFind opportunities to improve security\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf a potential threat or vulnerability is found in your system, start by discussing it with your integrated project team to make sure you fully understand its implications. Whoever conducted the audit or assessment will document the finding using the CMS Assessment and Audit Template (CAAT). 
It will explain where the system is performing as expected and where it could be strengthened.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAuditors and assessors use the term \"weakness\" in their reports to describe threats and vulnerabilities. Sometimes the risk can be fixed right away, and sometimes a POA\u0026amp;M is needed. Occasionally, some of these threats and vulnerabilities may be addressed to some degree through an existing, compensating control, and your team may decide that the risk is acceptable.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAnalyze risks and options\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf your program or system is at risk, you will need to consider the Risk Level and Severity Level. A Risk Level is calculated based on the likelihood of the risk being exploited, and the potential resulting impact on the system and users. The Severity Level considers the significance that the weakness(s) poses to your system and the agencys overall security and privacy posture.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAnalyzing threats and vulnerabilities requires an impact assessment, and consultation with your integrated project team and vendor supports. Several methodologies may be used during this phase, including a \u003cstrong\u003eRoot Cause Analysis\u003c/strong\u003e which helps you uncover the actual cause(s) and not just a symptom of the finding.\u0026nbsp;\u003c/p\u003e\u003cp\u003eUsing the results of these analyses, you and your team will consider options for how to address the findings and associated risks. 
Ultimately there are two choices:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDeem the risk “acceptable” and develop a \u003cstrong\u003eRisk-Based Decision (RBD)\u003c/strong\u003e to explain your justification for accepting the risk\u003c/li\u003e\u003cli\u003eDeem the risk “unacceptable” and move on to develop a mitigation strategy\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eDevelop a corrective action plan\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Corrective Action Plan forms the foundation of the POA\u0026amp;M. It describes the identified weaknesses, any associated milestones, and necessary resources required. Developing this plan should be a collaborative process, with input from your integrated project team and other stakeholders.\u003c/p\u003e\u003cp\u003eThe milestones in your plan must provide specific descriptions of the steps your team will take to mitigate the finding. Each finding must have at least one corresponding milestone with an estimated completion date and resource requirements to remediate the finding.\u003c/p\u003e\u003cp\u003eOnce the plan is formally documented, it is entered into CFACTS as a series of milestone records. The status of the POA\u0026amp;M will automatically be moved from “draft” to “ongoing” 30 days after the creation date.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePut the plan into action\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOnce your POA\u0026amp;M is approved, possibly with additional recommendations from ISPG support staff, you will take steps to put the plan into action. You need to determine the specific funding and personnel resources needed to mitigate each finding on the POA\u0026amp;M. 
In most cases, the existing resources allocated to a program or system will be sufficient, but occasionally you may need to request additional funding or personnel.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eNext, you will work with your vendor(s) to create and test the appropriate safeguard(s) and countermeasures that mitigate the risks. This can take a few weeks or several months depending on the complexity of the change. In some cases, a third party software vendor may need to issue a patch or fix.\u003c/p\u003e\u003cp\u003eThe steps and timeline to complete your POA\u0026amp;M may need to be adjusted along the way. A POA\u0026amp;M is a living document that should be continually updated as circumstances evolve.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eReport on progress\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePOA\u0026amp;Ms should be reviewed and updated in CFACTS on a continuing basis to show that they are on track for completion. CMS requires that all information in the POA\u0026amp;M should at minimum be updated monthly and be accurate on the first day of each month for tracking and reporting purposes.\u003cbr\u003e\u003cbr\u003eRegular POA\u0026amp;M reporting helps to ensure that:\u003c/p\u003e\u003cul\u003e\u003cli\u003eVulnerabilities or \"weaknesses\" are properly identified and prioritized\u003c/li\u003e\u003cli\u003eAdequate resources have been allocated and assigned\u003c/li\u003e\u003cli\u003eTimeline to mitigate vulnerabilities is achievable\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eA vulnerability must have a milestone entered with it that identifies specific actions of mitigation and a completion date to denote progress. 
Identifying the status of a corrective action demonstrates that the POA\u0026amp;M is a part of an ongoing monitoring process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConfirm POA\u0026amp;M completion\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWhen your new safeguard(s) are tested and approved for release, you are almost across the finish line! Youll need to confirm the successful resolution of vulnerabilities and provide artifacts related to the POA\u0026amp;M completion. Examples of such artifacts may include control text results, a policy or procedure document, a screenshot of a patch applied, or other new system documentation.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCyber Risk Advisors at ISPG will review certain POA\u0026amp;M findings. Based on a risk determination and the evidence provided, they will decide if the finding has been adequately addressed and corrected. The initial findings that prompted the creation of a POA\u0026amp;M should not be marked “completed” until they are proven to be fully resolved. When completion is confirmed, the ISSO will mark the POA\u0026amp;M closed in CFACTS.\u003c/p\u003e\u003cp\u003eCompleted POA\u0026amp;Ms must remain on the monthly POA\u0026amp;M report for one year after their completion date. The artifacts are stored in CFACTS and retained for at least one year with the completed POA\u0026amp;M.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePOA\u0026amp;Ms and continuous monitoring\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBesides requiring corrective actions to mitigate weaknesses, CMS continuously monitors risk across all systems so that resources can be allocated effectively. Its important to understand how this continuous monitoring affects the POA\u0026amp;M process.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePOA\u0026amp;M reporting\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS submits POA\u0026amp;M reports to HHS at least once a month to show the status of mitigation activities. 
The information within a POA\u0026amp;M must be \u003cstrong\u003emaintained continuously\u003c/strong\u003e so that CMS reports are reflective of the current state. The reports to HHS also include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCompleted POA\u0026amp;Ms, for a year after their completion\u003c/li\u003e\u003cli\u003eDelayed POA\u0026amp;Ms, along with an explanation for their delay and a revised estimated completion date\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eRisk Based Decisions (RBD)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSometimes a Business Owner and their project team may decide to accept potential risk(s) identified by assessment findings. They must create a Risk Based Decision (RBD) to explain the reasoning and the accepted risk. As part of \u003cstrong\u003econtinuous monitoring\u003c/strong\u003e across CMS, all RBDs are reviewed annually to ensure the risk remains acceptable. Risk Based Decisions may be updated as events occur and information changes. RBDs are managed in CFACTS under the \"RBD\" tab.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eRisk evaluation and prioritization\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs POA\u0026amp;Ms are being worked on across all CMS systems, risk evaluation, and prioritization continue through \u003cstrong\u003eongoing assessments and \u003c/strong\u003e\u003ca href=\"/learn/system-audits\"\u003e\u003cstrong\u003eaudits\u003c/strong\u003e\u003c/a\u003e. When a new, critical weakness is discovered, resources may need to be shifted to remediate it appropriately. Weaknesses that were once deemed a high priority may not continue to receive the same level of consideration as risks and threats evolve.\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms are an essential part of CMS ongoing efforts to maintain a resilient cyber infrastructure and to protect the sensitive information of our beneficiaries. 
Each new safeguard or countermeasure implemented helps to reduce risk and improve our security and privacy posture.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"fc:{\"value\":\"$fd\",\"format\":\"body_text\",\"processed\":\"$fe\"}\nfa:{\"drupal_internal__id\":3385,\"drupal_internal__revision_id\":19038,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-28T18:11:29+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$fb\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$fc\"}\n102:{\"drupal_internal__target_id\":\"page_section\"}\n101:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$102\"}\n104:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ee1fabb0-058d-4b71-a7db-8a9ce8319795/paragraph_type?resourceVersion=id%3A19038\"}\n105:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ee1fabb0-058d-4b71-a7db-8a9ce8319795/relationships/paragraph_type?resourceVersion=id%3A19038\"}\n103:{\"related\":\"$104\",\"self\":\"$105\"}\n100:{\"data\":\"$101\",\"links\":\"$103\"}\n108:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ee1fabb0-058d-4b71-a7db-8a9ce8319795/field_specialty_item?resourceVersion=id%3A19038\"}\n109:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ee1fabb0-058d-4b71-a7db-8a9ce8319795/relationships/field_specialty_item?resourceVersion=id%3A19038\"}\n107:{\"related\":\"$108\",\"self\":\"$109\"}\n106:{\"data\":null,\"links\":\"$107\"}\nff:{\"paragraph_type\":\"$100\",\"field_specialty_item\":\"$106\"}\nf7:{\"type\":\"paragraph--page_section\",\"id\":\"ee1fabb0-058d-4b71-a7db-8a9ce8319795\",\"links\":\"$f8\",\"attributes\":\"$fa\",\"relationships\":\"$ff\"}\n10c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/435f83c6-c36a-46c4-bea6-029c80c14ff1?resourceVersion=id%3A19036\"}\n10b:{\"s
elf\":\"$10c\"}\n10e:[]\n110:[]\n10f:{\"uri\":\"entity:node/401\",\"title\":\"\",\"options\":\"$110\",\"url\":\"/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"}\n111:{\"value\":\"The POA\u0026M Handbook provides an in-depth look at the POA\u0026M process from start to finish.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThe POA\u0026amp;M Handbook provides an in-depth look at the POA\u0026amp;M process from start"])</script><script>self.__next_f.push([1," to finish.\u003c/p\u003e\\n\"}\n10d:{\"drupal_internal__id\":3384,\"drupal_internal__revision_id\":19036,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-28T18:10:19+00:00\",\"parent_id\":\"506\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$10e\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":\"$10f\",\"field_call_out_link_text\":\"Read the Handbook\",\"field_call_out_text\":\"$111\",\"field_header\":\"Learn more about 
POA\u0026Ms\"}\n115:{\"drupal_internal__target_id\":\"call_out_box\"}\n114:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$115\"}\n117:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/435f83c6-c36a-46c4-bea6-029c80c14ff1/paragraph_type?resourceVersion=id%3A19036\"}\n118:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/435f83c6-c36a-46c4-bea6-029c80c14ff1/relationships/paragraph_type?resourceVersion=id%3A19036\"}\n116:{\"related\":\"$117\",\"self\":\"$118\"}\n113:{\"data\":\"$114\",\"links\":\"$116\"}\n112:{\"paragraph_type\":\"$113\"}\n10a:{\"type\":\"paragraph--call_out_box\",\"id\":\"435f83c6-c36a-46c4-bea6-029c80c14ff1\",\"links\":\"$10b\",\"attributes\":\"$10d\",\"relationships\":\"$112\"}\n11b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/df30d570-d5dc-431f-bec8-3054b29243cb?resourceVersion=id%3A19039\"}\n11a:{\"self\":\"$11b\"}\n11d:[]\n11c:{\"drupal_internal__id\":2041,\"drupal_internal__revision_id\":19039,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:14:46+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$11d\",\"default_langcode\":true,\"revision_translation_affected\":true}\n121:{\"drupal_internal__target_id\":\"internal_link\"}\n120:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$121\"}\n123:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/df30d570-d5dc-431f-bec8-3054b29243cb/paragraph_type?resourceVersion=id%3A19039\"}\n124:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_lin"])</script><script>self.__next_f.push([1,"k/df30d570-d5dc-431f-bec8-3054b29243cb/relationships/paragraph_type?resourceVersion=id%3A19039\"}\n122:{\"related\":\"$123\",\"self\":\"$124\"}\n11f:{\"data\":\"$120\",\"links\":\"$122\"}\n127:{\"drupal_internal__target_id\":201
}\n126:{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"meta\":\"$127\"}\n129:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/df30d570-d5dc-431f-bec8-3054b29243cb/field_link?resourceVersion=id%3A19039\"}\n12a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/df30d570-d5dc-431f-bec8-3054b29243cb/relationships/field_link?resourceVersion=id%3A19039\"}\n128:{\"related\":\"$129\",\"self\":\"$12a\"}\n125:{\"data\":\"$126\",\"links\":\"$128\"}\n11e:{\"paragraph_type\":\"$11f\",\"field_link\":\"$125\"}\n119:{\"type\":\"paragraph--internal_link\",\"id\":\"df30d570-d5dc-431f-bec8-3054b29243cb\",\"links\":\"$11a\",\"attributes\":\"$11c\",\"relationships\":\"$11e\"}\n12d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4bccf275-df68-449d-8a48-3ba2274c322a?resourceVersion=id%3A19040\"}\n12c:{\"self\":\"$12d\"}\n12f:[]\n12e:{\"drupal_internal__id\":2046,\"drupal_internal__revision_id\":19040,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:15:08+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$12f\",\"default_langcode\":true,\"revision_translation_affected\":true}\n133:{\"drupal_internal__target_id\":\"internal_link\"}\n132:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$133\"}\n135:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4bccf275-df68-449d-8a48-3ba2274c322a/paragraph_type?resourceVersion=id%3A19040\"}\n136:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4bccf275-df68-449d-8a48-3ba2274c322a/relationships/paragraph_type?resourceVersion=id%3A19040\"}\n134:{\"related\":\"$135\",\"self\":\"$136\"}\n131:{\"data\":\"$132\",\"links\":\"$134\"}\n139:{\"drupal_internal__target_id\":391}\n138:{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"meta\":\"$139\"}\n13b:
{\"href\":\"https://cyber"])</script><script>self.__next_f.push([1,"geek.cms.gov/jsonapi/paragraph/internal_link/4bccf275-df68-449d-8a48-3ba2274c322a/field_link?resourceVersion=id%3A19040\"}\n13c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4bccf275-df68-449d-8a48-3ba2274c322a/relationships/field_link?resourceVersion=id%3A19040\"}\n13a:{\"related\":\"$13b\",\"self\":\"$13c\"}\n137:{\"data\":\"$138\",\"links\":\"$13a\"}\n130:{\"paragraph_type\":\"$131\",\"field_link\":\"$137\"}\n12b:{\"type\":\"paragraph--internal_link\",\"id\":\"4bccf275-df68-449d-8a48-3ba2274c322a\",\"links\":\"$12c\",\"attributes\":\"$12e\",\"relationships\":\"$130\"}\n13f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/443bfeb0-96a1-4b88-bd6d-d93d1d744e64?resourceVersion=id%3A19041\"}\n13e:{\"self\":\"$13f\"}\n141:[]\n140:{\"drupal_internal__id\":2051,\"drupal_internal__revision_id\":19041,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:15:17+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$141\",\"default_langcode\":true,\"revision_translation_affected\":true}\n145:{\"drupal_internal__target_id\":\"internal_link\"}\n144:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$145\"}\n147:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/443bfeb0-96a1-4b88-bd6d-d93d1d744e64/paragraph_type?resourceVersion=id%3A19041\"}\n148:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/443bfeb0-96a1-4b88-bd6d-d93d1d744e64/relationships/paragraph_type?resourceVersion=id%3A19041\"}\n146:{\"related\":\"$147\",\"self\":\"$148\"}\n143:{\"data\":\"$144\",\"links\":\"$146\"}\n14b:{\"drupal_internal__target_id\":401}\n14a:{\"type\":\"node--library\",\"id\":\"cba2b00b-3f53-42bd-8a60-f175e1d47a0a\",\"meta\":\"$14b\"}\n14d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_lin
k/443bfeb0-96a1-4b88-bd6d-d93d1d744e64/field_link?resourceVersion=id%3A19041\"}\n14e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/443bfeb0-96a1-4b88-bd6d-d93d1d744e64/relationships/field_link?resourceVersion=id%3A19041\"}\n14c:{\"related\":\"$14d\",\"self\":\"$14e\"}\n149:"])</script><script>self.__next_f.push([1,"{\"data\":\"$14a\",\"links\":\"$14c\"}\n142:{\"paragraph_type\":\"$143\",\"field_link\":\"$149\"}\n13d:{\"type\":\"paragraph--internal_link\",\"id\":\"443bfeb0-96a1-4b88-bd6d-d93d1d744e64\",\"links\":\"$13e\",\"attributes\":\"$140\",\"relationships\":\"$142\"}\n151:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71549f27-6a6b-4a16-9304-6208d994604a?resourceVersion=id%3A19042\"}\n150:{\"self\":\"$151\"}\n153:[]\n152:{\"drupal_internal__id\":2056,\"drupal_internal__revision_id\":19042,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:16:34+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$153\",\"default_langcode\":true,\"revision_translation_affected\":true}\n157:{\"drupal_internal__target_id\":\"internal_link\"}\n156:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$157\"}\n159:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71549f27-6a6b-4a16-9304-6208d994604a/paragraph_type?resourceVersion=id%3A19042\"}\n15a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71549f27-6a6b-4a16-9304-6208d994604a/relationships/paragraph_type?resourceVersion=id%3A19042\"}\n158:{\"related\":\"$159\",\"self\":\"$15a\"}\n155:{\"data\":\"$156\",\"links\":\"$158\"}\n15d:{\"drupal_internal__target_id\":561}\n15c:{\"type\":\"node--explainer\",\"id\":\"44c21f2c-38ee-44b9-87b6-1e981b2d3d5e\",\"meta\":\"$15d\"}\n15f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71549f27-6a6b-4a16-9304-6208d994604a/field_link?resourceVersion=
id%3A19042\"}\n160:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71549f27-6a6b-4a16-9304-6208d994604a/relationships/field_link?resourceVersion=id%3A19042\"}\n15e:{\"related\":\"$15f\",\"self\":\"$160\"}\n15b:{\"data\":\"$15c\",\"links\":\"$15e\"}\n154:{\"paragraph_type\":\"$155\",\"field_link\":\"$15b\"}\n14f:{\"type\":\"paragraph--internal_link\",\"id\":\"71549f27-6a6b-4a16-9304-6208d994604a\",\"links\":\"$150\",\"attributes\":\"$152\",\"relationships\":\"$154\"}\n163:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ab8baea5-3667-47bd-b2c5-a8b59"])</script><script>self.__next_f.push([1,"a3847ac?resourceVersion=id%3A19043\"}\n162:{\"self\":\"$163\"}\n165:[]\n164:{\"drupal_internal__id\":2061,\"drupal_internal__revision_id\":19043,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:16:59+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$165\",\"default_langcode\":true,\"revision_translation_affected\":true}\n169:{\"drupal_internal__target_id\":\"internal_link\"}\n168:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$169\"}\n16b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ab8baea5-3667-47bd-b2c5-a8b59a3847ac/paragraph_type?resourceVersion=id%3A19043\"}\n16c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ab8baea5-3667-47bd-b2c5-a8b59a3847ac/relationships/paragraph_type?resourceVersion=id%3A19043\"}\n16a:{\"related\":\"$16b\",\"self\":\"$16c\"}\n167:{\"data\":\"$168\",\"links\":\"$16a\"}\n16f:{\"drupal_internal__target_id\":531}\n16e:{\"type\":\"node--explainer\",\"id\":\"27d871c0-b8f6-465e-b90f-c360ddcef8bb\",\"meta\":\"$16f\"}\n171:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ab8baea5-3667-47bd-b2c5-a8b59a3847ac/field_link?resourceVersion=id%3A19043\"}\n172:{\"href\":\"https://cybergeek.cms.gov/jsonapi/p
aragraph/internal_link/ab8baea5-3667-47bd-b2c5-a8b59a3847ac/relationships/field_link?resourceVersion=id%3A19043\"}\n170:{\"related\":\"$171\",\"self\":\"$172\"}\n16d:{\"data\":\"$16e\",\"links\":\"$170\"}\n166:{\"paragraph_type\":\"$167\",\"field_link\":\"$16d\"}\n161:{\"type\":\"paragraph--internal_link\",\"id\":\"ab8baea5-3667-47bd-b2c5-a8b59a3847ac\",\"links\":\"$162\",\"attributes\":\"$164\",\"relationships\":\"$166\"}\n175:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6b40f485-c76e-44f6-8489-9bbf991c1f6c?resourceVersion=id%3A19044\"}\n174:{\"self\":\"$175\"}\n177:[]\n176:{\"drupal_internal__id\":2551,\"drupal_internal__revision_id\":19044,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-14T13:35:17+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$177\",\"default_"])</script><script>self.__next_f.push([1,"langcode\":true,\"revision_translation_affected\":true}\n17b:{\"drupal_internal__target_id\":\"internal_link\"}\n17a:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$17b\"}\n17d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6b40f485-c76e-44f6-8489-9bbf991c1f6c/paragraph_type?resourceVersion=id%3A19044\"}\n17e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6b40f485-c76e-44f6-8489-9bbf991c1f6c/relationships/paragraph_type?resourceVersion=id%3A19044\"}\n17c:{\"related\":\"$17d\",\"self\":\"$17e\"}\n179:{\"data\":\"$17a\",\"links\":\"$17c\"}\n181:{\"drupal_internal__target_id\":676}\n180:{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"meta\":\"$181\"}\n183:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6b40f485-c76e-44f6-8489-9bbf991c1f6c/field_link?resourceVersion=id%3A19044\"}\n184:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6b40f485-c76e-44f6-8489-9bbf991c1f6c/relati
onships/field_link?resourceVersion=id%3A19044\"}\n182:{\"related\":\"$183\",\"self\":\"$184\"}\n17f:{\"data\":\"$180\",\"links\":\"$182\"}\n178:{\"paragraph_type\":\"$179\",\"field_link\":\"$17f\"}\n173:{\"type\":\"paragraph--internal_link\",\"id\":\"6b40f485-c76e-44f6-8489-9bbf991c1f6c\",\"links\":\"$174\",\"attributes\":\"$176\",\"relationships\":\"$178\"}\n187:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320?resourceVersion=id%3A5941\"}\n186:{\"self\":\"$187\"}\n189:{\"alias\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"pid\":191,\"langcode\":\"en\"}\n18a:{\"value\":\"A streamlined risk-based control(s) testing methodology designed to relieve operational burden.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA streamlined risk-based control(s) testing methodology designed to relieve operational burden.\u003c/p\u003e\\n\"}\n18b:[]\n188:{\"drupal_internal__nid\":201,\"drupal_internal__vid\":5941,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-17T14:04:35+00:00\",\"status\":true,\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"created\":\"2022-08-25T18:58:52+00:00\",\"changed\""])</script><script>self.__next_f.push([1,":\"2024-10-07T20:27:11+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$189\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CSRAP@cms.hhs.gov\",\"field_contact_name\":\"CSRAP 
Team\",\"field_short_description\":\"$18a\",\"field_slack_channel\":\"$18b\"}\n18f:{\"drupal_internal__target_id\":\"explainer\"}\n18e:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$18f\"}\n191:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/node_type?resourceVersion=id%3A5941\"}\n192:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/node_type?resourceVersion=id%3A5941\"}\n190:{\"related\":\"$191\",\"self\":\"$192\"}\n18d:{\"data\":\"$18e\",\"links\":\"$190\"}\n195:{\"drupal_internal__target_id\":95}\n194:{\"type\":\"user--user\",\"id\":\"39240c69-3096-49cd-a07c-3843b6c48c5f\",\"meta\":\"$195\"}\n197:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/revision_uid?resourceVersion=id%3A5941\"}\n198:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/revision_uid?resourceVersion=id%3A5941\"}\n196:{\"related\":\"$197\",\"self\":\"$198\"}\n193:{\"data\":\"$194\",\"links\":\"$196\"}\n19b:{\"drupal_internal__target_id\":26}\n19a:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$19b\"}\n19d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/uid?resourceVersion=id%3A5941\"}\n19e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/uid?resourceVersion=id%3A5941\"}\n19c:{\"related\":\"$19d\",\"self\":\"$19e\"}\n199:{\"data\":\"$19a\",\"links\":\"$19c\"}\n1a2:{\"target_revision_id\":19433,\"drupal_internal__target_id\":3501}\n1a1:{\"type\":\"paragraph--page_section\",\"id\":\"f36fb6d1-0795-400f-8a15-"])</script><script>self.__next_f.push([1,"36d1979118b0\",\"meta\":\"$1a2\"}\n1a4:{\"target_revision_id\":19434,\"drupal_internal__target_id\":611}\n1a3:{\"type\":\"paragraph--page_
section\",\"id\":\"eb5b28d8-8825-43c5-a889-513068f48fd8\",\"meta\":\"$1a4\"}\n1a6:{\"target_revision_id\":19435,\"drupal_internal__target_id\":651}\n1a5:{\"type\":\"paragraph--page_section\",\"id\":\"269aaf52-85f1-411f-a67e-e9d9ad620d8a\",\"meta\":\"$1a6\"}\n1a8:{\"target_revision_id\":19442,\"drupal_internal__target_id\":3502}\n1a7:{\"type\":\"paragraph--page_section\",\"id\":\"3a3615ff-9d53-40d6-8291-fd4516dbc893\",\"meta\":\"$1a8\"}\n1aa:{\"target_revision_id\":19443,\"drupal_internal__target_id\":3503}\n1a9:{\"type\":\"paragraph--page_section\",\"id\":\"cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa\",\"meta\":\"$1aa\"}\n1ac:{\"target_revision_id\":19444,\"drupal_internal__target_id\":3504}\n1ab:{\"type\":\"paragraph--page_section\",\"id\":\"a46d03b7-7478-40f1-a7da-3171ffcfaa2d\",\"meta\":\"$1ac\"}\n1a0:[\"$1a1\",\"$1a3\",\"$1a5\",\"$1a7\",\"$1a9\",\"$1ab\"]\n1ae:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_page_section?resourceVersion=id%3A5941\"}\n1af:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_page_section?resourceVersion=id%3A5941\"}\n1ad:{\"related\":\"$1ae\",\"self\":\"$1af\"}\n19f:{\"data\":\"$1a0\",\"links\":\"$1ad\"}\n1b3:{\"target_revision_id\":19445,\"drupal_internal__target_id\":656}\n1b2:{\"type\":\"paragraph--internal_link\",\"id\":\"28dbad4c-79e6-4f83-bc5e-965ba6aa4926\",\"meta\":\"$1b3\"}\n1b5:{\"target_revision_id\":19446,\"drupal_internal__target_id\":661}\n1b4:{\"type\":\"paragraph--internal_link\",\"id\":\"9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2\",\"meta\":\"$1b5\"}\n1b7:{\"target_revision_id\":19447,\"drupal_internal__target_id\":671}\n1b6:{\"type\":\"paragraph--internal_link\",\"id\":\"77c203ce-2da8-4200-986c-1093acc2ff5a\",\"meta\":\"$1b7\"}\n1b9:{\"target_revision_id\":19448,\"drupal_internal__target_id\":676}\n1b8:{\"type\":\"paragraph--internal_link\",\"id\":\"50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a\",\"meta\":\"$1b9\"}\n
1bb:{\"target_revision_id\":19449,\"drupal_internal__target_id\":681}\n1ba:{\"type\":\"paragraph--internal_link\",\"id\":\"c4a332dc"])</script><script>self.__next_f.push([1,"-02ea-48f6-9c08-c12ca06e62b5\",\"meta\":\"$1bb\"}\n1bd:{\"target_revision_id\":19450,\"drupal_internal__target_id\":3505}\n1bc:{\"type\":\"paragraph--internal_link\",\"id\":\"5cc61db4-e2f7-43ad-b914-3661d73886e9\",\"meta\":\"$1bd\"}\n1b1:[\"$1b2\",\"$1b4\",\"$1b6\",\"$1b8\",\"$1ba\",\"$1bc\"]\n1bf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_related_collection?resourceVersion=id%3A5941\"}\n1c0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_related_collection?resourceVersion=id%3A5941\"}\n1be:{\"related\":\"$1bf\",\"self\":\"$1c0\"}\n1b0:{\"data\":\"$1b1\",\"links\":\"$1be\"}\n1c3:{\"drupal_internal__target_id\":121}\n1c2:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$1c3\"}\n1c5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_resource_type?resourceVersion=id%3A5941\"}\n1c6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_resource_type?resourceVersion=id%3A5941\"}\n1c4:{\"related\":\"$1c5\",\"self\":\"$1c6\"}\n1c1:{\"data\":\"$1c2\",\"links\":\"$1c4\"}\n1ca:{\"drupal_internal__target_id\":66}\n1c9:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$1ca\"}\n1cc:{\"drupal_internal__target_id\":61}\n1cb:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$1cc\"}\n1ce:{\"drupal_internal__target_id\":76}\n1cd:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$1ce\"}\n1c8:[\"$1c9\",\"$1cb\",\"$1cd\"]\n1d0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e9
43d-f87d-4688-81e7-65a4013fa320/field_roles?resourceVersion=id%3A5941\"}\n1d1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_roles?resourceVersion=id%3A5941\"}\n1cf:{\"related\":\"$1d0\",\"self\":\"$1d1\"}\n1c7:{\"data\":\"$1c8\",\"links\":\"$1cf\"}\n1d5:{\"drupal_internal__target_id\":6}\n1d4:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7"])</script><script>self.__next_f.push([1,"-4ebd-93a3-4c39d5f24674\",\"meta\":\"$1d5\"}\n1d7:{\"drupal_internal__target_id\":36}\n1d6:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$1d7\"}\n1d3:[\"$1d4\",\"$1d6\"]\n1d9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_topics?resourceVersion=id%3A5941\"}\n1da:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_topics?resourceVersion=id%3A5941\"}\n1d8:{\"related\":\"$1d9\",\"self\":\"$1da\"}\n1d2:{\"data\":\"$1d3\",\"links\":\"$1d8\"}\n18c:{\"node_type\":\"$18d\",\"revision_uid\":\"$193\",\"uid\":\"$199\",\"field_page_section\":\"$19f\",\"field_related_collection\":\"$1b0\",\"field_resource_type\":\"$1c1\",\"field_roles\":\"$1c7\",\"field_topics\":\"$1d2\"}\n185:{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"links\":\"$186\",\"attributes\":\"$188\",\"relationships\":\"$18c\"}\n1dd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748?resourceVersion=id%3A5886\"}\n1dc:{\"self\":\"$1dd\"}\n1df:{\"alias\":\"/learn/penetration-testing-pentesting\",\"pid\":381,\"langcode\":\"en\"}\n1e0:{\"value\":\"Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting that mimics real-world attacks on a system to assess its security posture and identify gaps 
in protection\u003c/p\u003e\\n\"}\n1e1:[\"#ccic_sec_eng_and_soc\"]\n1de:{\"drupal_internal__nid\":391,\"drupal_internal__vid\":5886,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-30T19:33:09+00:00\",\"status\":true,\"title\":\"Penetration Testing (PenTesting)\",\"created\":\"2022-08-29T16:54:55+00:00\",\"changed\":\"2024-08-30T19:33:09+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1df\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cmspentestmanagement@cms.hhs.gov\",\"field_contact_"])</script><script>self.__next_f.push([1,"name\":\"Penetration Testing Team\",\"field_short_description\":\"$1e0\",\"field_slack_channel\":\"$1e1\"}\n1e5:{\"drupal_internal__target_id\":\"explainer\"}\n1e4:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$1e5\"}\n1e7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/node_type?resourceVersion=id%3A5886\"}\n1e8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/node_type?resourceVersion=id%3A5886\"}\n1e6:{\"related\":\"$1e7\",\"self\":\"$1e8\"}\n1e3:{\"data\":\"$1e4\",\"links\":\"$1e6\"}\n1eb:{\"drupal_internal__target_id\":122}\n1ea:{\"type\":\"user--user\",\"id\":\"94466ab9-93ba-4374-964a-cac08e0505c1\",\"meta\":\"$1eb\"}\n1ed:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/revision_uid?resourceVersion=id%3A5886\"}\n1ee:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/revision_uid?resourceVersion=id%3A5886\"}\n1ec:{\"related\":\"$1ed\",\"self\":\"$1ee\"}\n1e9:{\"data\":\"$1ea\",\"links\":\"$1ec\"}\n1f1:{\"drupal_internal__
target_id\":26}\n1f0:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$1f1\"}\n1f3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/uid?resourceVersion=id%3A5886\"}\n1f4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/uid?resourceVersion=id%3A5886\"}\n1f2:{\"related\":\"$1f3\",\"self\":\"$1f4\"}\n1ef:{\"data\":\"$1f0\",\"links\":\"$1f2\"}\n1f8:{\"target_revision_id\":19217,\"drupal_internal__target_id\":501}\n1f7:{\"type\":\"paragraph--page_section\",\"id\":\"9ce3ee98-23ca-4e7f-aba7-eb85e992ee97\",\"meta\":\"$1f8\"}\n1fa:{\"target_revision_id\":19218,\"drupal_internal__target_id\":2546}\n1f9:{\"type\":\"paragraph--page_section\",\"id\":\"7b5e13a5-a70b-4570-8feb-183ff1d4fae9\",\"meta\":\"$1fa\"}\n1f6:[\"$1f7\",\"$1f9\"]\n1fc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_page_section?resourceVersion=id%3A5886\"}"])</script><script>self.__next_f.push([1,"\n1fd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_page_section?resourceVersion=id%3A5886\"}\n1fb:{\"related\":\"$1fc\",\"self\":\"$1fd\"}\n1f5:{\"data\":\"$1f6\",\"links\":\"$1fb\"}\n201:{\"target_revision_id\":19219,\"drupal_internal__target_id\":2021}\n200:{\"type\":\"paragraph--internal_link\",\"id\":\"a7c47ed1-07a0-4487-8538-27c56a8e48d2\",\"meta\":\"$201\"}\n203:{\"target_revision_id\":19220,\"drupal_internal__target_id\":2026}\n202:{\"type\":\"paragraph--internal_link\",\"id\":\"44807064-0310-448f-8f66-09ee2ff9b17d\",\"meta\":\"$203\"}\n205:{\"target_revision_id\":19221,\"drupal_internal__target_id\":2031}\n204:{\"type\":\"paragraph--internal_link\",\"id\":\"825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb\",\"meta\":\"$205\"}\n207:{\"target_revision_id\":19222,\"drupal_internal__target_id\":2036}\n206:{\"type\":\"paragraph--internal_link\",\"id\":\"
8d631ecf-4c48-46d2-b8f2-5db69fd03245\",\"meta\":\"$207\"}\n209:{\"target_revision_id\":19223,\"drupal_internal__target_id\":3388}\n208:{\"type\":\"paragraph--internal_link\",\"id\":\"2121533f-ed8e-4292-81c3-c9c5f3b88c42\",\"meta\":\"$209\"}\n20b:{\"target_revision_id\":19224,\"drupal_internal__target_id\":3389}\n20a:{\"type\":\"paragraph--internal_link\",\"id\":\"e3a2533a-0128-4439-8ca5-a56210aa267e\",\"meta\":\"$20b\"}\n1ff:[\"$200\",\"$202\",\"$204\",\"$206\",\"$208\",\"$20a\"]\n20d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_related_collection?resourceVersion=id%3A5886\"}\n20e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_related_collection?resourceVersion=id%3A5886\"}\n20c:{\"related\":\"$20d\",\"self\":\"$20e\"}\n1fe:{\"data\":\"$1ff\",\"links\":\"$20c\"}\n211:{\"drupal_internal__target_id\":121}\n210:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$211\"}\n213:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_resource_type?resourceVersion=id%3A5886\"}\n214:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/"])</script><script>self.__next_f.push([1,"relationships/field_resource_type?resourceVersion=id%3A5886\"}\n212:{\"related\":\"$213\",\"self\":\"$214\"}\n20f:{\"data\":\"$210\",\"links\":\"$212\"}\n218:{\"drupal_internal__target_id\":66}\n217:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$218\"}\n21a:{\"drupal_internal__target_id\":61}\n219:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$21a\"}\n21c:{\"drupal_internal__target_id\":76}\n21b:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$21c\"}\n21e:{\"drupal_internal__target_id\":71}\n21d
:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$21e\"}\n216:[\"$217\",\"$219\",\"$21b\",\"$21d\"]\n220:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_roles?resourceVersion=id%3A5886\"}\n221:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_roles?resourceVersion=id%3A5886\"}\n21f:{\"related\":\"$220\",\"self\":\"$221\"}\n215:{\"data\":\"$216\",\"links\":\"$21f\"}\n225:{\"drupal_internal__target_id\":6}\n224:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":\"$225\"}\n227:{\"drupal_internal__target_id\":46}\n226:{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":\"$227\"}\n223:[\"$224\",\"$226\"]\n229:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_topics?resourceVersion=id%3A5886\"}\n22a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_topics?resourceVersion=id%3A5886\"}\n228:{\"related\":\"$229\",\"self\":\"$22a\"}\n222:{\"data\":\"$223\",\"links\":\"$228\"}\n1e2:{\"node_type\":\"$1e3\",\"revision_uid\":\"$1e9\",\"uid\":\"$1ef\",\"field_page_section\":\"$1f5\",\"field_related_collection\":\"$1fe\",\"field_resource_type\":\"$20f\",\"field_roles\":\"$215\",\"field_topics\":\"$222\"}\n1db:{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"links\":\"$1dc\",\"attributes\":\"$1de\",\"relationships\":\"$1e2\"}\n22d:{\"href"])</script><script>self.__next_f.push([1,"\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a?resourceVersion=id%3A5866\"}\n22c:{\"self\":\"$22d\"}\n22f:{\"alias\":\"/policy-guidance/cms-plan-action-and-milestones-poam-handbook\",\"pid\":391,\"langcode\":\"en\"}\n231:T9cb3,"])</script><script>self.__next_f.push([1
,"\u003ch2\u003e\u003cstrong\u003eWhat is a POA\u0026amp;M?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA Plan of Action and Milestones (POA\u0026amp;M) is a corrective action plan that tracks system weaknesses and allows System Owners and ISSOs to create a plan to resolve the identified weaknesses over time. A POA\u0026amp;M provides details about the personnel, technology, and funding required to accomplish the elements of the plan, milestones for correcting the weaknesses, and scheduled completion dates for the milestones.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePOA\u0026amp;M process overview\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe POA\u0026amp;M process begins when a weakness is identified in a CMS FISMA system. Working together, the System/Business Owner and the Authorizing Official (AO) are responsible for mitigating the risk posed by the weakness, with support from the Information System Security Officer (ISSO) and Cyber Risk Advisor (CRA). The steps to the POA\u0026amp;M process are outlined below, and will be described in greater detail throughout the remainder of this guide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify weaknesses\u003c/li\u003e\u003cli\u003eDevelop a Corrective Action Plan (CAP)\u003c/li\u003e\u003cli\u003eDetermine resource and funding availability\u003c/li\u003e\u003cli\u003eAssign a completion date\u003c/li\u003e\u003cli\u003eExecute the Corrective Action Plan (CAP)\u003c/li\u003e\u003cli\u003eVerify weakness completion\u003c/li\u003e\u003cli\u003eAccept risk when applicable\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIdentifying weaknesses\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe term “weakness” represents any information security or privacy vulnerability that could be exploited as a result of a specific control deficiency. Weaknesses can compromise a system’s confidentiality, integrity, or availability. 
All weaknesses that represent risk to the security or privacy of a system must be corrected and the required mitigation efforts captured in a POA\u0026amp;M.\u0026nbsp;For the purpose of this document, the term “weakness” as defined in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST SP 800-53, rev. 5 \u003c/a\u003ewill be synonymous with the terms finding and vulnerability. These terms are defined below:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFinding\u003c/strong\u003e - During an assessment or audit, the security and privacy controls of a system are tested, or exercised. A system either satisfies the requirements of a control or does not satisfy it.\u0026nbsp; Findings are the result of the assessment or audit. Findings that do not satisfy a control must be addressed with a POA\u0026amp;M.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVulnerability\u003c/strong\u003e - A vulnerability is a weakness in a system, a system’s security procedures, its internal controls, or its implementation that could be exploited or triggered by a threat source.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFinding weaknesses\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWeaknesses may be found during an internal or external audit, review, or through Continuous Diagnostics and Mitigation (CDM) efforts. 
There are a number of specific sources that help system teams identify weaknesses:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eHHS OIG Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003eGovernment Accountability Office (GAO) Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003eChief Financial Officer (CFO) Reviews\u0026nbsp;\u003c/li\u003e\u003cli\u003eOMB A-123 Internal Control Reviews\u0026nbsp;\u003c/li\u003e\u003cli\u003eAnnual Assessments\u003c/li\u003e\u003cli\u003eFISMA Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e or Security Control Assessments (SCA)\u0026nbsp;\u003c/li\u003e\u003cli\u003eMedicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) Section 912 Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003eInternal Revenue Service (IRS) Safeguard Reviews\u0026nbsp;\u003c/li\u003e\u003cli\u003eDepartment of Homeland Security (DHS) Risk Vulnerability Assessments (RVA)\u0026nbsp;\u003c/li\u003e\u003cli\u003eDHS Cyber Hygiene\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/penetration-testing\"\u003ePenetration Testing\u0026nbsp;\u003c/a\u003e\u003c/li\u003e\u003cli\u003eVulnerability Scanning\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDuring these assessments, reviews, and audits, weaknesses can be found either proactively or reactively.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eProactive - \u003c/strong\u003eProactive weakness identification occurs during regular system reviews conducted by CMS.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eReactive - \u003c/strong\u003eReactive weakness determination indicates that the weakness was identified during an audit or external review, like a penetration test.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWeaknesses are always documented by the source that identified them, and it’s important to 
indicate the identification source as you create your POA\u0026amp;M.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWeakness severity levels\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThere are three severity levels for all weaknesses discovered during assessments, audits, and tests. The risk the weakness poses to the agency’s overall security and privacy posture determines a weakness’s severity level. The three levels of severity, as defined by OMB, are: significant deficiency, reportable condition, and weakness.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eWeakness severity levels\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSignificant deficiency\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eA weakness is considered a \u003cstrong\u003esignificant deficiency\u003c/strong\u003e if it drastically restricts the capability of the agency to carry out its mission or if it compromises the security or privacy of its information, information systems, personnel, or other resources, operations, or assets.\u0026nbsp;\u003c/p\u003e\u003cp\u003eSenior management must be notified and immediate or near immediate corrective action must be taken.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eReportable Condition\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eA \u003cstrong\u003ereportable condition\u003c/strong\u003e is a weakness that affects the efficiency and effectiveness of agency operations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eDue to its lower associated risk, corrective actions for a reportable condition may be scheduled over a longer period of time. 
The control auditor or assessor will make the determination that a weakness is a reportable condition.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eWeakness\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAll other weaknesses that do not rise to the level of a significant deficiency or reportable condition must be categorized as a weakness.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThey must be mitigated in a timely and efficient manner, as resources permit.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe weakness severity level can be obtained from the source or the audit report. Most findings will generally be categorized as a “weakness”. In the event that a weakness is designated as a “significant deficiency”, then contact the \u003ca href=\"mailto:ciso@cms.hhs.gov\"\u003eCISO mailbox \u003c/a\u003efor further guidance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWeakness risk level\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final\"\u003eNIST SP 800-30 \u003c/a\u003econtains the definitions and the practical guidance necessary for assessing and mitigating identified risks to IT systems. 
Risk level is dependent on multiple factors, such as \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFederal Information Processing Standard (FIPS) 199 \u003c/a\u003ecategory, operating environment, compensating controls, nature of the vulnerability, and impact if a system is compromised.\u003c/p\u003e\u003cp\u003eRisk can be evaluated either qualitatively or quantitatively and is typically expressed in its simplified form as:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRISK = THREAT x IMPACT x LIKELIHOOD\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe result of the analysis of the risk(s) from following the NIST SP 800-30 guide will recommend the overall risk level assigned to the FISMA system of record.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRoot Cause Analysis (RCA)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll weaknesses must be examined to determine their root cause prior to documentation in the POA\u0026amp;M. \u003cstrong\u003eRoot Cause Analysis (RCA)\u003c/strong\u003e is an important and effective methodology used to correct information security or privacy weaknesses by eliminating the underlying cause. Various factors are reviewed to determine if they are the underlying cause of the weakness. Proper evaluation ensures the cause, not the symptom, is treated and prevents resources from being expended unnecessarily on addressing the same weakness.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePrioritizing weaknesses\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS takes a risk management approach to ensure that critical and high-impact weaknesses take precedence over lower security weaknesses. 
The following chart will help CMS System/Business Owners and ISSOs prioritize weaknesses on an ongoing basis to ensure that high-priority weaknesses receive the funding and the resources necessary to remediate or mitigate the most significant risks.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePrioritization factor\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDescription\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk level/severity\u003c/td\u003e\u003ctd\u003e\u003cp\u003eWeaknesses on a High or Moderate system or weaknesses that contribute to a material weakness, significant deficiency or reportable condition will normally require more immediate resolution.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis prioritization factor must consider the following elements:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eSensitivity and criticality of information on the system, such as personally identifiable information (PII).\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe estimated likelihood of the weakness occurring and/or being exploited.\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe cost of a potential occurrence or exploitation in terms of dollars, resources, and/or reputation\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAnalysis\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe weakness must be analyzed to determine if there are any other processes or system relationships that it may affect.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDoes the weakness fall within the system authorization boundary?\u0026nbsp;\u003c/li\u003e\u003cli\u003eIs it a potential program weakness?\u0026nbsp;\u003c/li\u003e\u003cli\u003eIs the weakness a systemic issue (across the enterprise) or is it an isolated event?\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSystemic issues represent much greater risk and may be a higher 
priority.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSource\u003c/td\u003e\u003ctd\u003eWhat is the source of the weakness? For example, if the weakness resulted from an audit and is considered a significant deficiency, then greater attention should be focused on this weakness.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVisibility\u003c/td\u003e\u003ctd\u003eHas the weakness drawn a high level of visibility external to the system or program? In some cases, a lower level weakness is a higher priority due to visibility. There are times when senior management or outside organizations focus on a specific weakness. Such weaknesses may take priority.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eRegardless of how the weakness is found and how severe it is,\u0026nbsp;it's critical that system teams work together to create a Corrective Action Plan (CAP) to address it.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eDevelop a Corrective Action Plan (CAP)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAfter weaknesses have been identified and the root cause has been determined, a \u003cstrong\u003eCorrective Action Plan (CAP)\u003c/strong\u003e must be developed. The CAP identifies:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe specific tasks, or “milestones”, that need to be accomplished to reduce or eliminate weakness\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe resources required to accomplish the plan\u003c/li\u003e\u003cli\u003eA timeline for correcting the weakness including a completion date\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe milestones in the CAP must provide specific, action-oriented descriptions of the tasks/steps that the stakeholder will take to mitigate the weakness. 
When creating your milestones, be sure that they are:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSpecific\u003c/strong\u003e – target a specific area for improvement\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMeasurable\u003c/strong\u003e – quantify or at least suggest an indicator of progress\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAssignable\u003c/strong\u003e – specify who will do it\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRealistic\u003c/strong\u003e – state what results can realistically be achieved, given available resources\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTime-related\u003c/strong\u003e – specify when the result(s) can be achieved.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe number of milestones written per weakness must directly correspond to the number of steps or corrective actions necessary to fully address and resolve the weakness. Each weakness must have at least one corresponding milestone with an estimated completion date and resource requirements to remediate the weakness. 
The chart below provides samples of compliant and non-compliant milestones that system teams can use when writing their CAP.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eExamples of appropriate milestones\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePOA\u0026amp;M description\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eExample\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eMilestones with completion dates\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVulnerability scanning does not incorporate the entire environment as documented in the System Security and Privacy Plan (SSPP)\u003c/td\u003e\u003ctd\u003eInappropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eEnsure vulnerability scanning covers the entire environment; (11/15/2018)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVulnerability scanning does not incorporate the entire environment as documented in the System Security and Privacy Plan (SSPP)\u003c/td\u003e\u003ctd\u003eAppropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eSchedule a review of the environment inventory; (11/15/2018)\u003c/li\u003e\u003cli\u003eUpdate the SSPP and the vulnerability scanner to reflect the updated inventory; (1/31/2019)\u003c/li\u003e\u003cli\u003eConduct a vulnerability scan to check that the entire inventory is included; (2/15/2019)\u003c/li\u003e\u003cli\u003eImplement an ongoing process to evaluate and update the inventory, the SSPP, and the vulnerability scans on a regular basis; (3/15/2019)\u003c/li\u003e\u003cli\u003ePerform a vulnerability scan and cross check the output with the updated inventory list to verify that the entire environment is included; (4/15/2019)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAudit logs are not periodically 
reviewed\u003c/td\u003e\u003ctd\u003eInappropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eEnsure that audit logs are periodically reviewed; (12/15/2018)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAudit logs are not periodically reviewed\u003c/td\u003e\u003ctd\u003eAppropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eReview policy to ensure that audit log review is required; (12/15/2018)\u003c/li\u003e\u003cli\u003eIdentify the SO; (12/16/2018)\u003c/li\u003e\u003cli\u003eEstablish communication and training to convey the requirement of audit log review; (2/28/2019)\u003c/li\u003e\u003cli\u003eSchedule a follow-up review with the SO to ensure that audit log review is taking place. (3/31/2019)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe CAP should be a collaborative effort with stakeholders including the CISO, System/Business Owners, System Developers and Maintainers, ISSOs, and others as needed. These stakeholders ensure that the CAP is created, executed, monitored, and worked to closure or risk-based acceptance.\u003c/p\u003e\u003cp\u003eOMB provides a standard POA\u0026amp;M format which is utilized at CMS. This structure improves the stakeholders' ability to easily locate information and organize details for analysis. The CAP format includes a location for the identified program weakness, any associated milestones, and the necessary resources required.\u0026nbsp;\u003c/p\u003e\u003cp\u003eOnce the CAP is documented, the plan must be entered into \u003ca href=\"https://cfacts.cms.gov/\"\u003eCFACTS\u003c/a\u003e in the form of a series of milestone records. The status of the POA\u0026amp;M will automatically be moved from “draft” to “ongoing” 30 days after the weakness creation date. 
Once a milestone has been accepted/approved and closed, the record must be retained for one year.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eDetermine resource and funding availability\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eMaking funding decisions is often a collaborative exercise that involves multiple system personnel and stakeholders. Examples of questions to ask to determine if your team has the resources to appropriately respond to a weakness are:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eIs one team or person enough or will the participation of a larger team be needed?\u0026nbsp;\u003c/li\u003e\u003cli\u003eCan the task be accomplished within a week or will it take several months?\u0026nbsp;\u003c/li\u003e\u003cli\u003eHow serious is the weakness?\u0026nbsp;\u003c/li\u003e\u003cli\u003eWhat is the risk level of this weakness?\u0026nbsp;\u003c/li\u003e\u003cli\u003eHow complex is the CAP?\u0026nbsp;\u003c/li\u003e\u003cli\u003eDo we need to purchase equipment?\u003c/li\u003e\u003cli\u003eCan the weakness be addressed with existing funding or will we require new allocation from an existing budget source?\u0026nbsp;\u003c/li\u003e\u003cli\u003eWill addressing this milestone require changes to existing policy or code?\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe System/Business Owner, ISSOs, and other stakeholders must ensure that adequate resources are allocated to mitigate or remediate weaknesses. They must also work together to determine the funding stream required to address the weakness, and any full-time equivalent (FTE) resources required to remediate or mitigate each weakness on the POA\u0026amp;M. 
The resources required for weakness remediation must fall into one of the following three categories:\u003c/p\u003e\u003col\u003e\u003cli\u003eUsing current resources allocated for the security and/or management of a program or system to complete remediation activities\u003c/li\u003e\u003cli\u003eReallocating existing funds that are appropriated and available for the remediation, or redirecting existing personnel\u003c/li\u003e\u003cli\u003eRequesting additional funding or personnel\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eDuplicate or similar weaknesses shall be documented in one POA\u0026amp;M, existing or new, to avoid inconsistencies. If a related POA\u0026amp;M already exists, the additional weakness shall be noted in the comment field.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAssign a completion date\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSystem/Business Owners, ISSOs, and other stakeholders must determine the scheduled completion date for each weakness using the criteria established by the remediation and mitigation timeline, the risk level, and the severity level. The milestone(s) completion date must not exceed the scheduled completion date assigned to the weakness.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIt is also a good practice to first determine the milestones with completion dates, as this will help determine a more accurate overall scheduled completion date for the weakness. The weakness schedule completion date is a calculated date. It is determined by the identified date and the risk level. The scheduled completion date established at the creation of the weakness must not be modified after the weakness is reported to OMB. 
POA\u0026amp;Ms become reportable once the status changes from “Draft” to “Ongoing” in CFACTS.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf a weakness is not remediated within the scheduled completion date, a new estimated completion date must be determined and documented in the Changes to Milestones and Comment fields in the POA\u0026amp;M in CFACTS.\u003c/p\u003e\u003cp\u003e\u003cem\u003eNOTE: In use cases where a responsive and timely POA\u0026amp;M cannot be developed, the ISSO can choose to consider the Risk Based Decision (RBD) process to request the Authorizing Official (AO) to consider a risk acceptance until such time the vulnerability can be remediated.\u003c/em\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eExecute the Corrective Action Plan (CAP)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA designated Point of Contact (POC), responsible for ensuring proper execution of the CAP, must be identified for each weakness and its milestones. Individual(s) responsible for the execution of the CAP vary widely depending on the organization, system, milestones, and weakness.\u003c/p\u003e\u003cp\u003eThis POC resource will be key to identifying an “owner” of the milestone and ensuring the milestone is worked to the eventual remediation of the weakness or acceptable mitigation of the weakness. Once the planning of the necessary corrective action is complete and adequate resources have been made available, remediation or mitigation activities will proceed in accordance with the plan.\u003c/p\u003e\u003cp\u003eIf the completion of a milestone extends past its original estimated completion date, an update to the milestone and the completion date of the milestone must be captured in the “Changes to Milestone” field of CFACTS. 
If the scheduled completion date has passed before the weakness is remediated or mitigated, the weakness must default to “Delayed” status and a justification with a new estimated completion date must be documented in the “Comment” field and the “Changes to Milestone” field of the relevant weakness in CFACTS.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eVerify weakness completion\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS requires that all information in the POA\u0026amp;M be updated at least quarterly, ensuring accuracy for efficient tracking and reporting. As part of the review process, the ISSO will:\u003c/p\u003e\u003cul\u003e\u003cli\u003eValidate that the weakness is properly identified and prioritized\u003c/li\u003e\u003cli\u003eEnsure that appropriate resources have been made available to resolve the weakness\u003c/li\u003e\u003cli\u003eEnsure that the schedule for resolving the weakness is both appropriate and achievable\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eAccept risk when applicable\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA POA\u0026amp;M is a plan to resolve unacceptable risks. In rare cases, the Business Owner can present a case for accepting the risk to the AO or CIO, who may make the decision to accept the risk at their discretion. This is part of the Risk Based Decision (RBD) process. After approval, RBDs shall be reviewed at least annually to ensure the risk remains acceptable and updated as events occur and information changes. 
RBDs are managed in CFACTS under the \"RBD\" tab.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eClosing a POA\u0026amp;M\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePOA\u0026amp;Ms designated as Low and Moderate are closed by the ISSO and spot audited by a CRA.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms designated as Critical and High are closed by the CRA.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms generated from audits should be reviewed by the auditor prior to closure.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms resulting from a Penetration Test (PenTest) are closed by the PenTest team after the re-test has been performed.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eReports\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eReporting is a critical component of POA\u0026amp;M management, and CMS reports its remediation efforts on a monthly basis. The information in the POA\u0026amp;M must be maintained continuously to communicate overall progress. CMS must submit POA\u0026amp;M updates at least once a month (by the 3rd business day of each month) to HHS to demonstrate the status of POA\u0026amp;M mitigation or remediation activities.\u003c/p\u003e\u003cp\u003eCMS must submit the following information in accordance with the Department POA\u0026amp;M reporting requirements:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAll POA\u0026amp;Ms associated with a program, system and/or component that are within an authorization boundary. 
POA\u0026amp;Ms must be tied to the individual system and/or component and not the authorization boundary.\u003c/li\u003e\u003cli\u003eAn explanation associated with each delayed POA\u0026amp;M and a revised estimated completion date.\u003c/li\u003e\u003cli\u003eCompleted POA\u0026amp;Ms for up to one year from the date of completion.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWeakness remediation and mitigation timeline\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAfter positive identification of scan findings or approval of security assessment and/or audit report, all findings/weaknesses shall be documented in a POA\u0026amp;M, reported to HHS, and remediated/mitigated within the following remediation timelines.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eCritical within 15 days\u003c/li\u003e\u003cli\u003e\u0026nbsp;High within 30 days\u003c/li\u003e\u003cli\u003eModerate within 90 days\u003c/li\u003e\u003cli\u003eLow within 365 days\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eBusiness Owners, ISSOs, and/or other POA\u0026amp;M stakeholders must work together to determine the scheduled completion date for each POA\u0026amp;M within the specified remediation timelines. These timelines are based on the date the weakness is identified, not the date the POA\u0026amp;M is created. Stakeholders should complete and submit their CAAT templates in a timely manner to allow for the maximum time to complete the remediation/mitigation.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf it is determined that additional time is needed to remediate or mitigate a weakness, the justification with a modified estimated completion date shall be documented in the POA\u0026amp;M in the Changes to Milestones and Comment fields in CFACTS. 
If weaknesses are not remediated within the scheduled completion date, the status shall change to “Delayed”.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWeaknesses discovered during a government audit\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWeaknesses identified during a government audit (i.e., Inspector General or GAO audit) shall be documented in the POA\u0026amp;M after the audit draft report is produced, regardless of CMS acceptance of the identified weakness(es). Disagreements on findings that cannot be resolved between CMS and the auditing office shall be elevated to the Department for resolution. Systems must review and update POA\u0026amp;Ms at least quarterly. In addition, compensating controls must be in place and documented until weaknesses are remediated or mitigated to an acceptable level of risk.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eCFACTS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eStakeholders must use\u0026nbsp;\u003ca href=\"https://cfacts.cms.gov/\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eCFACTS\u003c/a\u003e, the CMS GRC tool, to identify, track, and manage all system weaknesses and associated POA\u0026amp;Ms to closure for CMS information systems. Users who need access to CFACTS may request an account and appropriate privileges through the Enterprise User Administration (EUA). The job code is \u003cstrong\u003eCFACTS_User_P\u003c/strong\u003e. Once the job code is assigned, the user must email the CISO mailbox at \u003ca href=\"mailto:ciso@cms.hhs.gov\"\u003eciso@cms.hhs.gov\u003c/a\u003e to notify the CISO of the user's role (ISSO, System Developer, or System/Business Owner).\u003c/p\u003e\u003cp\u003eThe \u003cstrong\u003eCFACTS User Manual\u003c/strong\u003e provides detailed instructions for processing POA\u0026amp;M actions in the CFACTS tracking system. 
The User Manual can be accessed under the \u003cstrong\u003eCFACTS Documents\u003c/strong\u003e section on the \u003cstrong\u003eCFACTS Artifacts\u003c/strong\u003e page which can be accessed by clicking on the CFACTS Artifacts icon on the welcome page.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePOA\u0026amp;M Glossary\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe following glossary will help system teams understand the language of the POA\u0026amp;M process.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTerm\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDefinition\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAnnual Assessment\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe process of validating the effective implementation of security and privacy controls in the information system and its environment of operation within every three hundred sixty-five (365) days in accordance with the CMS Information Security (IS) Acceptable Risk Safeguards (ARS) Including CMS Minimum Security Requirements (CMSR) Standard, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAudit\u003c/td\u003e\u003ctd\u003eAn independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCapital Planning and Investment Control\u003c/td\u003e\u003ctd\u003eA decision-making process for ensuring that investments integrate strategic planning, budgeting, procurement, and the management of or in support of Agency missions and business needs. 
[OMB Circular No. A-11]. The term comes from the Clinger-Cohen Act of 1996; while originally focused on IT, it now applies also to non-IT investments.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCommon Control\u003c/td\u003e\u003ctd\u003eA security or privacy control that is inherited by one or more organizational information systems. See Security Control Inheritance.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompleted\u003c/td\u003e\u003ctd\u003eA status assigned when all corrective actions have been completed or closed for a weakness and the weakness has been verified as successfully mitigated. Documentation is required to demonstrate the weakness has been adequately resolved. When assigning the status of Completed, the date of completion must also be included.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompletion date\u003c/td\u003e\u003ctd\u003eThe action date when all weaknesses have been fully resolved and the corrective action plan has been tested.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl activities\u003c/td\u003e\u003ctd\u003eThe policies and procedures that help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities, whether automated or manual, help achieve control objectives and are applied at various organizational and functional levels.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl deficiency\u003c/td\u003e\u003ctd\u003eA deficiency that exists when the design or operation of a control does not allow management or employees to, in the normal course of performing their assigned functions, prevent or detect breaches of confidentiality, integrity, or availability on a timely basis. 
(See also design deficiency or operations deficiency)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCorrective Action Plan (CAP)\u003c/td\u003e\u003ctd\u003eThe plan management formulates to document the procedures and milestones identified to correct control deficiencies.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCriteria\u003c/td\u003e\u003ctd\u003e\u003cp\u003eA context for evaluating evidence and understanding the findings, conclusions, and recommendations included in the report. Criteria represent the laws, regulations, contracts, grant agreements, standards, specific requirements, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated.\u003c/p\u003e\u003cp\u003eCriteria identify the required or desired state or expectation with respect to the program or operation.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDelayed\u003c/td\u003e\u003ctd\u003eA status assigned when a weakness continues to be mitigated after the original scheduled completion date has passed. When assigning the status of Delayed, an explanation must be provided in the milestone as to why the delay is occurring, as well as the revised completion date.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDesign deficiency\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA deficiency that exists when a control necessary to meet the control objective is missing or an existing control is not properly designed, so that even if the control operates as designed the control objective is not always met.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDraft\u003c/td\u003e\u003ctd\u003eA status that indicates that a weakness requires review and approval prior to “official” entry in the POA\u0026amp;M. 
Types of review that may take place while a weakness is in draft status would be: reviewing to determine if the weakness already exists and would be a duplicate; reviewing to determine if the organization will accept the risk, or apply for a waiver; etc.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEvidence\u003c/td\u003e\u003ctd\u003eAny information used by the auditor, tester, or evaluator, to determine whether the information being audited, evaluated, or assessed is stated in accordance with the established criteria.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFISMA Audit\u003c/td\u003e\u003ctd\u003eA FISMA assessment designed to determine areas of compliance and areas requiring remediation to become FISMA compliant.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFederal Information Security Modernization Act (FISMA)\u003c/td\u003e\u003ctd\u003eRequires agencies to integrate information technology (IT) security into their capital planning and enterprise architecture processes at the agency, conduct annual IT security reviews of all programs and systems, and report the results of those reviews to the OMB. 
[NIST SP 800-65]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFindings\u003c/td\u003e\u003ctd\u003eConclusions based on an evaluation of sufficient, appropriate evidence against criteria.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInformation Security Risk\u003c/td\u003e\u003ctd\u003eThe risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and /or information systems.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePrimary Information System Security Officer (ISSO)\u003c/td\u003e\u003ctd\u003eIndividual with assigned responsibility for maintaining the appropriate operational security and privacy posture for an information system or program.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInitial audit findings\u003c/td\u003e\u003ctd\u003eAny type of audit conducted on a financial system or a non-financial system.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInternal control\u003c/td\u003e\u003ctd\u003eAn integral component of an organization's management systems that provides reasonable assurance that the following objectives are being achieved: effectiveness and efficiency of operations, reliability of financial reporting, or compliance with applicable laws and regulations.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eManagement controls\u003c/td\u003e\u003ctd\u003eThe security or privacy controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security and privacy.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMaterial weakness\u003c/td\u003e\u003ctd\u003eMaterial weaknesses include reportable conditions that the Secretary or Component Head determines to be significant 
enough to report outside of the Department. Material weakness in internal control over financial reporting is a reportable condition, or combination of reportable conditions, that results in more than a remote likelihood that a material misstatement of the financial statements, or other significant financial reports, will not be prevented or detected.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMetrics\u0026nbsp;\u003c/td\u003e\u003ctd\u003eTools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNon-conformance\u0026nbsp;\u003c/td\u003e\u003ctd\u003eInstances in which financial management systems do not substantially conform to financial systems requirements. Financial management systems include both financial and financially-related (or mixed) systems.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOngoing\u003c/td\u003e\u003ctd\u003eA status assigned when a weakness is in the process of being mitigated and has not yet exceeded the original scheduled completion date.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOperational controls\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe security or privacy controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems).\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOperations deficiency\u003c/td\u003e\u003ctd\u003eA deficiency that exists when a properly designed control does not operate as designed or when the person performing the control is not qualified or properly skilled to perform the control effectively.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePending verification\u003c/td\u003e\u003ctd\u003eA status that indicates that all milestones/corrective actions have been completed but require review and sign-off 
to ensure effective resolution.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/td\u003e\u003ctd\u003eA FISMA mandated corrective action plan to identify and resolve information security and privacy weaknesses. A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePotential impact\u003c/td\u003e\u003ctd\u003eThe loss of confidentiality, integrity, or availability could be expected to have: (i) a limited adverse effect (FIPS 199 low); (ii) a serious adverse effect (FIPS 199 moderate); or (iii) a severe or catastrophic adverse effect (FIPS 199 high) on organizational operations, organizational assets, or individuals.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eProgram\u003c/td\u003e\u003ctd\u003eAn organized set of activities directed toward a goal or particular set of goals or objectives for which the program is accountable; a distinct set of activities and strategies organized toward achieving a specific purpose. A program is a representation of what is delivered to the public. 
Programs usually operate for indefinite or continuous periods, but may consist of several projects or initiatives.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eReportable condition\u0026nbsp;\u003c/td\u003e\u003ctd\u003eReportable conditions overall include a control deficiency, or combination of control deficiencies, that in management's judgment, must be communicated because they represent significant weaknesses in the design or operation of an internal control that could adversely affect the organization's ability to meet its internal control objectives.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eResilience\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe ability to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs. [NIST SP 800-39, Adapted]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security and privacy risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk accepted\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA status assigned when the weakness risk has been accepted. 
When assigning this status, an acceptance of the risk must be certified by the appropriate Authorizing Official and documented accordingly. The weakness and corresponding risk must be monitored periodically to ensure the associated risk remains at an acceptable level.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSafeguards\u0026nbsp;\u003c/td\u003e\u003ctd\u003eProtective measures prescribed to meet the security and privacy requirements specified for an information system. Safeguards may include security and privacy features, management constraints, personnel security, and security of physical structures, areas, and devices; synonymous with security and privacy controls and countermeasures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eScheduled or estimated completion date\u003c/td\u003e\u003ctd\u003eA realistic estimate of the amount of time it will take to complete all associated milestones for a POA\u0026amp;M.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity Control Assessment (SCA)\u003c/td\u003e\u003ctd\u003eThe testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. [NIST SP 800-37]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity Control Inheritance\u003c/td\u003e\u003ctd\u003eA situation in which an information system or application receives protection from security and privacy controls (or portions of security and privacy controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. 
See Common Control.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSignificant deficiency\u003c/td\u003e\u003ctd\u003eA weakness in an agency's overall information systems security and privacy program or management control structure, or within one or more information systems, that significantly restricts the capability of the agency to carry out its mission or compromises the security or privacy of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTechnical controls\u003c/td\u003e\u003ctd\u003eSecurity controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. [FIPS 200]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eThreat\u003c/td\u003e\u003ctd\u003eAny potential danger to information or systems. A potential threat event, if realized, would cause an undesirable impact. The undesirable impact can come in many forms, but often results in a financial loss. A threat agent could be an intruder accessing the network through a port on the firewall, a process of accessing data in a way that violates the security or privacy policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information or destroy a file's integrity.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVulnerability\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe absence or weakness of a safeguard that could be exploited; the absence or weakness of cumulative controls protecting a particular asset. 
Vulnerability is a software, hardware, or procedure weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eWaiver\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA status provided when the weakness risk has been accepted and justification has been appropriately documented. Justification of non- compliance must follow the agency's waiver policy and be documented accordingly.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eWeakness\u003c/td\u003e\u003ctd\u003eThe absence of adequate controls.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"232:T9cb3,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is a POA\u0026amp;M?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA Plan of Action and Milestones (POA\u0026amp;M) is a corrective action plan that tracks system weakness and allows System Owners and ISSOs to create a plan to resolve the identified weaknesses over time. A POA\u0026amp;M provides details about the personnel, technology, and funding required to accomplish the elements of the plan, milestones for correcting the weaknesses, and scheduled completion dates for the milestones.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePOA\u0026amp;M process overview\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe POA\u0026amp;M process begins when a weakness is identified in a CMS FISMA system. Working together, the System/Business Owner and the Authorizing Official (AO) are responsible for mitigating the risk posed by the weakness, with support from the Information System Security Officer (ISSO) and Cyber Risk Advisor (CRA). 
The steps to the POA\u0026amp;M process are outlined below, and will be described in greater detail throughout the remainder of this guide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify weaknesses\u003c/li\u003e\u003cli\u003eDevelop a Corrective Action Plan (CAP)\u003c/li\u003e\u003cli\u003eDetermine resource and funding availability\u003c/li\u003e\u003cli\u003eAssign a completion date\u003c/li\u003e\u003cli\u003eExecute the Corrective Action Plan (CAP)\u003c/li\u003e\u003cli\u003eVerify weakness completion\u003c/li\u003e\u003cli\u003eAccept risk when applicable\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIdentifying weaknesses\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe term “weakness” represents any information security or privacy vulnerability that could be exploited as a result of a specific control deficiency. Weaknesses can compromise a system's confidentiality, integrity, or availability. All weaknesses that represent risk to the security or privacy of a system must be corrected and the required mitigation efforts captured in a POA\u0026amp;M.\u0026nbsp;For the purpose of this document, the term “weakness” as defined in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST SP 800-53, rev. 5 \u003c/a\u003ewill be synonymous with the terms finding and vulnerability. These terms are defined below:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFinding\u003c/strong\u003e During an assessment or audit, the security and privacy controls of a system are tested, or exercised. A system either satisfies the requirements of a control or does not satisfy it.\u0026nbsp; Findings are the result of the assessment or audit. 
Findings that do not satisfy a control must be addressed with a POA\u0026amp;M.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVulnerability\u003c/strong\u003e A vulnerability is a weakness in a system, a system's security procedures, its internal controls, or its implementation that could be exploited or triggered by a threat source.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFinding weaknesses\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWeaknesses may be found during an internal or external audit, review, or through Continuous Diagnostics and Mitigation (CDM) efforts. There are a number of specific sources that help system teams identify weaknesses:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eHHS OIG Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003eGovernment Accountability Office (GAO) Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003eChief Financial Officer (CFO) Reviews\u0026nbsp;\u003c/li\u003e\u003cli\u003eOMB A-123 Internal Control Reviews\u0026nbsp;\u003c/li\u003e\u003cli\u003eAnnual Assessments\u003c/li\u003e\u003cli\u003eFISMA Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e or Security Control Assessments (SCA)\u0026nbsp;\u003c/li\u003e\u003cli\u003eMedicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) Section 912 Audits\u0026nbsp;\u003c/li\u003e\u003cli\u003eInternal Revenue Service (IRS) Safeguard Reviews\u0026nbsp;\u003c/li\u003e\u003cli\u003eDepartment of Homeland Security (DHS) Risk Vulnerability Assessments (RVA)\u0026nbsp;\u003c/li\u003e\u003cli\u003eDHS Cyber Hygiene\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/penetration-testing\"\u003ePenetration Testing\u0026nbsp;\u003c/a\u003e\u003c/li\u003e\u003cli\u003eVulnerability Scanning\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDuring these assessments, 
reviews, and audits, weaknesses can be found either proactively or reactively.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eProactive - \u003c/strong\u003eProactive weakness identification occurs during regular system reviews conducted by CMS.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eReactive - \u003c/strong\u003eReactive weakness determination indicates that the weakness was identified during an audit or external review, like a penetration test.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWeaknesses are always documented by the source that identified them, and it's important to indicate the identification source as you create your POA\u0026amp;M.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWeakness severity levels\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThere are three severity levels for all weaknesses discovered during assessments, audits, and tests. The risk the weakness poses to the agency's overall security and privacy posture determines the weakness's severity level. 
There are three levels of severity as defined by OMB: significant deficiency, reportable condition, and weakness.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eWeakness severity levels\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSignificant deficiency\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eA weakness is considered a \u003cstrong\u003esignificant deficiency\u003c/strong\u003e if it drastically restricts the capability of the agency to carry out its mission or if it compromises the security or privacy of its information, information systems, personnel, or other resources, operations, or assets.\u0026nbsp;\u003c/p\u003e\u003cp\u003eSenior management must be notified and immediate or near immediate corrective action must be taken.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eReportable Condition\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eA \u003cstrong\u003ereportable condition\u003c/strong\u003e is a weakness that affects the efficiency and effectiveness of agency operations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eDue to its lower associated risk, corrective actions for a reportable condition may be scheduled over a longer period of time. 
The control auditor or assessor will make the determination that a weakness is a reportable condition.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eWeakness\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAll other weaknesses that do not rise to the level of a significant deficiency or reportable condition must be categorized as a weakness.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThey must be mitigated in a timely and efficient manner, as resources permit.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe weakness severity level can be obtained from the source or the audit report. Most findings will generally be categorized as a “weakness”. In the event that a weakness is designated as a “significant deficiency”, then contact the \u003ca href=\"mailto:ciso@cms.hhs.gov\"\u003eCISO mailbox \u003c/a\u003efor further guidance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWeakness risk level\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final\"\u003eNIST SP 800-30 \u003c/a\u003econtains the definitions and the practical guidance necessary for assessing and mitigating identified risks to IT systems. 
Risk level is dependent on multiple factors, such as \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eFederal Information Processing Standard (FIPS) 199 \u003c/a\u003ecategory, operating environment, compensating controls, nature of the vulnerability, and impact if a system is compromised.\u003c/p\u003e\u003cp\u003eRisk can be evaluated either qualitatively or quantitatively and is typically expressed in its simplified form as:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRISK = THREAT x IMPACT x LIKELIHOOD\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe result of the analysis of the risk(s) from following the NIST SP 800-30 guide will recommend the overall risk level assigned to the FISMA system of record.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRoot Cause Analysis (RCA)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll weaknesses must be examined to determine their root cause prior to documentation in the POA\u0026amp;M. \u003cstrong\u003eRoot Cause Analysis (RCA)\u003c/strong\u003e is an important and effective methodology used to correct information security or privacy weaknesses by eliminating the underlying cause. Various factors are reviewed to determine if they are the underlying cause of the weakness. Proper evaluation ensures the cause, not the symptom, is treated and prevents resources from being expended unnecessarily on addressing the same weakness.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePrioritizing weaknesses\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS takes a risk management approach to ensure that critical and high-impact weaknesses take precedence over lower security weaknesses. 
The following chart will help CMS System/Business Owners and ISSOs prioritize weaknesses on an ongoing basis to ensure that high-priority weaknesses receive the funding and the resources necessary to remediate or mitigate the most significant risks.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePrioritization factor\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDescription\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk level/severity\u003c/td\u003e\u003ctd\u003e\u003cp\u003eWeaknesses on a High or Moderate system or weaknesses that contribute to a material weakness, significant deficiency or reportable condition will normally require more immediate resolution.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis prioritization factor must consider the following elements:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eSensitivity and criticality of information on the system, such as personally identifiable information (PII).\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe estimated likelihood of the weakness occurring and/or being exploited.\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe cost of a potential occurrence or exploitation in terms of dollars, resources, and/or reputation\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAnalysis\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe weakness must be analyzed to determine if there are any other processes or system relationships that it may affect.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDoes the weakness fall within the system authorization boundary?\u0026nbsp;\u003c/li\u003e\u003cli\u003eIs it a potential program weakness?\u0026nbsp;\u003c/li\u003e\u003cli\u003eIs the weakness a systemic issue (across the enterprise) or is it an isolated event?\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSystemic issues represent much greater risk and may be a higher 
priority.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSource\u003c/td\u003e\u003ctd\u003eWhat is the source of the weakness? For example, if the weakness resulted from an audit and is considered a significant deficiency, then greater attention should be focused on this weakness.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVisibility\u003c/td\u003e\u003ctd\u003eHas the weakness drawn a high level of visibility external to the system or program? In some cases, a lower level weakness is a higher priority due to visibility. There are times when senior management or outside organizations focus on a specific weakness. Such weaknesses may take priority.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eRegardless of how the weakness is found and how severe it is,\u0026nbsp;it's critical that system teams work together to create a Corrective Action Plan (CAP) to address it.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eDevelop a Corrective Action Plan (CAP)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAfter weaknesses have been identified and the root cause has been determined, a \u003cstrong\u003eCorrective Action Plan (CAP)\u003c/strong\u003e must be developed. The CAP identifies:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe specific tasks, or “milestones”, that need to be accomplished to reduce or eliminate the weakness\u0026nbsp;\u003c/li\u003e\u003cli\u003eThe resources required to accomplish the plan\u003c/li\u003e\u003cli\u003eA timeline for correcting the weakness including a completion date\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe milestones in the CAP must provide specific, action-oriented descriptions of the tasks/steps that the stakeholder will take to mitigate the weakness. 
When creating your milestones, be sure that they are:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSpecific\u003c/strong\u003e target a specific area for improvement\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMeasurable\u003c/strong\u003e quantify or at least suggest an indicator of progress\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAssignable\u003c/strong\u003e specify who will do it\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRealistic\u003c/strong\u003e state what results can realistically be achieved, given available resources\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTime-related\u003c/strong\u003e specify when the result(s) can be achieved.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe number of milestones written per weakness must directly correspond to the number of steps or corrective actions necessary to fully address and resolve the weakness. Each weakness must have at least one corresponding milestone with an estimated completion date and resource requirements to remediate the weakness. 
The chart below provides samples of compliant and non-compliant milestones that system teams can use when writing their CAP.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eExamples of appropriate milestones\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePOA\u0026amp;M description\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eExample\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eMilestones with completion dates\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVulnerability scanning does not incorporate the entire environment as documented in the System Security and Privacy Plan (SSPP)\u003c/td\u003e\u003ctd\u003eInappropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eEnsure vulnerability scanning covers the entire environment; (11/15/2018)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVulnerability scanning does not incorporate the entire environment as documented in the System Security and Privacy Plan (SSPP)\u003c/td\u003e\u003ctd\u003eAppropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eSchedule a review of the environment inventory; (11/15/2018)\u003c/li\u003e\u003cli\u003eUpdate the SSPP and the vulnerability scanner to reflect the updated inventory; (1/31/2019)\u003c/li\u003e\u003cli\u003eConduct a vulnerability scan to check that the entire inventory is included; (2/15/2019)\u003c/li\u003e\u003cli\u003eImplement an ongoing process to evaluate and update the inventory, the SSPP, and the vulnerability scans on a regular basis; (3/15/2019)\u003c/li\u003e\u003cli\u003ePerform a vulnerability scan and cross check the output with the updated inventory list to verify that the entire environment is included; (4/15/2019)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAudit logs are not periodically 
reviewed\u003c/td\u003e\u003ctd\u003eInappropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eEnsure that audit logs are periodically reviewed; (12/15/2018)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAudit logs are not periodically reviewed\u003c/td\u003e\u003ctd\u003eAppropriate\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eReview policy to ensure that audit log review is required; (12/15/2018)\u003c/li\u003e\u003cli\u003eIdentify the SO; (12/16/2018)\u003c/li\u003e\u003cli\u003eEstablish communication and training to convey the requirement of audit log review; (2/28/2019)\u003c/li\u003e\u003cli\u003eSchedule a follow-up review with the SO to ensure that audit log review is taking place. (3/31/2019)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe CAP should be a collaborative effort with stakeholders including the CISO, System/Business Owners, System Developers and Maintainers, ISSOs, and others as needed. These stakeholders ensure that the CAP is created, executed, monitored, and worked to closure or risk-based acceptance.\u003c/p\u003e\u003cp\u003eOMB provides a standard POA\u0026amp;M format which is utilized at CMS. This structure improves the stakeholders' ability to easily locate information and organize details for analysis. The CAP format includes a location for the identified program weakness, any associated milestones, and the necessary resources required.\u0026nbsp;\u003c/p\u003e\u003cp\u003eOnce the CAP is documented, the plan must be entered into \u003ca href=\"https://cfacts.cms.gov/\"\u003eCFACTS\u003c/a\u003e in the form of a series of milestone records. The status of the POA\u0026amp;M will automatically be moved from “draft” to “ongoing” 30 days after the weakness creation date. 
Once a milestone has been accepted/approved and closed, the record must be retained for one year.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eDetermine resource and funding availability\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eMaking funding decisions is often a collaborative exercise that involves multiple system personnel and stakeholders. Examples of questions to ask to determine if your team has the resources to appropriately respond to a weakness are:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eIs one team or person enough or will the participation of a larger team be needed?\u0026nbsp;\u003c/li\u003e\u003cli\u003eCan the task be accomplished within a week or will it take several months?\u0026nbsp;\u003c/li\u003e\u003cli\u003eHow serious is the weakness?\u0026nbsp;\u003c/li\u003e\u003cli\u003eWhat is this weakness's risk level?\u0026nbsp;\u003c/li\u003e\u003cli\u003eHow complex is the CAP?\u0026nbsp;\u003c/li\u003e\u003cli\u003eDo we need to purchase equipment?\u003c/li\u003e\u003cli\u003eCan the weakness be addressed with existing funding or will we require new allocation from an existing budget source?\u0026nbsp;\u003c/li\u003e\u003cli\u003eWill addressing this milestone require changes to existing policy or code?\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe System/Business Owner, ISSOs, and other stakeholders must ensure that adequate resources are allocated to mitigate or remediate weaknesses. They must also work together to determine the funding stream required to address the weakness, and any full-time equivalent (FTE) resources required to remediate or mitigate each weakness on the POA\u0026amp;M. 
The resources required for weakness remediation must fall into one of the following three categories:\u003c/p\u003e\u003col\u003e\u003cli\u003eUsing current resources allocated for the security and/or management of a program or system to complete remediation activities\u003c/li\u003e\u003cli\u003eReallocating existing funds that are appropriated and available for the remediation, or redirecting existing personnel\u003c/li\u003e\u003cli\u003eRequesting additional funding or personnel\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eDuplicate or similar weaknesses shall be documented in one POA\u0026amp;M, existing or new, to avoid inconsistencies. If a related POA\u0026amp;M already exists, the additional weakness shall be noted in the comment field.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAssign a completion date\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSystem/Business Owners, ISSOs, and other stakeholders must determine the scheduled completion date for each weakness using the criteria established by the remediation and mitigation timeline, the risk level, and the severity level. The milestone(s) completion date must not exceed the scheduled completion date assigned to the weakness.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIt is also a good practice to first determine the milestones with completion dates, as this will help determine a more accurate overall scheduled completion date for the weakness. The weakness scheduled completion date is a calculated date. It is determined by the identified date and the risk level. The scheduled completion date established at the creation of the weakness must not be modified after the weakness is reported to OMB. 
POA\u0026amp;Ms become reportable once the status changes from “Draft” to “Ongoing” in CFACTS.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf a weakness is not remediated within the scheduled completion date, a new estimated completion date must be determined and documented in the Changes to Milestones and Comment fields in the POA\u0026amp;M in CFACTS.\u003c/p\u003e\u003cp\u003e\u003cem\u003eNOTE: In use cases where a responsive and timely POA\u0026amp;M cannot be developed, the ISSO can choose to consider the Risk Based Decision (RBD) process to request the Authorizing Official (AO) to consider a risk acceptance until such time the vulnerability can be remediated.\u003c/em\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eExecute the Corrective Action Plan (CAP)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA designated Point of Contact (POC), responsible for ensuring proper execution of the CAP, must be identified for each weakness and its milestones. Individual(s) responsible for the execution of the CAP vary widely depending on the organization, system, milestones, and weakness.\u003c/p\u003e\u003cp\u003eThis POC resource will be key to identifying an “owner” of the milestone and ensuring the milestone is worked to the eventual remediation of the weakness or acceptable mitigation of the weakness. Once the planning of the necessary corrective action is complete and adequate resources have been made available, remediation or mitigation activities will proceed in accordance with the plan.\u003c/p\u003e\u003cp\u003eIf the completion of a milestone extends past its original estimated completion date, an update to the milestone and the completion date of the milestone must be captured in the “Changes to Milestone” field of CFACTS. 
If the scheduled completion date has passed before the weakness is remediated or mitigated, the weakness must default to “Delayed” status and a justification with a new estimated completion date must be documented in the “Comment” field and the “Changes to Milestone” field of the relevant weakness in CFACTS.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eVerify weakness completion\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS requires that all information in the POA\u0026amp;M be updated at least quarterly, ensuring accuracy for efficient tracking and reporting. As part of the review process, the ISSO will:\u003c/p\u003e\u003cul\u003e\u003cli\u003eValidate that the weakness is properly identified and prioritized\u003c/li\u003e\u003cli\u003eEnsure that appropriate resources have been made available to resolve the weakness\u003c/li\u003e\u003cli\u003eEnsure that the schedule for resolving the weakness is both appropriate and achievable\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eAccept risk when applicable\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA POA\u0026amp;M is a plan to resolve unacceptable risks. In rare cases, the Business Owner can present a case for accepting the risk to the AO or CIO, who may make the decision to accept the risk at their discretion. This is part of the Risk Based Decision (RBD) process. After approval, RBDs shall be reviewed at least annually to ensure the risk remains acceptable and updated as events occur and information changes. 
RBDs are managed in CFACTS under the \"RBD\" tab.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eClosing a POA\u0026amp;M\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePOA\u0026amp;Ms designated as Low and Moderate are closed by the ISSO and spot audited by a CRA.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms designated as Critical and High are closed by the CRA.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms generated from audits should be reviewed by the auditor prior to closure.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePOA\u0026amp;Ms resulting from a Penetration Test (PenTest) are closed by the PenTest team after the re-test has been performed.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eReports\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eReporting is a critical component of POA\u0026amp;M management, and CMS reports its remediation efforts on a monthly basis. The information in the POA\u0026amp;M must be maintained continuously to communicate overall progress. CMS must submit POA\u0026amp;M updates at least once a month (by the 3rd business day of each month) to HHS to demonstrate the status of POA\u0026amp;M mitigation or remediation activities.\u003c/p\u003e\u003cp\u003eCMS must submit the following information in accordance with the Department POA\u0026amp;M reporting requirements:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAll POA\u0026amp;Ms associated with a program, system and/or component that are within an authorization boundary. 
POA\u0026amp;Ms must be tied to the individual system and/or component and not the authorization boundary.\u003c/li\u003e\u003cli\u003eAn explanation associated with each delayed POA\u0026amp;M and a revised estimated completion date.\u003c/li\u003e\u003cli\u003eCompleted POA\u0026amp;Ms for up to one year from the date of completion.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWeakness remediation and mitigation timeline\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAfter positive identification of scan findings or approval of security assessment and/or audit report, all findings/weaknesses shall be documented in a POA\u0026amp;M, reported to HHS, and remediated/mitigated within the following remediation timelines.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eCritical within 15 days\u003c/li\u003e\u003cli\u003e\u0026nbsp;High within 30 days\u003c/li\u003e\u003cli\u003eModerate within 90 days\u003c/li\u003e\u003cli\u003eLow within 365 days\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eBusiness Owners, ISSOs, and/or other POA\u0026amp;M stakeholders must work together to determine the scheduled completion date for each POA\u0026amp;M within the specified remediation timelines. These timelines are based on the date the weakness is identified, not the date the POA\u0026amp;M is created. Stakeholders should complete and submit their CAAT templates in a timely manner to allow for the maximum time to complete the remediation/mitigation.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf it is determined that additional time is needed to remediate or mitigate a weakness, the justification with a modified estimated completion date shall be documented in the POA\u0026amp;M in the Changes to Milestones and Comment fields in CFACTS. 
If weaknesses are not remediated within the scheduled completion date, the status shall change to “Delayed”.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWeaknesses discovered during a government audit\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWeaknesses identified during a government audit (i.e., Inspector General or GAO audit) shall be documented in the POA\u0026amp;M after the audit draft report is produced, regardless of CMS acceptance of the identified weakness(es). Disagreements on findings that cannot be resolved between CMS and the auditing office shall be elevated to the Department for resolution. Systems must review and update POA\u0026amp;Ms at least quarterly. In addition, compensating controls must be in place and documented until weaknesses are remediated or mitigated to an acceptable level of risk.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eCFACTS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eStakeholders must use\u0026nbsp;\u003ca href=\"https://cfacts.cms.gov/\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eCFACTS\u003c/a\u003e, the CMS GRC tool, to identify, track, and manage all system weaknesses and associated POA\u0026amp;Ms to closure for CMS information systems. Users who need access to CFACTS may request an account and appropriate privileges through the Enterprise User Administration (EUA). The job code is \u003cstrong\u003eCFACTS_User_P\u003c/strong\u003e. Once the job code is assigned, the user must email the CISO mailbox at \u003ca href=\"mailto:ciso@cms.hhs.gov\"\u003eciso@cms.hhs.gov\u003c/a\u003e to notify the CISO of the user's role (ISSO, System Developer, or System/Business Owner).\u003c/p\u003e\u003cp\u003eThe \u003cstrong\u003eCFACTS User Manual\u003c/strong\u003e provides detailed instructions for processing POA\u0026amp;M actions in the CFACTS tracking system. 
The User Manual can be accessed under the \u003cstrong\u003eCFACTS Documents\u003c/strong\u003e section on the \u003cstrong\u003eCFACTS Artifacts\u003c/strong\u003e page which can be accessed by clicking on the CFACTS Artifacts icon on the welcome page.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePOA\u0026amp;M Glossary\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe following glossary will help system teams understand the language of the POA\u0026amp;M process.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTerm\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDefinition\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAnnual Assessment\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe process of validating the effective implementation of security and privacy controls in the information system and its environment of operation within every three hundred sixty-five (365) days in accordance with the CMS Information Security (IS) Acceptable Risk Safeguards (ARS) Including CMS Minimum Security Requirements (CMSR) Standard, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAudit\u003c/td\u003e\u003ctd\u003eAn independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCapital Planning and Investment Control\u003c/td\u003e\u003ctd\u003eA decision-making process for ensuring that investments integrate strategic planning, budgeting, procurement, and the management of or in support of Agency missions and business needs. 
[OMB Circular No. A-11]. The term comes from the Clinger-Cohen Act of 1996; while originally focused on IT, it now applies also to non-IT investments.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCommon Control\u003c/td\u003e\u003ctd\u003eA security or privacy control that is inherited by one or more organizational information systems. See Security Control Inheritance.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompleted\u003c/td\u003e\u003ctd\u003eA status assigned when all corrective actions have been completed or closed for a weakness and the weakness has been verified as successfully mitigated. Documentation is required to demonstrate the weakness has been adequately resolved. When assigning the status of Completed, the date of completion must also be included.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompletion date\u003c/td\u003e\u003ctd\u003eThe action date when all weaknesses have been fully resolved and the corrective action plan has been tested.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl activities\u003c/td\u003e\u003ctd\u003eThe policies and procedures that help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities, whether automated or manual, help achieve control objectives and are applied at various organizational and functional levels.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl deficiency\u003c/td\u003e\u003ctd\u003eA deficiency that exists when the design or operation of a control does not allow management or employees to, in the normal course of performing their assigned functions, prevent or detect breaches of confidentiality, integrity, or availability on a timely basis. 
(See also design deficiency or operations deficiency)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCorrective Action Plan (CAP)\u003c/td\u003e\u003ctd\u003eThe plan management formulates to document the procedures and milestones identified to correct control deficiencies.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCriteria\u003c/td\u003e\u003ctd\u003e\u003cp\u003eA context for evaluating evidence and understanding the findings, conclusions, and recommendations included in the report. Criteria represent the laws, regulations, contracts, grant agreements, standards, specific requirements, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated.\u003c/p\u003e\u003cp\u003eCriteria identify the required or desired state or expectation with respect to the program or operation.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDelayed\u003c/td\u003e\u003ctd\u003eA status assigned when a weakness continues to be mitigated after the original scheduled completion date has passed. When assigning the status of Delayed, an explanation must be provided in the milestone as to why the delay is occurring, as well as the revised completion date.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDesign deficiency\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA deficiency that exists when a control necessary to meet the control objective is missing or an existing control is not properly designed, so that even if the control operates as designed the control objective is not always met.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDraft\u003c/td\u003e\u003ctd\u003eA status that indicates that a weakness requires review and approval prior to “official” entry in the POA\u0026amp;M. 
Types of review that may take place while a weakness is in draft status would be: reviewing to determine if the weakness already exists and would be a duplicate; reviewing to determine if the organization will accept the risk, or apply for a waiver; etc.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEvidence\u003c/td\u003e\u003ctd\u003eAny information used by the auditor, tester, or evaluator, to determine whether the information being audited, evaluated, or assessed is stated in accordance with the established criteria.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFISMA Audit\u003c/td\u003e\u003ctd\u003eA FISMA assessment designed to determine areas of compliance and areas requiring remediation to become FISMA compliant.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFederal Information Security Modernization Act (FISMA)\u003c/td\u003e\u003ctd\u003eRequires agencies to integrate information technology (IT) security into their capital planning and enterprise architecture processes at the agency, conduct annual IT security reviews of all programs and systems, and report the results of those reviews to the OMB. 
[NIST SP 800-65]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFindings\u003c/td\u003e\u003ctd\u003eConclusions based on an evaluation of sufficient, appropriate evidence against criteria.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInformation Security Risk\u003c/td\u003e\u003ctd\u003eThe risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePrimary Information System Security Officer (ISSO)\u003c/td\u003e\u003ctd\u003eIndividual with assigned responsibility for maintaining the appropriate operational security and privacy posture for an information system or program.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInitial audit findings\u003c/td\u003e\u003ctd\u003eAny type of audit conducted on a financial system or a non-financial system.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInternal control\u003c/td\u003e\u003ctd\u003eAn integral component of an organization's management systems that provides reasonable assurance that the following objectives are being achieved: effectiveness and efficiency of operations, reliability of financial reporting, or compliance with applicable laws and regulations.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eManagement controls\u003c/td\u003e\u003ctd\u003eThe security or privacy controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security and privacy.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMaterial weakness\u003c/td\u003e\u003ctd\u003eMaterial weaknesses include reportable conditions that the Secretary or Component Head determines to be significant 
enough to report outside of the Department. Material weakness in internal control over financial reporting is a reportable condition, or combination of reportable conditions, that results in more than a remote likelihood that a material misstatement of the financial statements, or other significant financial reports, will not be prevented or detected.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMetrics\u0026nbsp;\u003c/td\u003e\u003ctd\u003eTools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNon-conformance\u0026nbsp;\u003c/td\u003e\u003ctd\u003eInstances in which financial management systems do not substantially conform to financial systems requirements. Financial management systems include both financial and financially-related (or mixed) systems.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOngoing\u003c/td\u003e\u003ctd\u003eA status assigned when a weakness is in the process of being mitigated and has not yet exceeded the original scheduled completion date.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOperational controls\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe security or privacy controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems).\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOperations deficiency\u003c/td\u003e\u003ctd\u003eA deficiency that exists when a properly designed control does not operate as designed or when the person performing the control is not qualified or properly skilled to perform the control effectively.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePending verification\u003c/td\u003e\u003ctd\u003eA status that indicates that all milestones/corrective actions have been completed but require review and sign-off 
to ensure effective resolution.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/td\u003e\u003ctd\u003eA FISMA mandated corrective action plan to identify and resolve information security and privacy weaknesses. A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePotential impact\u003c/td\u003e\u003ctd\u003eThe loss of confidentiality, integrity, or availability could be expected to have: (i) a limited adverse effect (FIPS 199 low); (ii) a serious adverse effect (FIPS 199 moderate); or (iii) a severe or catastrophic adverse effect (FIPS 199 high) on organizational operations, organizational assets, or individuals.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eProgram\u003c/td\u003e\u003ctd\u003eAn organized set of activities directed toward a goal or particular set of goals or objectives for which the program is accountable; a distinct set of activities and strategies organized toward achieving a specific purpose. A program is a representation of what is delivered to the public. 
Programs usually operate for indefinite or continuous periods, but may consist of several projects or initiatives.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eReportable condition\u0026nbsp;\u003c/td\u003e\u003ctd\u003eReportable conditions overall include a control deficiency, or combination of control deficiencies, that in management's judgment, must be communicated because they represent significant weaknesses in the design or operation of an internal control that could adversely affect the organization's ability to meet its internal control objectives.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eResilience\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe ability to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs. [NIST SP 800-39, Adapted]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security and privacy risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk accepted\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA status assigned when the weakness risk has been accepted. 
When assigning this status, an acceptance of the risk must be certified by the appropriate Authorizing Official and documented accordingly. The weakness and corresponding risk must be monitored periodically to ensure the associated risk remains at an acceptable level.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSafeguards\u0026nbsp;\u003c/td\u003e\u003ctd\u003eProtective measures prescribed to meet the security and privacy requirements specified for an information system. Safeguards may include security and privacy features, management constraints, personnel security, and security of physical structures, areas, and devices; synonymous with security and privacy controls and countermeasures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eScheduled or estimated completion date\u003c/td\u003e\u003ctd\u003eA realistic estimate of the amount of time it will take to complete all associated milestones for a POA\u0026amp;M.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity Control Assessment (SCA)\u003c/td\u003e\u003ctd\u003eThe testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. [NIST SP 800-37]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity Control Inheritance\u003c/td\u003e\u003ctd\u003eA situation in which an information system or application receives protection from security and privacy controls (or portions of security and privacy controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. 
See Common Control.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSignificant deficiency\u003c/td\u003e\u003ctd\u003eA weakness in an agency's overall information systems security and privacy program or management control structure, or within one or more information systems, that significantly restricts the capability of the agency to carry out its mission or compromises the security or privacy of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTechnical controls\u003c/td\u003e\u003ctd\u003eSecurity controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. [FIPS 200]\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eThreat\u003c/td\u003e\u003ctd\u003eAny potential danger to information or systems. A potential threat event, if realized, would cause an undesirable impact. The undesirable impact can come in many forms, but often results in a financial loss. A threat agent could be an intruder accessing the network through a port on the firewall, a process of accessing data in a way that violates the security or privacy policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information or destroy a file's integrity.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eVulnerability\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe absence or weakness of a safeguard that could be exploited; the absence or weakness of cumulative controls protecting a particular asset. 
Vulnerability is a software, hardware, or procedure weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eWaiver\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA status provided when the weakness risk has been accepted and justification has been appropriately documented. Justification of non-compliance must follow the agency's waiver policy and be documented accordingly.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eWeakness\u003c/td\u003e\u003ctd\u003eThe absence of adequate controls.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"230:{\"value\":\"$231\",\"format\":\"body_text\",\"processed\":\"$232\",\"summary\":\"\"}\n235:[]\n234:{\"uri\":\"entity:node/561\",\"title\":\"CMS System Audits \",\"options\":\"$235\",\"url\":\"/learn/system-audits\"}\n237:[]\n236:{\"uri\":\"https://intranet.hhs.gov/document/standard-plans-action-and-milestones-poam-management-and-reporting\",\"title\":\"HHS Plan of Action and Milestones (POA\u0026M) guidance \",\"options\":\"$237\",\"url\":\"https://intranet.hhs.gov/document/standard-plans-action-and-milestones-poam-management-and-reporting\"}\n239:[]\n238:{\"uri\":\"entity:node/201\",\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"options\":\"$239\",\"url\":\"/learn/cybersecurity-risk-assessment-program-csrap\"}\n233:[\"$234\",\"$236\",\"$238\"]\n23a:{\"value\":\"A complete guide to creating, managing, and closing your systems POA\u0026M\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA complete guide to creating, managing, and closing your systems 
POA\u0026amp;M\u003c/p\u003e\\n\"}\n22e:{\"drupal_internal__nid\":401,\"drupal_internal__vid\":5866,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-13T19:41:02+00:00\",\"status\":true,\"title\":\"CMS Plan of Action and Milestones (POA\u0026M) Handbook\",\"created\":\"2022-08-29T16:59:47+00:00\",\"changed\":\"2024-08-05T15:55:04+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$22f\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$230\",\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2023-04-05\",\"field_related_resources\":\"$233\",\"field_short_description\":\"$23a\"}\n23e:{\"drupal_internal__target_id\":\"library\"}\n23d:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":\"$23e\"}\n240:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/node_type?resourceVersion=id%3A5866\"}\n241:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/relationships/node_ty"])</script><script>self.__next_f.push([1,"pe?resourceVersion=id%3A5866\"}\n23f:{\"related\":\"$240\",\"self\":\"$241\"}\n23c:{\"data\":\"$23d\",\"links\":\"$23f\"}\n244:{\"drupal_internal__target_id\":110}\n243:{\"type\":\"user--user\",\"id\":\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\",\"meta\":\"$244\"}\n246:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/revision_uid?resourceVersion=id%3A5866\"}\n247:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/relationships/revision_uid?resourceVersion=id%3A5866\"}\n245:{\"related\":\"$246\",\"self\":\"$247\"}\n242:{\"data\":\"$243\",\"links\":\"$245\"}\n24a:{\"drupal_intern
al__target_id\":26}\n249:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$24a\"}\n24c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/uid?resourceVersion=id%3A5866\"}\n24d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/relationships/uid?resourceVersion=id%3A5866\"}\n24b:{\"related\":\"$24c\",\"self\":\"$24d\"}\n248:{\"data\":\"$249\",\"links\":\"$24b\"}\n250:{\"drupal_internal__target_id\":91}\n24f:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":\"$250\"}\n252:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/field_resource_type?resourceVersion=id%3A5866\"}\n253:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/relationships/field_resource_type?resourceVersion=id%3A5866\"}\n251:{\"related\":\"$252\",\"self\":\"$253\"}\n24e:{\"data\":\"$24f\",\"links\":\"$251\"}\n257:{\"drupal_internal__target_id\":66}\n256:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$257\"}\n259:{\"drupal_internal__target_id\":61}\n258:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$259\"}\n25b:{\"drupal_internal__target_id\":76}\n25a:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$25b\"}\n255:[\"$256\",\"$258\",\"$25a\"]\n25d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/lib"])</script><script>self.__next_f.push([1,"rary/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/field_roles?resourceVersion=id%3A5866\"}\n25e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/relationships/field_roles?resourceVersion=id%3A5866\"}\n25c:{\"related\":\"$25d\",\"self\":\"$25e\"}\n254:{\"data\":\"$255\",\"links\":\"$25c\"}\n262:{\"drupal_internal__target_id\":16}\n
261:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$262\"}\n264:{\"drupal_internal__target_id\":11}\n263:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$264\"}\n260:[\"$261\",\"$263\"]\n266:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/field_topics?resourceVersion=id%3A5866\"}\n267:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/relationships/field_topics?resourceVersion=id%3A5866\"}\n265:{\"related\":\"$266\",\"self\":\"$267\"}\n25f:{\"data\":\"$260\",\"links\":\"$265\"}\n23b:{\"node_type\":\"$23c\",\"revision_uid\":\"$242\",\"uid\":\"$248\",\"field_resource_type\":\"$24e\",\"field_roles\":\"$254\",\"field_topics\":\"$25f\"}\n22b:{\"type\":\"node--library\",\"id\":\"cba2b00b-3f53-42bd-8a60-f175e1d47a0a\",\"links\":\"$22c\",\"attributes\":\"$22e\",\"relationships\":\"$23b\"}\n26a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e?resourceVersion=id%3A5728\"}\n269:{\"self\":\"$26a\"}\n26c:{\"alias\":\"/learn/system-audits\",\"pid\":551,\"langcode\":\"en\"}\n26d:{\"value\":\"Independent review and examination of records and activities to assess the adequacy of system controls for compliance with established policies and procedures\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eIndependent review and examination of records and activities to assess the adequacy of system controls for compliance with established policies and procedures\u003c/p\u003e\\n\"}\n26e:[]\n26b:{\"drupal_internal__nid\":561,\"drupal_internal__vid\":5728,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-30T19:08:31+00:00\",\"status\":true,\"title\":\"System 
Audits\",\"created\":\"2022-08-29T18:26:03+00:00\",\"changed\":\"2024-07-30T19:08:31+00:0"])</script><script>self.__next_f.push([1,"0\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$26c\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ISPG_Audit_Mailbox@cms.hhs.gov\",\"field_contact_name\":\"Audit Team\",\"field_short_description\":\"$26d\",\"field_slack_channel\":\"$26e\"}\n272:{\"drupal_internal__target_id\":\"explainer\"}\n271:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$272\"}\n274:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/node_type?resourceVersion=id%3A5728\"}\n275:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/node_type?resourceVersion=id%3A5728\"}\n273:{\"related\":\"$274\",\"self\":\"$275\"}\n270:{\"data\":\"$271\",\"links\":\"$273\"}\n278:{\"drupal_internal__target_id\":159}\n277:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":\"$278\"}\n27a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/revision_uid?resourceVersion=id%3A5728\"}\n27b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/revision_uid?resourceVersion=id%3A5728\"}\n279:{\"related\":\"$27a\",\"self\":\"$27b\"}\n276:{\"data\":\"$277\",\"links\":\"$279\"}\n27e:{\"drupal_internal__target_id\":26}\n27d:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$27e\"}\n280:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/uid?resourceVersion=id%3A5728\"}\n281:{\"href\":\"https://c
ybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/uid?resourceVersion=id%3A5728\"}\n27f:{\"related\":\"$280\",\"self\":\"$281\"}\n27c:{\"data\":\"$27d\",\"links\":\"$27f\"}\n285:{\"target_revision_id\":18880,\"drupal_internal__target_id\":1456}\n284:{\"type\":\"paragraph--page_section\",\"id\":\"d59fe171-bb87-4443-8a61-0d130460fe1b"])</script><script>self.__next_f.push([1,"\",\"meta\":\"$285\"}\n287:{\"target_revision_id\":18892,\"drupal_internal__target_id\":1521}\n286:{\"type\":\"paragraph--page_section\",\"id\":\"8df52f42-8b8c-4c66-84f8-2f3b992e3528\",\"meta\":\"$287\"}\n283:[\"$284\",\"$286\"]\n289:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/field_page_section?resourceVersion=id%3A5728\"}\n28a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/field_page_section?resourceVersion=id%3A5728\"}\n288:{\"related\":\"$289\",\"self\":\"$28a\"}\n282:{\"data\":\"$283\",\"links\":\"$288\"}\n28e:{\"target_revision_id\":18893,\"drupal_internal__target_id\":1581}\n28d:{\"type\":\"paragraph--internal_link\",\"id\":\"a6c6dc63-c5e6-4410-8e41-9587f0186bfb\",\"meta\":\"$28e\"}\n290:{\"target_revision_id\":18894,\"drupal_internal__target_id\":1586}\n28f:{\"type\":\"paragraph--internal_link\",\"id\":\"3cf83065-e50e-4fdd-b921-d6bab90e7c44\",\"meta\":\"$290\"}\n292:{\"target_revision_id\":18895,\"drupal_internal__target_id\":1591}\n291:{\"type\":\"paragraph--internal_link\",\"id\":\"1b1a083f-34aa-45a2-ba9b-11e27135247a\",\"meta\":\"$292\"}\n294:{\"target_revision_id\":18896,\"drupal_internal__target_id\":1596}\n293:{\"type\":\"paragraph--internal_link\",\"id\":\"33bfd7be-39d8-4437-acc0-3c5c4f7772a2\",\"meta\":\"$294\"}\n296:{\"target_revision_id\":18897,\"drupal_internal__target_id\":1601}\n295:{\"type\":\"paragraph--internal_link\",\"id\":\"9f002c89-9bf5-49a8-9ec1-f49d5bf308a1\",\"meta\":\"$296\"}\n298:{\"target_revision_id\":1889
8,\"drupal_internal__target_id\":1606}\n297:{\"type\":\"paragraph--internal_link\",\"id\":\"01c7f6b4-a293-4219-8212-0f4438e6ba0d\",\"meta\":\"$298\"}\n28c:[\"$28d\",\"$28f\",\"$291\",\"$293\",\"$295\",\"$297\"]\n29a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/field_related_collection?resourceVersion=id%3A5728\"}\n29b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/field_related_collection?resourceVersion=id%3A5728\"}\n299:{\"related\":\"$29a\",\"self\":\"$29b\"}\n28b:{\"data\":\"$28c\",\"links\":\"$299\"}\n29e:{\"drupal_internal__target_id\":131}\n29"])</script><script>self.__next_f.push([1,"d:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$29e\"}\n2a0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/field_resource_type?resourceVersion=id%3A5728\"}\n2a1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/field_resource_type?resourceVersion=id%3A5728\"}\n29f:{\"related\":\"$2a0\",\"self\":\"$2a1\"}\n29c:{\"data\":\"$29d\",\"links\":\"$29f\"}\n2a5:{\"drupal_internal__target_id\":66}\n2a4:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$2a5\"}\n2a7:{\"drupal_internal__target_id\":61}\n2a6:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$2a7\"}\n2a9:{\"drupal_internal__target_id\":76}\n2a8:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$2a9\"}\n2a3:[\"$2a4\",\"$2a6\",\"$2a8\"]\n2ab:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/field_roles?resourceVersion=id%3A5728\"}\n2ac:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/field_roles?resourceVers
ion=id%3A5728\"}\n2aa:{\"related\":\"$2ab\",\"self\":\"$2ac\"}\n2a2:{\"data\":\"$2a3\",\"links\":\"$2aa\"}\n2b0:{\"drupal_internal__target_id\":6}\n2af:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":\"$2b0\"}\n2ae:[\"$2af\"]\n2b2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/field_topics?resourceVersion=id%3A5728\"}\n2b3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/field_topics?resourceVersion=id%3A5728\"}\n2b1:{\"related\":\"$2b2\",\"self\":\"$2b3\"}\n2ad:{\"data\":\"$2ae\",\"links\":\"$2b1\"}\n26f:{\"node_type\":\"$270\",\"revision_uid\":\"$276\",\"uid\":\"$27c\",\"field_page_section\":\"$282\",\"field_related_collection\":\"$28b\",\"field_resource_type\":\"$29c\",\"field_roles\":\"$2a2\",\"field_topics\":\"$2ad\"}\n268:{\"type\":\"node--explainer\",\"id\":\"44c21f2c-38ee-44b9-87b6-1e981b2d3d5e\",\"l"])</script><script>self.__next_f.push([1,"inks\":\"$269\",\"attributes\":\"$26b\",\"relationships\":\"$26f\"}\n2b6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb?resourceVersion=id%3A5517\"}\n2b5:{\"self\":\"$2b6\"}\n2b8:{\"alias\":\"/learn/security-controls-assessment-sca\",\"pid\":521,\"langcode\":\"en\"}\n2b9:{\"value\":\"A compliance-based assessment to determine if a system's security and privacy controls are implemented correctly\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA compliance-based assessment to determine if a system\u0026#039;s security and privacy controls are implemented correctly\u003c/p\u003e\\n\"}\n2ba:[]\n2b7:{\"drupal_internal__nid\":531,\"drupal_internal__vid\":5517,\"langcode\":\"en\",\"revision_timestamp\":\"2024-05-31T21:17:47+00:00\",\"status\":true,\"title\":\"Security Controls Assessment 
(SCA)\",\"created\":\"2022-08-29T18:14:00+00:00\",\"changed\":\"2024-05-31T18:37:46+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$2b8\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CSRAP@cms.hhs.gov\",\"field_contact_name\":\"CSRAP Team \",\"field_short_description\":\"$2b9\",\"field_slack_channel\":\"$2ba\"}\n2be:{\"drupal_internal__target_id\":\"explainer\"}\n2bd:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$2be\"}\n2c0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/node_type?resourceVersion=id%3A5517\"}\n2c1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/node_type?resourceVersion=id%3A5517\"}\n2bf:{\"related\":\"$2c0\",\"self\":\"$2c1\"}\n2bc:{\"data\":\"$2bd\",\"links\":\"$2bf\"}\n2c4:{\"drupal_internal__target_id\":110}\n2c3:{\"type\":\"user--user\",\"id\":\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\",\"meta\":\"$2c4\"}\n2c6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/revision_uid?resourceVersion=id%3A5517\"}\n2c7:{\"href\":\""])</script><script>self.__next_f.push([1,"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/revision_uid?resourceVersion=id%3A5517\"}\n2c5:{\"related\":\"$2c6\",\"self\":\"$2c7\"}\n2c2:{\"data\":\"$2c3\",\"links\":\"$2c5\"}\n2ca:{\"drupal_internal__target_id\":26}\n2c9:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$2ca\"}\n2cc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/uid?resourceVersion=id%3A5517\"}\n2cd:{\"href\":\"https://cybergeek.cms.
gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/uid?resourceVersion=id%3A5517\"}\n2cb:{\"related\":\"$2cc\",\"self\":\"$2cd\"}\n2c8:{\"data\":\"$2c9\",\"links\":\"$2cb\"}\n2d1:{\"target_revision_id\":17841,\"drupal_internal__target_id\":521}\n2d0:{\"type\":\"paragraph--page_section\",\"id\":\"ecf4b25c-5e6a-4691-b899-7407e91f65df\",\"meta\":\"$2d1\"}\n2cf:[\"$2d0\"]\n2d3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/field_page_section?resourceVersion=id%3A5517\"}\n2d4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/field_page_section?resourceVersion=id%3A5517\"}\n2d2:{\"related\":\"$2d3\",\"self\":\"$2d4\"}\n2ce:{\"data\":\"$2cf\",\"links\":\"$2d2\"}\n2d8:{\"target_revision_id\":17842,\"drupal_internal__target_id\":1701}\n2d7:{\"type\":\"paragraph--internal_link\",\"id\":\"5bdf65fb-004d-44b9-8688-87401650cd53\",\"meta\":\"$2d8\"}\n2da:{\"target_revision_id\":17843,\"drupal_internal__target_id\":1706}\n2d9:{\"type\":\"paragraph--internal_link\",\"id\":\"a51e8dab-efa9-45a5-99ad-9822fb8b254e\",\"meta\":\"$2da\"}\n2dc:{\"target_revision_id\":17844,\"drupal_internal__target_id\":1711}\n2db:{\"type\":\"paragraph--internal_link\",\"id\":\"a4c8f341-7527-4b20-ac9d-6ecb3f940fac\",\"meta\":\"$2dc\"}\n2de:{\"target_revision_id\":17845,\"drupal_internal__target_id\":2566}\n2dd:{\"type\":\"paragraph--internal_link\",\"id\":\"69ab6154-a289-4b09-9c3b-90702a6d5573\",\"meta\":\"$2de\"}\n2d6:[\"$2d7\",\"$2d9\",\"$2db\",\"$2dd\"]\n2e0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/field_related_coll"])</script><script>self.__next_f.push([1,"ection?resourceVersion=id%3A5517\"}\n2e1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/field_related_collection?resourceVersion=id%3A5517\"}\n2df:{\"related\":\"$2e0\",\"self\":\"$2e1\"}\n2d5
:{\"data\":\"$2d6\",\"links\":\"$2df\"}\n2e4:{\"drupal_internal__target_id\":131}\n2e3:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$2e4\"}\n2e6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/field_resource_type?resourceVersion=id%3A5517\"}\n2e7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/field_resource_type?resourceVersion=id%3A5517\"}\n2e5:{\"related\":\"$2e6\",\"self\":\"$2e7\"}\n2e2:{\"data\":\"$2e3\",\"links\":\"$2e5\"}\n2eb:{\"drupal_internal__target_id\":66}\n2ea:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$2eb\"}\n2ed:{\"drupal_internal__target_id\":61}\n2ec:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$2ed\"}\n2ef:{\"drupal_internal__target_id\":76}\n2ee:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$2ef\"}\n2f1:{\"drupal_internal__target_id\":71}\n2f0:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$2f1\"}\n2e9:[\"$2ea\",\"$2ec\",\"$2ee\",\"$2f0\"]\n2f3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/field_roles?resourceVersion=id%3A5517\"}\n2f4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/field_roles?resourceVersion=id%3A5517\"}\n2f2:{\"related\":\"$2f3\",\"self\":\"$2f4\"}\n2e8:{\"data\":\"$2e9\",\"links\":\"$2f2\"}\n2f8:{\"drupal_internal__target_id\":6}\n2f7:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":\"$2f8\"}\n2fa:{\"drupal_internal__target_id\":11}\n2f9:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$2fa\"}\n2f6:[\"$2f7\",\"$2f9\"]\n2fc:{\"href\":\"https://cybergeek.cms.gov/jso
n"])</script><script>self.__next_f.push([1,"api/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/field_topics?resourceVersion=id%3A5517\"}\n2fd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/field_topics?resourceVersion=id%3A5517\"}\n2fb:{\"related\":\"$2fc\",\"self\":\"$2fd\"}\n2f5:{\"data\":\"$2f6\",\"links\":\"$2fb\"}\n2bb:{\"node_type\":\"$2bc\",\"revision_uid\":\"$2c2\",\"uid\":\"$2c8\",\"field_page_section\":\"$2ce\",\"field_related_collection\":\"$2d5\",\"field_resource_type\":\"$2e2\",\"field_roles\":\"$2e8\",\"field_topics\":\"$2f5\"}\n2b4:{\"type\":\"node--explainer\",\"id\":\"27d871c0-b8f6-465e-b90f-c360ddcef8bb\",\"links\":\"$2b5\",\"attributes\":\"$2b7\",\"relationships\":\"$2bb\"}\n300:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08?resourceVersion=id%3A5525\"}\n2ff:{\"self\":\"$300\"}\n302:{\"alias\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"pid\":666,\"langcode\":\"en\"}\n303:{\"value\":\"Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eAutomated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\u003c/p\u003e\\n\"}\n304:[\"#cyber-risk-management\"]\n301:{\"drupal_internal__nid\":676,\"drupal_internal__vid\":5525,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-04T17:13:19+00:00\",\"status\":true,\"title\":\"Continuous Diagnostics and Mitigation 
(CDM)\",\"created\":\"2023-02-04T14:55:07+00:00\",\"changed\":\"2024-06-04T17:13:19+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$302\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CDMPMO@cms.hhs.gov\",\"field_contact_name\":\"CDM team\",\"field_short_description\":\"$303\",\"field_slack_channel\":\"$304\"}\n308:{\"drupal_internal__target_id\":\"explainer\"}\n307:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$308\"}\n30a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/n"])</script><script>self.__next_f.push([1,"ode/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/node_type?resourceVersion=id%3A5525\"}\n30b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/node_type?resourceVersion=id%3A5525\"}\n309:{\"related\":\"$30a\",\"self\":\"$30b\"}\n306:{\"data\":\"$307\",\"links\":\"$309\"}\n30e:{\"drupal_internal__target_id\":107}\n30d:{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":\"$30e\"}\n310:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/revision_uid?resourceVersion=id%3A5525\"}\n311:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/revision_uid?resourceVersion=id%3A5525\"}\n30f:{\"related\":\"$310\",\"self\":\"$311\"}\n30c:{\"data\":\"$30d\",\"links\":\"$30f\"}\n314:{\"drupal_internal__target_id\":6}\n313:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$314\"}\n316:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/uid?resourceVersion=id%3A5525\"}\n317:{\"href\":\"https://cybergeek.cms.gov
/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/uid?resourceVersion=id%3A5525\"}\n315:{\"related\":\"$316\",\"self\":\"$317\"}\n312:{\"data\":\"$313\",\"links\":\"$315\"}\n31b:{\"target_revision_id\":17929,\"drupal_internal__target_id\":546}\n31a:{\"type\":\"paragraph--page_section\",\"id\":\"8b7bda2b-e3dc-4760-9901-27255f14ff41\",\"meta\":\"$31b\"}\n31d:{\"target_revision_id\":17930,\"drupal_internal__target_id\":551}\n31c:{\"type\":\"paragraph--page_section\",\"id\":\"8e76f588-fd94-4439-b7e3-73c8b83e3500\",\"meta\":\"$31d\"}\n319:[\"$31a\",\"$31c\"]\n31f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_page_section?resourceVersion=id%3A5525\"}\n320:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_page_section?resourceVersion=id%3A5525\"}\n31e:{\"related\":\"$31f\",\"self\":\"$320\"}\n318:{\"data\":\"$319\",\"links\":\"$31e\"}\n324:{\"target_revision_id\":17931,\"drupal_internal__targ"])</script><script>self.__next_f.push([1,"et_id\":1891}\n323:{\"type\":\"paragraph--internal_link\",\"id\":\"bc285af3-dba7-4a12-8881-a8fed446dded\",\"meta\":\"$324\"}\n326:{\"target_revision_id\":17932,\"drupal_internal__target_id\":1896}\n325:{\"type\":\"paragraph--internal_link\",\"id\":\"1bc4b03f-652f-4fbf-8024-43e830b4b0a3\",\"meta\":\"$326\"}\n328:{\"target_revision_id\":17933,\"drupal_internal__target_id\":1906}\n327:{\"type\":\"paragraph--internal_link\",\"id\":\"05f865ef-4960-439b-9fca-9e7d70dfbe39\",\"meta\":\"$328\"}\n322:[\"$323\",\"$325\",\"$327\"]\n32a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_related_collection?resourceVersion=id%3A5525\"}\n32b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_related_collection?resourceVersion=id%3A5525\"}\n329:{\"related\":\"$32a\",\"self\":\"$32b\"}\n321:{\"d
ata\":\"$322\",\"links\":\"$329\"}\n32e:{\"drupal_internal__target_id\":121}\n32d:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$32e\"}\n330:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_resource_type?resourceVersion=id%3A5525\"}\n331:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_resource_type?resourceVersion=id%3A5525\"}\n32f:{\"related\":\"$330\",\"self\":\"$331\"}\n32c:{\"data\":\"$32d\",\"links\":\"$32f\"}\n335:{\"drupal_internal__target_id\":61}\n334:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$335\"}\n337:{\"drupal_internal__target_id\":76}\n336:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$337\"}\n333:[\"$334\",\"$336\"]\n339:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_roles?resourceVersion=id%3A5525\"}\n33a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_roles?resourceVersion=id%3A5525\"}\n338:{\"related\":\"$339\",\"self\":\"$33a\"}\n332:{\"data\":\"$333\",\"links\":\"$338\"}\n33e:{\"drupal_internal"])</script><script>self.__next_f.push([1,"__target_id\":36}\n33d:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$33e\"}\n340:{\"drupal_internal__target_id\":11}\n33f:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$340\"}\n33c:[\"$33d\",\"$33f\"]\n342:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_topics?resourceVersion=id%3A5525\"}\n343:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_topics?resourceVersion=id%3A5525\"}\n341:{\"related\"
:\"$342\",\"self\":\"$343\"}\n33b:{\"data\":\"$33c\",\"links\":\"$341\"}\n305:{\"node_type\":\"$306\",\"revision_uid\":\"$30c\",\"uid\":\"$312\",\"field_page_section\":\"$318\",\"field_related_collection\":\"$321\",\"field_resource_type\":\"$32c\",\"field_roles\":\"$332\",\"field_topics\":\"$33b\"}\n2fe:{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"links\":\"$2ff\",\"attributes\":\"$301\",\"relationships\":\"$305\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"6586d174-482d-43d2-9d86-2f0a42dc8a81\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81?resourceVersion=id%3A5754\"}},\"attributes\":{\"drupal_internal__nid\":396,\"drupal_internal__vid\":5754,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T15:53:09+00:00\",\"status\":true,\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"created\":\"2022-08-29T16:56:42+00:00\",\"changed\":\"2024-08-05T15:53:09+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/plan-action-and-milestones-poam\",\"pid\":386,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"A corrective action plan roadmap to address system weaknesses and the resources required to fix them\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA corrective action plan roadmap to address system weaknesses and the resources required to fix 
them\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cra-help\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/node_type?resourceVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/node_type?resourceVersion=id%3A5754\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/revision_uid?resourceVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/revision_uid?resourceVersion=id%3A5754\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/uid?resourceVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/uid?resourceVersion=id%3A5754\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"7a011f0b-d154-4824-a3d9-ab6d2d897205\",\"meta\":{\"target_revision_id\":19037,\"drupal_internal__target_id\":506}},{\"type\":\"paragraph--page_section\",\"id\":\"ee1fabb0-058d-4b71-a7db-8a9ce8319795\",\"meta\":{\"target_revision_id\":19038,\"drupal_internal__target_id\":3385}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/field_page_section?resourc
eVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/field_page_section?resourceVersion=id%3A5754\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"df30d570-d5dc-431f-bec8-3054b29243cb\",\"meta\":{\"target_revision_id\":19039,\"drupal_internal__target_id\":2041}},{\"type\":\"paragraph--internal_link\",\"id\":\"4bccf275-df68-449d-8a48-3ba2274c322a\",\"meta\":{\"target_revision_id\":19040,\"drupal_internal__target_id\":2046}},{\"type\":\"paragraph--internal_link\",\"id\":\"443bfeb0-96a1-4b88-bd6d-d93d1d744e64\",\"meta\":{\"target_revision_id\":19041,\"drupal_internal__target_id\":2051}},{\"type\":\"paragraph--internal_link\",\"id\":\"71549f27-6a6b-4a16-9304-6208d994604a\",\"meta\":{\"target_revision_id\":19042,\"drupal_internal__target_id\":2056}},{\"type\":\"paragraph--internal_link\",\"id\":\"ab8baea5-3667-47bd-b2c5-a8b59a3847ac\",\"meta\":{\"target_revision_id\":19043,\"drupal_internal__target_id\":2061}},{\"type\":\"paragraph--internal_link\",\"id\":\"6b40f485-c76e-44f6-8489-9bbf991c1f6c\",\"meta\":{\"target_revision_id\":19044,\"drupal_internal__target_id\":2551}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/field_related_collection?resourceVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/field_related_collection?resourceVersion=id%3A5754\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/field_resource_type?resourceVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2
-9d86-2f0a42dc8a81/relationships/field_resource_type?resourceVersion=id%3A5754\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/field_roles?resourceVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/field_roles?resourceVersion=id%3A5754\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/field_topics?resourceVersion=id%3A5754\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/6586d174-482d-43d2-9d86-2f0a42dc8a81/relationships/field_topics?resourceVersion=id%3A5754\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{
\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}},\"attributes\":{\"display_name\":\"jcallan - retired\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}},\"attributes\":{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General 
Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"ht
tps://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersio
n=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/mo
dules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674?resourceVersion=id%3A6\"}},\"attributes\":{\"drupal_internal__tid\":6,\"drupal_internal__revision_id\":6,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:04:59+00:00\",\"status\":true,\"name\":\"Assessments \u0026 Audits\",\"description\":null,\"weight\":1,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/vid?resourceVersion=id%3A6\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/vid?resourceVersion=id%3A6\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/revision_user?resourceVersion=id%3A6\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/revision_user?resourceVersion=id%3A6\"}}},\"parent\":{\"data\":[{\"type\":
\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/parent?resourceVersion=id%3A6\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/parent?resourceVersion=id%3A6\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}},\"attributes\":{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 
Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"7a011f0b-d154-4824-a3d9-ab6d2d897205\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7a011f0b-d154-4824-a3d9-ab6d2d897205?resourceVersion=id%3A19037\"}},\"attributes\":{\"drupal_internal__id\":506,\"drupal_internal__revision_id\":19037,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-02T16:47:02+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"\u003ch2\u003e\u003cstrong\u003eWhat is a POA\u0026amp;M?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhen regular audits are conducted to assess the security posture of CMS information systems (and when new systems are being developed) there will inevitably be times that improvements or adjustments are needed. This isnt a negative reflection on the Business Owner, ISSO, or system builder its just a result of the fact that security is never “done”. Cyber threats are always evolving, and changes to systems or how they operate can also introduce new risks.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe process to mitigate risks and weaknesses in CMS systems is called a Plan of Action and Milestones (POA\u0026amp;M). A POA\u0026amp;M is created whenever audits reveal an area of weakness in security controls. This is an opportunity to strengthen or “harden” your system through carefully planned improvements which boosts the overall resilience of our agencys cyber infrastructure. 
The CMS security staff and your integrated team are ready to help you along the way.\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2\u003e\u003cstrong\u003eWhat is a POA\u0026amp;M?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhen regular audits are conducted to assess the security posture of CMS information systems (and when new systems are being developed) there will inevitably be times that improvements or adjustments are needed. This isnt a negative reflection on the Business Owner, ISSO, or system builder its just a result of the fact that security is never “done”. Cyber threats are always evolving, and changes to systems or how they operate can also introduce new risks.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe process to mitigate risks and weaknesses in CMS systems is called a Plan of Action and Milestones (POA\u0026amp;M). A POA\u0026amp;M is created whenever audits reveal an area of weakness in security controls. This is an opportunity to strengthen or “harden” your system through carefully planned improvements which boosts the overall resilience of our agencys cyber infrastructure. 
The CMS security staff and your integrated team are ready to help you along the way.\u003c/p\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7a011f0b-d154-4824-a3d9-ab6d2d897205/paragraph_type?resourceVersion=id%3A19037\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7a011f0b-d154-4824-a3d9-ab6d2d897205/relationships/paragraph_type?resourceVersion=id%3A19037\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id\":\"435f83c6-c36a-46c4-bea6-029c80c14ff1\",\"meta\":{\"target_revision_id\":19036,\"drupal_internal__target_id\":3384}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7a011f0b-d154-4824-a3d9-ab6d2d897205/field_specialty_item?resourceVersion=id%3A19037\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/7a011f0b-d154-4824-a3d9-ab6d2d897205/relationships/field_specialty_item?resourceVersion=id%3A19037\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"ee1fabb0-058d-4b71-a7db-8a9ce8319795\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ee1fabb0-058d-4b71-a7db-8a9ce8319795?resourceVersion=id%3A19038\"}},\"attributes\":{\"drupal_internal__id\":3385,\"drupal_internal__revision_id\":19038,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-28T18:11:29+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57
f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ee1fabb0-058d-4b71-a7db-8a9ce8319795/paragraph_type?resourceVersion=id%3A19038\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ee1fabb0-058d-4b71-a7db-8a9ce8319795/relationships/paragraph_type?resourceVersion=id%3A19038\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ee1fabb0-058d-4b71-a7db-8a9ce8319795/field_specialty_item?resourceVersion=id%3A19038\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ee1fabb0-058d-4b71-a7db-8a9ce8319795/relationships/field_specialty_item?resourceVersion=id%3A19038\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"435f83c6-c36a-46c4-bea6-029c80c14ff1\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/435f83c6-c36a-46c4-bea6-029c80c14ff1?resourceVersion=id%3A19036\"}},\"attributes\":{\"drupal_internal__id\":3384,\"drupal_internal__revision_id\":19036,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-28T18:10:19+00:00\",\"parent_id\":\"506\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":{\"uri\":\"entity:node/401\",\"title\":\"\",\"options\":[],\"url\":\"/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"},\"field_call_out_link_text\":\"Read the Handbook\",\"field_call_out_text\":{\"value\":\"The POA\u0026M Handbook provides an in-depth look at the POA\u0026M process from start to finish.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThe POA\u0026amp;M Handbook provides an in-depth look at the POA\u0026amp;M process from start to finish.\u003c/p\u003e\\n\"},\"field_header\":\"Learn 
more about POA\u0026Ms\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/435f83c6-c36a-46c4-bea6-029c80c14ff1/paragraph_type?resourceVersion=id%3A19036\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/435f83c6-c36a-46c4-bea6-029c80c14ff1/relationships/paragraph_type?resourceVersion=id%3A19036\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"df30d570-d5dc-431f-bec8-3054b29243cb\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/df30d570-d5dc-431f-bec8-3054b29243cb?resourceVersion=id%3A19039\"}},\"attributes\":{\"drupal_internal__id\":2041,\"drupal_internal__revision_id\":19039,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:14:46+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/df30d570-d5dc-431f-bec8-3054b29243cb/paragraph_type?resourceVersion=id%3A19039\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/df30d570-d5dc-431f-bec8-3054b29243cb/relationships/paragraph_type?resourceVersion=id%3A19039\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"meta\":{\"drupal_internal__target_id\":201}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/df30d570-d5dc-431f-bec8-
3054b29243cb/field_link?resourceVersion=id%3A19039\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/df30d570-d5dc-431f-bec8-3054b29243cb/relationships/field_link?resourceVersion=id%3A19039\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"4bccf275-df68-449d-8a48-3ba2274c322a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4bccf275-df68-449d-8a48-3ba2274c322a?resourceVersion=id%3A19040\"}},\"attributes\":{\"drupal_internal__id\":2046,\"drupal_internal__revision_id\":19040,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:15:08+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4bccf275-df68-449d-8a48-3ba2274c322a/paragraph_type?resourceVersion=id%3A19040\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4bccf275-df68-449d-8a48-3ba2274c322a/relationships/paragraph_type?resourceVersion=id%3A19040\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"meta\":{\"drupal_internal__target_id\":391}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4bccf275-df68-449d-8a48-3ba2274c322a/field_link?resourceVersion=id%3A19040\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4bccf275-df68-449d-8a48-3ba2274c322a/relationships/field_link?resourceVersion=id%3A19040\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"443bfeb0-96a1-4b88-bd6d-d93d1d744e64\",\"links\":{\"self\":{\"href\":\"http
s://cybergeek.cms.gov/jsonapi/paragraph/internal_link/443bfeb0-96a1-4b88-bd6d-d93d1d744e64?resourceVersion=id%3A19041\"}},\"attributes\":{\"drupal_internal__id\":2051,\"drupal_internal__revision_id\":19041,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:15:17+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/443bfeb0-96a1-4b88-bd6d-d93d1d744e64/paragraph_type?resourceVersion=id%3A19041\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/443bfeb0-96a1-4b88-bd6d-d93d1d744e64/relationships/paragraph_type?resourceVersion=id%3A19041\"}}},\"field_link\":{\"data\":{\"type\":\"node--library\",\"id\":\"cba2b00b-3f53-42bd-8a60-f175e1d47a0a\",\"meta\":{\"drupal_internal__target_id\":401}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/443bfeb0-96a1-4b88-bd6d-d93d1d744e64/field_link?resourceVersion=id%3A19041\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/443bfeb0-96a1-4b88-bd6d-d93d1d744e64/relationships/field_link?resourceVersion=id%3A19041\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"71549f27-6a6b-4a16-9304-6208d994604a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71549f27-6a6b-4a16-9304-6208d994604a?resourceVersion=id%3A19042\"}},\"attributes\":{\"drupal_internal__id\":2056,\"drupal_internal__revision_id\":19042,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:16:34+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\
"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71549f27-6a6b-4a16-9304-6208d994604a/paragraph_type?resourceVersion=id%3A19042\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71549f27-6a6b-4a16-9304-6208d994604a/relationships/paragraph_type?resourceVersion=id%3A19042\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"44c21f2c-38ee-44b9-87b6-1e981b2d3d5e\",\"meta\":{\"drupal_internal__target_id\":561}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71549f27-6a6b-4a16-9304-6208d994604a/field_link?resourceVersion=id%3A19042\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71549f27-6a6b-4a16-9304-6208d994604a/relationships/field_link?resourceVersion=id%3A19042\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"ab8baea5-3667-47bd-b2c5-a8b59a3847ac\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ab8baea5-3667-47bd-b2c5-a8b59a3847ac?resourceVersion=id%3A19043\"}},\"attributes\":{\"drupal_internal__id\":2061,\"drupal_internal__revision_id\":19043,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:16:59+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"hre
f\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ab8baea5-3667-47bd-b2c5-a8b59a3847ac/paragraph_type?resourceVersion=id%3A19043\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ab8baea5-3667-47bd-b2c5-a8b59a3847ac/relationships/paragraph_type?resourceVersion=id%3A19043\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"27d871c0-b8f6-465e-b90f-c360ddcef8bb\",\"meta\":{\"drupal_internal__target_id\":531}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ab8baea5-3667-47bd-b2c5-a8b59a3847ac/field_link?resourceVersion=id%3A19043\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ab8baea5-3667-47bd-b2c5-a8b59a3847ac/relationships/field_link?resourceVersion=id%3A19043\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"6b40f485-c76e-44f6-8489-9bbf991c1f6c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6b40f485-c76e-44f6-8489-9bbf991c1f6c?resourceVersion=id%3A19044\"}},\"attributes\":{\"drupal_internal__id\":2551,\"drupal_internal__revision_id\":19044,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-14T13:35:17+00:00\",\"parent_id\":\"396\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6b40f485-c76e-44f6-8489-9bbf991c1f6c/paragraph_type?resourceVersion=id%3A19044\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6b40f485-c76e-44f6-8489-9bbf991c1f6c/relationships/paragraph_type?resourceVersion=id%3A19044\"}}},\"field_link\":{\"data\":{\"t
ype\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"meta\":{\"drupal_internal__target_id\":676}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6b40f485-c76e-44f6-8489-9bbf991c1f6c/field_link?resourceVersion=id%3A19044\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6b40f485-c76e-44f6-8489-9bbf991c1f6c/relationships/field_link?resourceVersion=id%3A19044\"}}}}},{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320?resourceVersion=id%3A5941\"}},\"attributes\":{\"drupal_internal__nid\":201,\"drupal_internal__vid\":5941,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-17T14:04:35+00:00\",\"status\":true,\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"created\":\"2022-08-25T18:58:52+00:00\",\"changed\":\"2024-10-07T20:27:11+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"pid\":191,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CSRAP@cms.hhs.gov\",\"field_contact_name\":\"CSRAP Team\",\"field_short_description\":{\"value\":\"A streamlined risk-based control(s) testing methodology designed to relieve operational burden.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA streamlined risk-based control(s) testing methodology designed to relieve operational 
burden.\u003c/p\u003e\\n\"},\"field_slack_channel\":[]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/node_type?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/node_type?resourceVersion=id%3A5941\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"39240c69-3096-49cd-a07c-3843b6c48c5f\",\"meta\":{\"drupal_internal__target_id\":95}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/revision_uid?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/revision_uid?resourceVersion=id%3A5941\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/uid?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/uid?resourceVersion=id%3A5941\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"f36fb6d1-0795-400f-8a15-36d1979118b0\",\"meta\":{\"target_revision_id\":19433,\"drupal_internal__target_id\":3501}},{\"type\":\"paragraph--page_section\",\"id\":\"eb5b28d8-8825-43c5-a889-513068f48fd8\",\"meta\":{\"target_revision_id\":19434,\"drupal_internal__target_id\":611}},{\"type\":\"paragraph--page_section\",\"id\":\"269aaf52-85f1-411f-a67e-e9d9ad620d8a\",\"meta\":{\"target_revision_id\":19435,\"drupal_internal__target_id\":651
}},{\"type\":\"paragraph--page_section\",\"id\":\"3a3615ff-9d53-40d6-8291-fd4516dbc893\",\"meta\":{\"target_revision_id\":19442,\"drupal_internal__target_id\":3502}},{\"type\":\"paragraph--page_section\",\"id\":\"cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa\",\"meta\":{\"target_revision_id\":19443,\"drupal_internal__target_id\":3503}},{\"type\":\"paragraph--page_section\",\"id\":\"a46d03b7-7478-40f1-a7da-3171ffcfaa2d\",\"meta\":{\"target_revision_id\":19444,\"drupal_internal__target_id\":3504}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_page_section?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_page_section?resourceVersion=id%3A5941\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"28dbad4c-79e6-4f83-bc5e-965ba6aa4926\",\"meta\":{\"target_revision_id\":19445,\"drupal_internal__target_id\":656}},{\"type\":\"paragraph--internal_link\",\"id\":\"9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2\",\"meta\":{\"target_revision_id\":19446,\"drupal_internal__target_id\":661}},{\"type\":\"paragraph--internal_link\",\"id\":\"77c203ce-2da8-4200-986c-1093acc2ff5a\",\"meta\":{\"target_revision_id\":19447,\"drupal_internal__target_id\":671}},{\"type\":\"paragraph--internal_link\",\"id\":\"50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a\",\"meta\":{\"target_revision_id\":19448,\"drupal_internal__target_id\":676}},{\"type\":\"paragraph--internal_link\",\"id\":\"c4a332dc-02ea-48f6-9c08-c12ca06e62b5\",\"meta\":{\"target_revision_id\":19449,\"drupal_internal__target_id\":681}},{\"type\":\"paragraph--internal_link\",\"id\":\"5cc61db4-e2f7-43ad-b914-3661d73886e9\",\"meta\":{\"target_revision_id\":19450,\"drupal_internal__target_id\":3505}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_related_collection?r
esourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_related_collection?resourceVersion=id%3A5941\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_resource_type?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_resource_type?resourceVersion=id%3A5941\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_roles?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_roles?resourceVersion=id%3A5941\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_topics?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-
81e7-65a4013fa320/relationships/field_topics?resourceVersion=id%3A5941\"}}}}},{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748?resourceVersion=id%3A5886\"}},\"attributes\":{\"drupal_internal__nid\":391,\"drupal_internal__vid\":5886,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-30T19:33:09+00:00\",\"status\":true,\"title\":\"Penetration Testing (PenTesting)\",\"created\":\"2022-08-29T16:54:55+00:00\",\"changed\":\"2024-08-30T19:33:09+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/penetration-testing-pentesting\",\"pid\":381,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cmspentestmanagement@cms.hhs.gov\",\"field_contact_name\":\"Penetration Testing Team\",\"field_short_description\":{\"value\":\"Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting that mimics real-world attacks on a system to assess its security posture and identify gaps in 
protection\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ccic_sec_eng_and_soc\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/node_type?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/node_type?resourceVersion=id%3A5886\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"94466ab9-93ba-4374-964a-cac08e0505c1\",\"meta\":{\"drupal_internal__target_id\":122}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/revision_uid?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/revision_uid?resourceVersion=id%3A5886\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/uid?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/uid?resourceVersion=id%3A5886\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"9ce3ee98-23ca-4e7f-aba7-eb85e992ee97\",\"meta\":{\"target_revision_id\":19217,\"drupal_internal__target_id\":501}},{\"type\":\"paragraph--page_section\",\"id\":\"7b5e13a5-a70b-4570-8feb-183ff1d4fae9\",\"meta\":{\"target_revision_id\":19218,\"drupal_internal__target_id\":2546}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_pa
ge_section?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_page_section?resourceVersion=id%3A5886\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"a7c47ed1-07a0-4487-8538-27c56a8e48d2\",\"meta\":{\"target_revision_id\":19219,\"drupal_internal__target_id\":2021}},{\"type\":\"paragraph--internal_link\",\"id\":\"44807064-0310-448f-8f66-09ee2ff9b17d\",\"meta\":{\"target_revision_id\":19220,\"drupal_internal__target_id\":2026}},{\"type\":\"paragraph--internal_link\",\"id\":\"825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb\",\"meta\":{\"target_revision_id\":19221,\"drupal_internal__target_id\":2031}},{\"type\":\"paragraph--internal_link\",\"id\":\"8d631ecf-4c48-46d2-b8f2-5db69fd03245\",\"meta\":{\"target_revision_id\":19222,\"drupal_internal__target_id\":2036}},{\"type\":\"paragraph--internal_link\",\"id\":\"2121533f-ed8e-4292-81c3-c9c5f3b88c42\",\"meta\":{\"target_revision_id\":19223,\"drupal_internal__target_id\":3388}},{\"type\":\"paragraph--internal_link\",\"id\":\"e3a2533a-0128-4439-8ca5-a56210aa267e\",\"meta\":{\"target_revision_id\":19224,\"drupal_internal__target_id\":3389}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_related_collection?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_related_collection?resourceVersion=id%3A5886\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_resource_type?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/
845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_resource_type?resourceVersion=id%3A5886\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_roles?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_roles?resourceVersion=id%3A5886\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":{\"drupal_internal__target_id\":46}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_topics?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_topics?resourceVersion=id%3A5886\"}}}}},{\"type\":\"node--library\",\"id\":\"cba2b00b-3f53-42bd-8a60-f175e1d47a0a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a?resourceVersion=id%3A5866\"}},\"attributes\":{\"drupal_internal__nid\":401,\"drupal_internal__vid\":5866,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-13T19:41:02+00:00\",\"status\":true,\"title\":\"CMS Plan of 
Action and Milestones (POA\u0026M) Handbook\",\"created\":\"2022-08-29T16:59:47+00:00\",\"changed\":\"2024-08-05T15:55:04+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-plan-action-and-milestones-poam-handbook\",\"pid\":391,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2023-04-05\",\"field_related_resources\":[{\"uri\":\"entity:node/561\",\"title\":\"CMS System Audits \",\"options\":[],\"url\":\"/learn/system-audits\"},{\"uri\":\"https://intranet.hhs.gov/document/standard-plans-action-and-milestones-poam-management-and-reporting\",\"title\":\"HHS Plan of Action and Milestones (POA\u0026M) guidance \",\"options\":[],\"url\":\"https://intranet.hhs.gov/document/standard-plans-action-and-milestones-poam-management-and-reporting\"},{\"uri\":\"entity:node/201\",\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"options\":[],\"url\":\"/learn/cybersecurity-risk-assessment-program-csrap\"}],\"field_short_description\":{\"value\":\"A complete guide to creating, managing, and closing your systems POA\u0026M\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA complete guide to creating, managing, and closing your systems 
POA\u0026amp;M\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/node_type?resourceVersion=id%3A5866\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/relationships/node_type?resourceVersion=id%3A5866\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\",\"meta\":{\"drupal_internal__target_id\":110}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/revision_uid?resourceVersion=id%3A5866\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/relationships/revision_uid?resourceVersion=id%3A5866\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/uid?resourceVersion=id%3A5866\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/relationships/uid?resourceVersion=id%3A5866\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/field_resource_type?resourceVersion=id%3A5866\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/relationships/field_resource_type?resourceVersion=id%3A5866\"}}},\"field_roles\":{\"data\":[{\"type\":\"tax
onomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/field_roles?resourceVersion=id%3A5866\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/relationships/field_roles?resourceVersion=id%3A5866\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/field_topics?resourceVersion=id%3A5866\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cba2b00b-3f53-42bd-8a60-f175e1d47a0a/relationships/field_topics?resourceVersion=id%3A5866\"}}}}},{\"type\":\"node--explainer\",\"id\":\"44c21f2c-38ee-44b9-87b6-1e981b2d3d5e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e?resourceVersion=id%3A5728\"}},\"attributes\":{\"drupal_internal__nid\":561,\"drupal_internal__vid\":5728,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-30T19:08:31+00:00\",\"status\":true,\"title\":\"System 
Audits\",\"created\":\"2022-08-29T18:26:03+00:00\",\"changed\":\"2024-07-30T19:08:31+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/system-audits\",\"pid\":551,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ISPG_Audit_Mailbox@cms.hhs.gov\",\"field_contact_name\":\"Audit Team\",\"field_short_description\":{\"value\":\"Independent review and examination of records and activities to assess the adequacy of system controls for compliance with established policies and procedures\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eIndependent review and examination of records and activities to assess the adequacy of system controls for compliance with established policies and procedures\u003c/p\u003e\\n\"},\"field_slack_channel\":[]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/node_type?resourceVersion=id%3A5728\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/node_type?resourceVersion=id%3A5728\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/revision_uid?resourceVersion=id%3A5728\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/revision_uid?resourceVersion=id%3A
5728\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/uid?resourceVersion=id%3A5728\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/uid?resourceVersion=id%3A5728\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"d59fe171-bb87-4443-8a61-0d130460fe1b\",\"meta\":{\"target_revision_id\":18880,\"drupal_internal__target_id\":1456}},{\"type\":\"paragraph--page_section\",\"id\":\"8df52f42-8b8c-4c66-84f8-2f3b992e3528\",\"meta\":{\"target_revision_id\":18892,\"drupal_internal__target_id\":1521}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/field_page_section?resourceVersion=id%3A5728\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/field_page_section?resourceVersion=id%3A5728\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"a6c6dc63-c5e6-4410-8e41-9587f0186bfb\",\"meta\":{\"target_revision_id\":18893,\"drupal_internal__target_id\":1581}},{\"type\":\"paragraph--internal_link\",\"id\":\"3cf83065-e50e-4fdd-b921-d6bab90e7c44\",\"meta\":{\"target_revision_id\":18894,\"drupal_internal__target_id\":1586}},{\"type\":\"paragraph--internal_link\",\"id\":\"1b1a083f-34aa-45a2-ba9b-11e27135247a\",\"meta\":{\"target_revision_id\":18895,\"drupal_internal__target_id\":1591}},{\"type\":\"paragraph--internal_link\",\"id\":\"33bfd7be-39d8-4437-acc0-3c5c4f7772a2\",\"meta\":{\"target_revision_id\":18896,\"drupal_internal__target_id\":1596}},{\"type\":\"paragraph--internal_link\",\"id\":\"9f002c89-9bf5-49a8-9ec1-f49d5bf308a1\",\"meta\":{\"target_revision_id\":18897,\"drupal_internal__t
arget_id\":1601}},{\"type\":\"paragraph--internal_link\",\"id\":\"01c7f6b4-a293-4219-8212-0f4438e6ba0d\",\"meta\":{\"target_revision_id\":18898,\"drupal_internal__target_id\":1606}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/field_related_collection?resourceVersion=id%3A5728\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/field_related_collection?resourceVersion=id%3A5728\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/field_resource_type?resourceVersion=id%3A5728\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/field_resource_type?resourceVersion=id%3A5728\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/field_roles?resourceVersion=id%3A5728\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/field_roles?resourceVersion=id%3A5728\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}}],\"links\":{\"related\":{\"href\":\"https://cybergeek
.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/field_topics?resourceVersion=id%3A5728\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/44c21f2c-38ee-44b9-87b6-1e981b2d3d5e/relationships/field_topics?resourceVersion=id%3A5728\"}}}}},{\"type\":\"node--explainer\",\"id\":\"27d871c0-b8f6-465e-b90f-c360ddcef8bb\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb?resourceVersion=id%3A5517\"}},\"attributes\":{\"drupal_internal__nid\":531,\"drupal_internal__vid\":5517,\"langcode\":\"en\",\"revision_timestamp\":\"2024-05-31T21:17:47+00:00\",\"status\":true,\"title\":\"Security Controls Assessment (SCA)\",\"created\":\"2022-08-29T18:14:00+00:00\",\"changed\":\"2024-05-31T18:37:46+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/security-controls-assessment-sca\",\"pid\":521,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CSRAP@cms.hhs.gov\",\"field_contact_name\":\"CSRAP Team \",\"field_short_description\":{\"value\":\"A compliance-based assessment to determine if a system's security and privacy controls are implemented correctly\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA compliance-based assessment to determine if a system\u0026#039;s security and privacy controls are implemented 
correctly\u003c/p\u003e\\n\"},\"field_slack_channel\":[]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/node_type?resourceVersion=id%3A5517\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/node_type?resourceVersion=id%3A5517\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\",\"meta\":{\"drupal_internal__target_id\":110}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/revision_uid?resourceVersion=id%3A5517\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/revision_uid?resourceVersion=id%3A5517\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/uid?resourceVersion=id%3A5517\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/uid?resourceVersion=id%3A5517\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"ecf4b25c-5e6a-4691-b899-7407e91f65df\",\"meta\":{\"target_revision_id\":17841,\"drupal_internal__target_id\":521}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/field_page_section?resourceVersion=id%3A5517\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/field_page_section?resourceV
ersion=id%3A5517\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"5bdf65fb-004d-44b9-8688-87401650cd53\",\"meta\":{\"target_revision_id\":17842,\"drupal_internal__target_id\":1701}},{\"type\":\"paragraph--internal_link\",\"id\":\"a51e8dab-efa9-45a5-99ad-9822fb8b254e\",\"meta\":{\"target_revision_id\":17843,\"drupal_internal__target_id\":1706}},{\"type\":\"paragraph--internal_link\",\"id\":\"a4c8f341-7527-4b20-ac9d-6ecb3f940fac\",\"meta\":{\"target_revision_id\":17844,\"drupal_internal__target_id\":1711}},{\"type\":\"paragraph--internal_link\",\"id\":\"69ab6154-a289-4b09-9c3b-90702a6d5573\",\"meta\":{\"target_revision_id\":17845,\"drupal_internal__target_id\":2566}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/field_related_collection?resourceVersion=id%3A5517\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/field_related_collection?resourceVersion=id%3A5517\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/field_resource_type?resourceVersion=id%3A5517\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/field_resource_type?resourceVersion=id%3A5517\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{
\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/field_roles?resourceVersion=id%3A5517\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/field_roles?resourceVersion=id%3A5517\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/field_topics?resourceVersion=id%3A5517\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/27d871c0-b8f6-465e-b90f-c360ddcef8bb/relationships/field_topics?resourceVersion=id%3A5517\"}}}}},{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08?resourceVersion=id%3A5525\"}},\"attributes\":{\"drupal_internal__nid\":676,\"drupal_internal__vid\":5525,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-04T17:13:19+00:00\",\"status\":true,\"title\":\"Continuous Diagnostics and Mitigation 
(CDM)\",\"created\":\"2023-02-04T14:55:07+00:00\",\"changed\":\"2024-06-04T17:13:19+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"pid\":666,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CDMPMO@cms.hhs.gov\",\"field_contact_name\":\"CDM team\",\"field_short_description\":{\"value\":\"Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eAutomated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cyber-risk-management\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/node_type?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/node_type?resourceVersion=id%3A5525\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":{\"drupal_internal__target_id\":107}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/revision_uid?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/revision_uid?resourceVersion=id%3A5525\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f830
2fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/uid?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/uid?resourceVersion=id%3A5525\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"8b7bda2b-e3dc-4760-9901-27255f14ff41\",\"meta\":{\"target_revision_id\":17929,\"drupal_internal__target_id\":546}},{\"type\":\"paragraph--page_section\",\"id\":\"8e76f588-fd94-4439-b7e3-73c8b83e3500\",\"meta\":{\"target_revision_id\":17930,\"drupal_internal__target_id\":551}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_page_section?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_page_section?resourceVersion=id%3A5525\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"bc285af3-dba7-4a12-8881-a8fed446dded\",\"meta\":{\"target_revision_id\":17931,\"drupal_internal__target_id\":1891}},{\"type\":\"paragraph--internal_link\",\"id\":\"1bc4b03f-652f-4fbf-8024-43e830b4b0a3\",\"meta\":{\"target_revision_id\":17932,\"drupal_internal__target_id\":1896}},{\"type\":\"paragraph--internal_link\",\"id\":\"05f865ef-4960-439b-9fca-9e7d70dfbe39\",\"meta\":{\"target_revision_id\":17933,\"drupal_internal__target_id\":1906}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_related_collection?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_related_collection?resourceVersion=id%3A5525\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonom
y_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_resource_type?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_resource_type?resourceVersion=id%3A5525\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_roles?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_roles?resourceVersion=id%3A5525\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_topics?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_topics?resourceVersion=id%3A5525\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1c\",\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\":\"$26\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$2a\",\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\":\"$2e\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$48\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$6
2\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$7c\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$96\",\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\":\"$b0\",\"65ef6410-4066-4db4-be03-c8eb26b63305\":\"$ca\",\"7a011f0b-d154-4824-a3d9-ab6d2d897205\":\"$e4\",\"ee1fabb0-058d-4b71-a7db-8a9ce8319795\":\"$f7\",\"435f83c6-c36a-46c4-bea6-029c80c14ff1\":\"$10a\",\"df30d570-d5dc-431f-bec8-3054b29243cb\":\"$119\",\"4bccf275-df68-449d-8a48-3ba2274c322a\":\"$12b\",\"443bfeb0-96a1-4b88-bd6d-d93d1d744e64\":\"$13d\",\"71549f27-6a6b-4a16-9304-6208d994604a\":\"$14f\",\"ab8baea5-3667-47bd-b2c5-a8b59a3847ac\":\"$161\",\"6b40f485-c76e-44f6-8489-9bbf991c1f6c\":\"$173\",\"a74e943d-f87d-4688-81e7-65a4013fa320\":\"$185\",\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\":\"$1db\",\"cba2b00b-3f53-42bd-8a60-f175e1d47a0a\":\"$22b\",\"44c21f2c-38ee-44b9-87b6-1e981b2d3d5e\":\"$268\",\"27d871c0-b8f6-465e-b90f-c360ddcef8bb\":\"$2b4\",\"1f32f891-d557-40ae-84b5-2cecc9300e08\":\"$2fe\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Plan of Action and Milestones (POA\u0026M) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"A corrective action plan roadmap to address system weaknesses and the resources required to fix them\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"Plan of Action and Milestones (POA\u0026M) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"A corrective action plan roadmap to address system weaknesses and the resources 
required to fix them\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/plan-action-and-milestones-poam/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"Plan of Action and Milestones (POA\u0026M) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"A corrective action plan roadmap to address system weaknesses and the resources required to fix them\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/plan-action-and-milestones-poam/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>