publicdata/cms-gov
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
cms-gov/security.cms.gov/learn/privacy-impact-assessment-pia
Scott Williams b906a0e722 Initial commit
2025-02-28 14:41:14 -05:00

1 line
No EOL
438 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>Privacy Impact Assessment (PIA) | CMS Information Security &amp; Privacy Group</title><meta name="description" content="Process that identifies and mitigates privacy risks for CMS systems regarding the use of Personally Identifiable Information (PII)"/><link rel="canonical" href="https://security.cms.gov/learn/privacy-impact-assessment-pia"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="Privacy Impact Assessment (PIA) | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="Process that identifies and mitigates privacy risks for CMS systems regarding the use of Personally Identifiable Information (PII)"/><meta property="og:url" content="https://security.cms.gov/learn/privacy-impact-assessment-pia"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/privacy-impact-assessment-pia/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Privacy Impact Assessment (PIA) | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="Process that identifies and mitigates privacy risks for CMS systems regarding the use of Personally Identifiable Information (PII)"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/privacy-impact-assessment-pia/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accessibility Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">Privacy Impact Assessment (PIA)</h1><p class="hero__description">Process that identifies and mitigates privacy risks for CMS systems regarding the use of Personally Identifiable Information (PII)</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">Privacy Office</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:privacy@cms.hhs.gov">privacy@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 margin-top-0">#ispg-sec_privacy-policy</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>What is a Privacy Impact Assessment (PIA)?&nbsp;</h2><p>A Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. The purpose of a PIA is to demonstrate that system owners have consciously incorporated privacy protections within their systems for information supplied by the public.&nbsp;</p><p>PIAs are required by the E-Government Act of 2002, which Congress enacted to improve the management of Federal electronic government services and processes. Section 208 of the E-Government Act specifically requires PIAs to be created when a federal agency develops or procures new information technology that involves the collection, maintenance, or dissemination of information in identifiable form.&nbsp;</p><p>Further, because the E-Government Act also includes a provision requiring PIAs to be published publicly on agency websites, they allow CMS to communicate more clearly with the public about how we handle information, including how we address privacy concerns and safeguard information. Copies of completed PIAs are&nbsp;<a href="https://www.hhs.gov/pia/index.html">posted on the HHS website</a> upon completion to offer transparency to the public.</p><h3>Who completes Privacy Impact Assessments (PIAs)?&nbsp;</h3><p>Privacy Impact Assessments (PIAs) are a team effort. The Information System Security Officer (ISSO) leads the effort on behalf of the System/Business Owner to complete the questions required to submit a compliant assessment. The ISSO receives support from the ISPG Division of Security, Privacy, Policy &amp; Oversight (DSPPO) and works in partnership with ISPG Cyber Risk Advisors (CRAs) to accurately complete the PIA.&nbsp;</p></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>PIA Handbook</h1><p>The CMS Privacy Impact Assessment Handbook has all the steps and instructions for successfully completing a PIA.</p><p><a href="https://security.cms.gov/policy-guidance/cms-privacy-impact-assessment-pia-handbook">Go to the Handbook</a></p></section><div class="text-block text-block--theme-explainer"><h2 id="types-of-privacy-assessments">Types of privacy assessments&nbsp;</h2><p>Protecting user privacy through system security is a core mission of CMS. The type of information collected by a system determines what kind of assessment is required. The HHS PIA &amp; PTA Writers Handbook provides guidance and questions to help system owners and ISSOs determine which privacy assessment is right for their specific needs.&nbsp;</p><p>There are four main types of privacy assessments:&nbsp;</p><h3 id="privacy-impact-assessments-pias">Privacy Impact Assessments (PIAs)&nbsp;</h3><p>PIAs are an analysis of how personally identifiable information is handled. PIAs are important because they help system owners:&nbsp;</p><ul><li>Determine the risks of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of PII within FISMA systems.</li><li>Examine and evaluate protections for handling information to mitigate potential privacy concerns.</li><li>Develop new solutions to manage PII if current collection methods arent optimized.</li><li>Ensure that information is handled in a manner that supports all applicable legal, regulatory, and policy requirements regarding privacy.</li></ul><p>PIAs must be completed in the following situations:&nbsp;</p><ul><li>For all new systems that collect PII from 10 or more members of the general public, a PIA is required to be completed as part of the broader Authority to Operate (ATO) process.</li><li>For every existing system that collects PII from 10 or more members of the general public, a PIA must be reviewed and re-approved once every three years. System/Business Owners and Information System Security Officers (ISSOs) must review and revise as necessary and submit PIAs for re-approval no later than three years from the last HHS approval date.&nbsp;</li><li>For any existing system undergoing a major change, an updated PIA is required.</li><li>An existing system going through the ATO process may need to update its PIA paperwork if its close to expiring; an ATO cannot be completed with an expired or incomplete PIA.&nbsp;</li></ul><p>If your FISMA system does not meet the requirements above, it may not require a traditional PIA. In these instances, there may be other Privacy compliance requirements for your system or application. If youre unsure which assessment is right for you, the Privacy Office can help you make the right choice from the following options:</p><h3 id="internal-privacy-impact-assessments">Internal Privacy Impact Assessments&nbsp;</h3><p>Internal PIAs are similar to the PIAs described above but are only conducted for systems that collect PII of CMS employees and direct contractors only. Like a PIA, an internal PIA must be updated when a major change is planned for an IT system or electronic information collection. Unlike a traditional PIA, an internal PIA is not published on the HHS website and is not subject to the three-year review requirement.&nbsp;</p><h3 id="privacy-threshold-analysis-pta">Privacy Threshold Analysis (PTA)&nbsp;</h3><p>A PTA is an analysis performed in lieu of a formal PIA for systems that do not collect, disseminate, maintain, or dispose of PII. The PTA must be updated during a major change or if the manner in which electronic information is collected is changed. It is possible that a major change (e.g., the addition of PII) could result in a PTA meeting the threshold to be a PIA. Since HHS uses an interactive form for PIAs, a separate document is not necessary to complete a PTA. PTAs are not published on the HHS website and are not subject to the three-year review requirement.&nbsp;</p><h3 id="third-party-website-application-tpwa-privacy-impact-assessment">Third-Party Website Application (TPWA) Privacy Impact Assessment&nbsp;</h3><p>A TPWA is an analysis of third-party websites or application technologies (like social media platforms) used by CMS to communicate and engage with members of the public. The TPWA PIA has different questions based on the specific risks and compliance requirements for TPWAs as outlined by <a href="https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf">OMB M-10-23</a>. However, the PIA and TPWA PIA require approval from HHS and are published on the HHS public web page.</p><h2 id="what-is-considered-a-major-change">What is considered a major change?</h2><p>A major change is something that alters the privacy risk associated with the use of a particular IT system. An example of a major change that would require an update to the PIA is a decision to collect social security numbers for an information system that previously was not collecting social security numbers. According to <a href="https://obamawhitehouse.archives.gov/omb/memoranda_m03-22/">OMB M-03-22</a>, PIAs should be reviewed following the major changes including, but not limited to:</p><p><strong>Conversions: </strong>A conversion from paper-based information collection methods to electronic systems (e.g. records currently in paper form will be scanned or otherwise added into a system).</p><p><strong>Anonymous to Non-Anonymous: </strong>When the system previously collected information about users that did not identify them, but has changed to collect information that makes anonymity impossible.</p><p><strong>Significant System Management Changes:</strong> The introduction of new applications or technologies to an existing system significantly changes the process of how PII is managed within the system.&nbsp;</p><p><strong>Significant Merging:</strong> When agency and/or government databases holding PII are merged, centralized, matched with other databases, or otherwise significantly manipulated.&nbsp;</p><p><strong>New Public Access: </strong>When user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system that can be accessed by the public.</p><p><strong>Commercial Sources: </strong>When PII is obtained from commercial or public sources and is integrated into the existing government information systems databases.</p><p><strong>New Interagency Uses: </strong>When agencies work together on shared functions involving significant new uses or exchanges of PII.&nbsp;</p><p><strong>Internal Flow or Collection: </strong>When alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional PII.</p><p><strong>Alteration in Character of Data: </strong>When a new type of PII is added to a pre-existing collection and raises the risk to personal privacy, such as the addition of health or privacy information.&nbsp;</p><h2 id="how-to-complete-a-privacy-impact-assessment-pia">How to complete a Privacy Impact Assessment (PIA)</h2><p>HHS issues the master guidance for the completion of PIAs. ISPG has taken the guidance provided by HHS and translated it into a questionnaire that can be found on <a href="https://cfacts.cms.gov/apps/ArcherApp/Home.aspx">CFACTS</a>. ISSOs can log in to CFACTS to complete the questionnaire with guidance from the System/Business Owner and the assigned Cyber Risk Advisor (CRA).&nbsp;</p><p>A step by step guide to answering the questions required to complete the PIA can be found within the PIA &amp; PTA Writers Handbook, which is written by HHS and can be found as a resource on the front page of each individual question in CFACTS. You can also check out the CMS Privacy Impact Assessment Handbook for guidance and tips to ensure that your PIA is written correctly.&nbsp;</p><p>The procedures below give a summary review of the actions necessary to complete a new PIA or modify an existing PIA.</p></div><div><ol class="usa-process-list"><li class="usa-process-list__item"><h4 class="usa-process-list__heading">PIA initial draft</h4><div class="margin-top-05 usa-process-list__description"><p><strong>Produced by: SO/BO, ISSO, Cyber Risk Advisor</strong></p><p>Following any of the scenarios or major changes that would require the completion of a PIA, the System/Business Owner works with the ISSO to draft a new or revised PIA in CFACTS. Upon completion of the new or revised PIA, the System/Business Owner or ISSO will contact the CRA for review. In CFACTS, the queue for the System/Business owner or ISSO is “ISSO Submitter '' for the PIA.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">PIA review / revision</h4><div class="margin-top-05 usa-process-list__description"><p><strong>Produced by: CRA, Privacy Advisor</strong></p><p>The CRA reviews the PIA in collaboration with the Privacy Advisor and coordinates recommended changes with the system/business owner or ISSO. Any identified privacy risks or compliance issues should be resolved before submission to the Senior Official for Privacy (SOP) for approval. If the SOP or Senior Agency Official for Privacy (SAOP) recommends changes, the review process will continue from this step as needed until the PIA is approved and finalized by the SAOP.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">PIA approval</h4><div class="margin-top-05 usa-process-list__description"><p><strong>Produced by: CMS Senior Official for Privacy (SOP), Final Approver</strong></p><p>The SOP or designated Final Approver will review the PIA and recommend approval to HHS if no changes are recommended.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">PIA signing</h4><div class="margin-top-05 usa-process-list__description"><p><strong>Produced by: Senior Agency Official for Privacy (SAOP)</strong></p><p>The SAOP will designate staff to review all PIAs before approval for signature. If no changes are recommended, the SOP and SAOP will digitally sign the PIA. Once signed by the SOP and SAOP, the PIA is approved and complete for a length of time as discussed above.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">PIA posting</h4><div class="margin-top-05 usa-process-list__description"><p>HHS will submit the final PIA for publication to the <a href="https://www.hhs.gov/pia">HHS PIA internet site</a>.</p></div></li></ol></div><div class="text-block text-block--theme-explainer"><p>We are here to help if you have questions about your PIA. You can send an email to the Privacy Office: <a href="mailto:privacy@cms.hhs.gov">privacy@cms.hhs.gov</a>. Or check in the CMS Slack community: <strong>#ispg-sec_privacy-policy</strong>.</p><p>You can also review the <a href="https://security.cms.gov/policy-guidance/cms-privacy-impact-assessment-pia-handbook">CMS Privacy Impact Assessment Handbook</a> for tips and guidance on completing your PIA.</p></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook">CMS Privacy Impact Assessment (PIA) Handbook</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Information, tips, and tricks for writing your Privacy Impact Assessment (PIA) concisely and correctly</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-fisma-continuous-tracking-system-cfacts">CMS FISMA Continuous Tracking System (CFACTS)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>CFACTS is a CMS database that tracks application security deficiencies and POA&amp;Ms, and supports the ATO process</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Testing and documenting system security and compliance to gain approval to operate the system at CMS</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-computer-matching-agreement-cma">CMS Computer Matching Agreement (CMA)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Written agreement used in the comparison of automated systems of record between federal or state agencies</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-information-system-risk-assessment-isra">CMS Information System Risk Assessment (ISRA)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Documentation of a systems vulnerabilities, security controls, risk levels, and recommended safeguards for keeping information safe</p></div></div></li></ul></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"privacy-impact-assessment-pia\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"privacy-impact-assessment-pia\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"privacy-impact-assessment-pia\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"privacy-impact-assessment-pia\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:T6f0,\u003ch2\u003e\u003cstrong\u003eWhat is a Privacy Impact Assessment (PIA)?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. The purpose of a PIA is to demonstrate that system owners have consciously incorporated privacy protections within their systems for information supplied by the public.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePIAs are required by the E-Government Act of 2002, which Congress enacted to improve the management of Federal electronic government services and processes. Section 208 of the E-Government Act specifically requires PIAs to be created when a federal agency develops or procures new information technology that involves the collection, maintenance, or dissemination of information in identifiable form.\u0026nbsp;\u003c/p\u003e\u003cp\u003eFurther, because the E-Government Act also includes a provision requiring PIAs to be published publicly on agency websites, they allow CMS to communicate more clearly with the public about how we handle information, including how we address privacy concerns and safeguard information. Copies of completed PIAs are\u0026nbsp;\u003ca href=\"https://www.hhs.gov/pia/index.html\"\u003eposted on the HHS website\u003c/a\u003e upon completion to offer transparency to the public.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho completes Privacy Impact Assessments (PIAs)?\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePrivacy Impact Assessments (PIAs) are a team effort. The Information System Security Officer (ISSO) leads the effort on behalf of the System/Business Owner to complete the questions required to submit a compliant assessment. The ISSO receives support from the ISPG Division of Security, Privacy, Policy \u0026amp; Oversight (DSPP"])</script><script>self.__next_f.push([1,"O) and works in partnership with ISPG Cyber Risk Advisors (CRAs) to accurately complete the PIA.\u0026nbsp;\u003c/p\u003e19:T6f0,\u003ch2\u003e\u003cstrong\u003eWhat is a Privacy Impact Assessment (PIA)?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. The purpose of a PIA is to demonstrate that system owners have consciously incorporated privacy protections within their systems for information supplied by the public.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePIAs are required by the E-Government Act of 2002, which Congress enacted to improve the management of Federal electronic government services and processes. Section 208 of the E-Government Act specifically requires PIAs to be created when a federal agency develops or procures new information technology that involves the collection, maintenance, or dissemination of information in identifiable form.\u0026nbsp;\u003c/p\u003e\u003cp\u003eFurther, because the E-Government Act also includes a provision requiring PIAs to be published publicly on agency websites, they allow CMS to communicate more clearly with the public about how we handle information, including how we address privacy concerns and safeguard information. Copies of completed PIAs are\u0026nbsp;\u003ca href=\"https://www.hhs.gov/pia/index.html\"\u003eposted on the HHS website\u003c/a\u003e upon completion to offer transparency to the public.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho completes Privacy Impact Assessments (PIAs)?\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePrivacy Impact Assessments (PIAs) are a team effort. The Information System Security Officer (ISSO) leads the effort on behalf of the System/Business Owner to complete the questions required to submit a compliant assessment. The ISSO receives support from the ISPG Division of Security, Privacy, Policy \u0026amp; Oversight (DSPPO) and works in partnership with ISPG Cyber Risk Advisors (CRAs) to accurately complete the PIA.\u0026nbsp;\u003c/p\u003e1a:T1eae,"])</script><script>self.__next_f.push([1,"\u003ch2 id=\"types-of-privacy-assessments\"\u003e\u003cstrong\u003eTypes of privacy assessments\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eProtecting user privacy through system security is a core mission of CMS. The type of information collected by a system determines what kind of assessment is required. The HHS PIA \u0026amp; PTA Writers Handbook provides guidance and questions to help system owners and ISSOs determine which privacy assessment is right for their specific needs.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThere are four main types of privacy assessments:\u0026nbsp;\u003c/p\u003e\u003ch3 id=\"privacy-impact-assessments-pias\"\u003e\u003cstrong\u003ePrivacy Impact Assessments (PIAs)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePIAs are an analysis of how personally identifiable information is handled. PIAs are important because they help system owners:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDetermine the risks of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of PII within FISMA systems.\u003c/li\u003e\u003cli\u003eExamine and evaluate protections for handling information to mitigate potential privacy concerns.\u003c/li\u003e\u003cli\u003eDevelop new solutions to manage PII if current collection methods arent optimized.\u003c/li\u003e\u003cli\u003eEnsure that information is handled in a manner that supports all applicable legal, regulatory, and policy requirements regarding privacy.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ePIAs must be completed in the following situations:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor all new systems that collect PII from 10 or more members of the general public, a PIA is required to be completed as part of the broader Authority to Operate (ATO) process.\u003c/li\u003e\u003cli\u003eFor every existing system that collects PII from 10 or more members of the general public, a PIA must be reviewed and re-approved once every three years. System/Business Owners and Information System Security Officers (ISSOs) must review and revise as necessary and submit PIAs for re-approval no later than three years from the last HHS approval date.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor any existing system undergoing a major change, an updated PIA is required.\u003c/li\u003e\u003cli\u003eAn existing system going through the ATO process may need to update its PIA paperwork if its close to expiring; an ATO cannot be completed with an expired or incomplete PIA.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your FISMA system does not meet the requirements above, it may not require a traditional PIA. In these instances, there may be other Privacy compliance requirements for your system or application. If youre unsure which assessment is right for you, the Privacy Office can help you make the right choice from the following options:\u003c/p\u003e\u003ch3 id=\"internal-privacy-impact-assessments\"\u003e\u003cstrong\u003eInternal Privacy Impact Assessments\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eInternal PIAs are similar to the PIAs described above but are only conducted for systems that collect PII of CMS employees and direct contractors only. Like a PIA, an internal PIA must be updated when a major change is planned for an IT system or electronic information collection. Unlike a traditional PIA, an internal PIA is not published on the HHS website and is not subject to the three-year review requirement.\u0026nbsp;\u003c/p\u003e\u003ch3 id=\"privacy-threshold-analysis-pta\"\u003e\u003cstrong\u003ePrivacy Threshold Analysis (PTA)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA PTA is an analysis performed in lieu of a formal PIA for systems that do not collect, disseminate, maintain, or dispose of PII. The PTA must be updated during a major change or if the manner in which electronic information is collected is changed. It is possible that a major change (e.g., the addition of PII) could result in a PTA meeting the threshold to be a PIA. Since HHS uses an interactive form for PIAs, a separate document is not necessary to complete a PTA. PTAs are not published on the HHS website and are not subject to the three-year review requirement.\u0026nbsp;\u003c/p\u003e\u003ch3 id=\"third-party-website-application-tpwa-privacy-impact-assessment\"\u003e\u003cstrong\u003eThird-Party Website Application (TPWA) Privacy Impact Assessment\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA TPWA is an analysis of third-party websites or application technologies (like social media platforms) used by CMS to communicate and engage with members of the public. The TPWA PIA has different questions based on the specific risks and compliance requirements for TPWAs as outlined by \u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf\"\u003eOMB M-10-23\u003c/a\u003e. However, the PIA and TPWA PIA require approval from HHS and are published on the HHS public web page.\u003c/p\u003e\u003ch2 id=\"what-is-considered-a-major-change\"\u003e\u003cstrong\u003eWhat is considered a major change?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA major change is something that alters the privacy risk associated with the use of a particular IT system. An example of a major change that would require an update to the PIA is a decision to collect social security numbers for an information system that previously was not collecting social security numbers. According to \u003ca href=\"https://obamawhitehouse.archives.gov/omb/memoranda_m03-22/\"\u003eOMB M-03-22\u003c/a\u003e, PIAs should be reviewed following the major changes including, but not limited to:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eConversions: \u003c/strong\u003eA conversion from paper-based information collection methods to electronic systems (e.g. records currently in paper form will be scanned or otherwise added into a system).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAnonymous to Non-Anonymous: \u003c/strong\u003eWhen the system previously collected information about users that did not identify them, but has changed to collect information that makes anonymity impossible.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSignificant System Management Changes:\u003c/strong\u003e The introduction of new applications or technologies to an existing system significantly changes the process of how PII is managed within the system.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSignificant Merging:\u003c/strong\u003e When agency and/or government databases holding PII are merged, centralized, matched with other databases, or otherwise significantly manipulated.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNew Public Access: \u003c/strong\u003eWhen user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system that can be accessed by the public.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCommercial Sources: \u003c/strong\u003eWhen PII is obtained from commercial or public sources and is integrated into the existing government information systems databases.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNew Interagency Uses: \u003c/strong\u003eWhen agencies work together on shared functions involving significant new uses or exchanges of PII.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInternal Flow or Collection: \u003c/strong\u003eWhen alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional PII.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAlteration in Character of Data: \u003c/strong\u003eWhen a new type of PII is added to a pre-existing collection and raises the risk to personal privacy, such as the addition of health or privacy information.\u0026nbsp;\u003c/p\u003e\u003ch2 id=\"how-to-complete-a-privacy-impact-assessment-pia\"\u003e\u003cstrong\u003eHow to complete a Privacy Impact Assessment (PIA)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eHHS issues the master guidance for the completion of PIAs. ISPG has taken the guidance provided by HHS and translated it into a questionnaire that can be found on \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCFACTS\u003c/a\u003e. ISSOs can log in to CFACTS to complete the questionnaire with guidance from the System/Business Owner and the assigned Cyber Risk Advisor (CRA).\u0026nbsp;\u003c/p\u003e\u003cp\u003eA step by step guide to answering the questions required to complete the PIA can be found within the PIA \u0026amp; PTA Writers Handbook, which is written by HHS and can be found as a resource on the front page of each individual question in CFACTS. You can also check out the CMS Privacy Impact Assessment Handbook for guidance and tips to ensure that your PIA is written correctly.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe procedures below give a summary review of the actions necessary to complete a new PIA or modify an existing PIA.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1b:T1eae,"])</script><script>self.__next_f.push([1,"\u003ch2 id=\"types-of-privacy-assessments\"\u003e\u003cstrong\u003eTypes of privacy assessments\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eProtecting user privacy through system security is a core mission of CMS. The type of information collected by a system determines what kind of assessment is required. The HHS PIA \u0026amp; PTA Writers Handbook provides guidance and questions to help system owners and ISSOs determine which privacy assessment is right for their specific needs.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThere are four main types of privacy assessments:\u0026nbsp;\u003c/p\u003e\u003ch3 id=\"privacy-impact-assessments-pias\"\u003e\u003cstrong\u003ePrivacy Impact Assessments (PIAs)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePIAs are an analysis of how personally identifiable information is handled. PIAs are important because they help system owners:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDetermine the risks of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of PII within FISMA systems.\u003c/li\u003e\u003cli\u003eExamine and evaluate protections for handling information to mitigate potential privacy concerns.\u003c/li\u003e\u003cli\u003eDevelop new solutions to manage PII if current collection methods arent optimized.\u003c/li\u003e\u003cli\u003eEnsure that information is handled in a manner that supports all applicable legal, regulatory, and policy requirements regarding privacy.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ePIAs must be completed in the following situations:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor all new systems that collect PII from 10 or more members of the general public, a PIA is required to be completed as part of the broader Authority to Operate (ATO) process.\u003c/li\u003e\u003cli\u003eFor every existing system that collects PII from 10 or more members of the general public, a PIA must be reviewed and re-approved once every three years. System/Business Owners and Information System Security Officers (ISSOs) must review and revise as necessary and submit PIAs for re-approval no later than three years from the last HHS approval date.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor any existing system undergoing a major change, an updated PIA is required.\u003c/li\u003e\u003cli\u003eAn existing system going through the ATO process may need to update its PIA paperwork if its close to expiring; an ATO cannot be completed with an expired or incomplete PIA.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your FISMA system does not meet the requirements above, it may not require a traditional PIA. In these instances, there may be other Privacy compliance requirements for your system or application. If youre unsure which assessment is right for you, the Privacy Office can help you make the right choice from the following options:\u003c/p\u003e\u003ch3 id=\"internal-privacy-impact-assessments\"\u003e\u003cstrong\u003eInternal Privacy Impact Assessments\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eInternal PIAs are similar to the PIAs described above but are only conducted for systems that collect PII of CMS employees and direct contractors only. Like a PIA, an internal PIA must be updated when a major change is planned for an IT system or electronic information collection. Unlike a traditional PIA, an internal PIA is not published on the HHS website and is not subject to the three-year review requirement.\u0026nbsp;\u003c/p\u003e\u003ch3 id=\"privacy-threshold-analysis-pta\"\u003e\u003cstrong\u003ePrivacy Threshold Analysis (PTA)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA PTA is an analysis performed in lieu of a formal PIA for systems that do not collect, disseminate, maintain, or dispose of PII. The PTA must be updated during a major change or if the manner in which electronic information is collected is changed. It is possible that a major change (e.g., the addition of PII) could result in a PTA meeting the threshold to be a PIA. Since HHS uses an interactive form for PIAs, a separate document is not necessary to complete a PTA. PTAs are not published on the HHS website and are not subject to the three-year review requirement.\u0026nbsp;\u003c/p\u003e\u003ch3 id=\"third-party-website-application-tpwa-privacy-impact-assessment\"\u003e\u003cstrong\u003eThird-Party Website Application (TPWA) Privacy Impact Assessment\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA TPWA is an analysis of third-party websites or application technologies (like social media platforms) used by CMS to communicate and engage with members of the public. The TPWA PIA has different questions based on the specific risks and compliance requirements for TPWAs as outlined by \u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf\"\u003eOMB M-10-23\u003c/a\u003e. However, the PIA and TPWA PIA require approval from HHS and are published on the HHS public web page.\u003c/p\u003e\u003ch2 id=\"what-is-considered-a-major-change\"\u003e\u003cstrong\u003eWhat is considered a major change?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA major change is something that alters the privacy risk associated with the use of a particular IT system. An example of a major change that would require an update to the PIA is a decision to collect social security numbers for an information system that previously was not collecting social security numbers. According to \u003ca href=\"https://obamawhitehouse.archives.gov/omb/memoranda_m03-22/\"\u003eOMB M-03-22\u003c/a\u003e, PIAs should be reviewed following the major changes including, but not limited to:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eConversions: \u003c/strong\u003eA conversion from paper-based information collection methods to electronic systems (e.g. records currently in paper form will be scanned or otherwise added into a system).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAnonymous to Non-Anonymous: \u003c/strong\u003eWhen the system previously collected information about users that did not identify them, but has changed to collect information that makes anonymity impossible.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSignificant System Management Changes:\u003c/strong\u003e The introduction of new applications or technologies to an existing system significantly changes the process of how PII is managed within the system.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSignificant Merging:\u003c/strong\u003e When agency and/or government databases holding PII are merged, centralized, matched with other databases, or otherwise significantly manipulated.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNew Public Access: \u003c/strong\u003eWhen user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system that can be accessed by the public.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCommercial Sources: \u003c/strong\u003eWhen PII is obtained from commercial or public sources and is integrated into the existing government information systems databases.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNew Interagency Uses: \u003c/strong\u003eWhen agencies work together on shared functions involving significant new uses or exchanges of PII.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInternal Flow or Collection: \u003c/strong\u003eWhen alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional PII.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAlteration in Character of Data: \u003c/strong\u003eWhen a new type of PII is added to a pre-existing collection and raises the risk to personal privacy, such as the addition of health or privacy information.\u0026nbsp;\u003c/p\u003e\u003ch2 id=\"how-to-complete-a-privacy-impact-assessment-pia\"\u003e\u003cstrong\u003eHow to complete a Privacy Impact Assessment (PIA)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eHHS issues the master guidance for the completion of PIAs. ISPG has taken the guidance provided by HHS and translated it into a questionnaire that can be found on \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCFACTS\u003c/a\u003e. ISSOs can log in to CFACTS to complete the questionnaire with guidance from the System/Business Owner and the assigned Cyber Risk Advisor (CRA).\u0026nbsp;\u003c/p\u003e\u003cp\u003eA step by step guide to answering the questions required to complete the PIA can be found within the PIA \u0026amp; PTA Writers Handbook, which is written by HHS and can be found as a resource on the front page of each individual question in CFACTS. You can also check out the CMS Privacy Impact Assessment Handbook for guidance and tips to ensure that your PIA is written correctly.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe procedures below give a summary review of the actions necessary to complete a new PIA or modify an existing PIA.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1c:T5673,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the purpose of a Privacy Impact Assessment (PIA)?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. The purpose of a PIA is to demonstrate that system owners have consciously incorporated privacy protections within their systems for information supplied for by the public.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePIAs are required by the E-Government Act of 2002, which was enacted by Congress in order to improve the management of Federal electronic government services and processes. Section 208 of the E-Government Act specifically requires PIAs to be created when a federal agency develops or procures new information technology that involves the collection, maintenance, or dissemination of information in identifiable form.\u003c/p\u003e\u003cp\u003eFurther, because the E-Government Act also includes a provision requiring PIAs to be published publicly on agency websites, they allow CMS to communicate more clearly with the public about how we handle information, including how we address privacy concerns and safeguard information. Copies of completed PIAs are\u003ca href=\"https://www.hhs.gov/pia/index.html\"\u003e posted on the HHS website\u003c/a\u003e upon completion to offer transparency to the public.\u003c/p\u003e\u003cp\u003ePIAs must be completed in the following situations:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor all new systems that collect PII from 10 or more members of the general public, a PIA is required to be completed as part of the broader Authority to Operate (ATO) process.\u003c/li\u003e\u003cli\u003eFor every existing system that collects PII from 10 or more members of the general public, a PIA must be reviewed and re-approved once every three years. System/Business Owners and Information System Security Officers (ISSOs) must review and revise as necessary, and submit PIAs for re-approval no later than three years from the last HHS approval date.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor any existing system undergoing a \u003cstrong\u003emajor change\u003c/strong\u003e, an updated PIA is required.\u003c/li\u003e\u003cli\u003eAn existing system that is going through the ATO process may need to update their PIA paperwork if its close to expiring; an ATO cannot be completed with an expired or incomplete PIA.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your FISMA system does not meet the requirements above, it may not require a traditional PIA. In these instances, there may be other Privacy compliance requirements for your system or application. For example, you may be required to complete a different type of assessment (such as a Privacy Threshold Analysis (PTA), Third Party Website Application (TPWA) Privacy Impact Assessment, or Internal Privacy Impact Assessment).\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePIA roles and responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eHHS Chief Information Officer (CIO)/Senior Agency Official for Privacy (SAOP)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAt HHS, the Chief Information Officer (CIO) is designated as the Senior Agency Official for Privacy (SAOP) and provides the overall program structure for the completion of PIAs across all operating divisions. Responsibilities for the SAOP include, but are not limited to the following:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop a standard form for HHS PIAs\u003c/li\u003e\u003cli\u003eReview PIAs from all operating divisions for adequacy, consistency, and compliance with federal and HHS requirements\u003c/li\u003e\u003cli\u003eIf the PIA meets HHSs requirements, the PIA is signed by the SAOP, which finalizes the PIA for a period depending on the type of PIA\u003c/li\u003e\u003cli\u003eEnsure all PIAs are published and made publicly available on HHS.gov\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Senior Official for Privacy (SOP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAt CMS, the Senior Official for Privacy (SOP) is the lead privacy official responsible for administering the agency PIA process and providing direction for the CMS privacy program. Unresolved privacy risks and other potential issues should be addressed before submission to the CMS SOP for final review. Responsibilities of the CMS SOP include, but are not limited to the following:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eEstablish a CMS specific framework for the development and completion of PIAs in accordance with federal and HHS requirements\u003c/li\u003e\u003cli\u003eReview and approve all PIAs for completion and consistency prior to submission to the HHS SAOP in coordination with the CMS Final Approver\u003c/li\u003e\u003cli\u003eSigning the PIA on behalf of CMS once the PIA satisfies federal and HHS requirements (The PIA will still require HHSs final signature before publication to the HHS website)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS System Owner/Business Owner\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eInformation System Owners or Business Owners are individuals who are responsible for CMS FISMA systems or electronic information collections. System/Business Owners:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview, revise, and submit PIAs for approval for new systems or re-approval whenever a change to an IT system, a change in CMS practice, or another factor alters the privacy risks associated with the use of the IT system or electronic information collection.\u0026nbsp;\u003c/li\u003e\u003cli\u003eAllocate proper resources to permit identification and remediation of privacy risks and weaknesses identified on PIAs.\u0026nbsp;\u003c/li\u003e\u003cli\u003eReview, revise, and submit PIAs for re-approval three years from the last approval date, and as part of the authorization process as required.\u0026nbsp;\u003c/li\u003e\u003cli\u003eComply with all relevant Privacy Act requirements regarding any system of records, including, but not limited to, providing individuals with procedures for access and amendment of records.\u003c/li\u003e\u003cli\u003eEnsure all artifacts are in place as needed such as a Computer Matching Agreement (CMA), Information Exchange Agreements (IEA), or any other agreement when sharing information.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDepending on the structure of your specific team, some System/Business Owner responsibilities will be completed by the trained ISSO. Alternatively, some teams may utilize their System/Business Owner to complete ISSO tasks. Your team will decide what structure works best for your unique needs.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Privacy Advisor\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Privacy Advisor has in-depth knowledge of privacy risks and can help your team meet the requirements for your PIA. The Privacy Advisor will complete the following tasks:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview component PIAs for accuracy, consistency and compliance; coordinating with the Cyber Risk Advisor (CRA) to identify any outstanding privacy risks prior to submission to the CMS SOP.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEnsure answers provided in the PIA are consistent with the HHS PTA and PIA Writers Handbook.\u0026nbsp;\u003c/li\u003e\u003cli\u003eCheck each PIA for other Privacy-related requirements (e.g. Privacy Act implications).\u0026nbsp;\u003c/li\u003e\u003cli\u003eReview and edit each PIA for grammatical mistakes or incomplete responses.\u0026nbsp;\u003c/li\u003e\u003cli\u003eProvide input and guidance as needed regarding any other privacy weaknesses as identified.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Cyber Risk Advisor (CRA)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CRA is responsible for coordinating the drafting and review process of the PIA with the CMS office or center in which they are representing. The CRA will:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eCommunicate with System/Business Owners through the authorization process, and ensure that the PIA is included in the authorization package.\u003c/li\u003e\u003cli\u003eReview PIAs submitted by the ISSO or System Owner for potential security and privacy risk, this can include:\u003cul\u003e\u003cli\u003eChecking that information in the PIA matches other artifacts in the ATO package as needed, including checking for grammatical mistakes or incomplete responses.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEnsuring the answers provided in the PIA are consistent with the HHS PTA and PIA Writers Handbook.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the Privacy Advisor to identify any potential privacy risks during the review of the PIA.\u0026nbsp;\u003c/li\u003e\u003cli\u003eReview PIAs sent back from the SOP and/or HHS and coordinate with the ISSO and Privacy Advisor to resolve the outstanding comments as needed.\u0026nbsp;\u003c/li\u003e\u003cli\u003eCoordinate with the Privacy Advisor to submit completed PIAs for approval to the CMS SOP.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Information System Security Officer (ISSO)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO provides oversight and develops documentation to ensure the completion of the Security Assessment and Authorization (SA\u0026amp;A) process for their information systems. The ISSO typically performs this function on behalf of the System/Business Owner for the FISMA system. The PIA is included as one of the artifacts in the Security Assessment and Authorization package. The ISSO will:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDraft a new PIA or modify a PIA in coordination with the System Owner and CRA to address major changes or PIA requirements.\u003c/li\u003e\u003cli\u003eContact the CRA to obtain either HHS or CMS PIA guidance when required.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEngage with the System/Business Owner, CRA, Privacy Advisor, and CMS leadership to ensure all comments and suggestions are included in the PIA\u003c/li\u003e\u003cli\u003eAssist in identifying and remediating potential privacy risks and notify System/Business Owners of PIA requirements;\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eInform the CRA when a planned, new or existing system will require a PIA\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSteps for completing your PIA\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Department of Health and Human Services (HHS) issues the master guidance for completing PIAs. ISPG has taken the guidance provided by HHS and translated it into a questionnaire found on\u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003e CFACTS\u003c/a\u003e. ISSOs can log in to CFACTS to complete the questionnaire with guidance from the System/Business Owner and the assigned Cyber Risk Advisor (CRA). A step-by-step guide to answering the questions required to complete the PIA can be found within the PIA \u0026amp; PTA Writers Handbook, which is written by HHS and can be found as a resource on the front page of each question in CFACTS. If you would like a copy of the PIA \u0026amp; PTA Writers Handbook, please contact the Privacy Office. The procedures below give a summary review of the actions necessary to complete a new PIA or modify an existing PIA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 1: PIA initial draft\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: SO/BO, ISSO, Cyber Risk Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eFollowing any of the scenarios or major changes that would require the completion of a PIA, the System/Business Owner works with the ISSO to draft a new or revised PIA in CFACTS. Upon completion of the new or revised PIA, the System/Business Owner or ISSO will contact the CRA for review. In CFACTS, the queue for the System/Business owner or ISSO is “ISSO Submitter” for the PIA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 2: PIA review / revision\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: CRA, Privacy Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CRA reviews the PIA in collaboration with the Privacy Advisor and coordinates recommended changes with the system/business owner or ISSO. Any identified privacy risks or compliance issues should be resolved before submission to the SOP for approval. If the SOP or SAOP recommends changes, the review process will return to this step as needed until the PIA is approved and finalized by the Senior Agency Official for Privacy (SAOP).\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 3: PIA approval\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: CMS Senior Official for Privacy (SOP), Final Approver\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SOP or designated Final Approver will review the PIA and recommend approval to HHS if no changes are recommended.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 4: PIA signing\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: Senior Agency Official for Privacy (SAOP)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SAOP will designate staff to review all PIAs before approval for signature. If no changes are recommended, the SOP and SAOP will digitally sign the PIA. Once signed by the SOP and SAOP, the PIA is approved and complete for a length of time as discussed above.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 5: PIA posting\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: Senior Agency Official for Privacy (SAOP)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SAOP will send the completed PIA to HHS\u003cstrong\u003e. \u003c/strong\u003eHHS will submit the final PIA for publication to the HHS PIA internet site at\u003ca href=\"https://www.hhs.gov/pia\"\u003e https://www.hhs.gov/pia\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTips for completing your PIA\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBefore starting to fill out your PIA, obtain and review any available program and system documentation. This may include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWebsites that explain the service or business process supported by the system;\u003c/li\u003e\u003cli\u003eInformation Collection Requests (ICRs) if the system collects information from the public and is subject to the Paperwork Reduction Act (PRA); if unsure, please reach out to the PRA office.\u0026nbsp;\u003c/li\u003e\u003cli\u003ePrivacy Act Statements (PASs) and System of Records Notices (SORNs) if records in the system are subject to the Privacy Act;\u003c/li\u003e\u003cli\u003eAgency IT Portfolio Summaries (formerly called Exhibit 53s) or any Major IT Investment Business Cases (formerly called Exhibit 300s);\u003c/li\u003e\u003cli\u003eEnterprise Program Lifecycle Artifacts such as a System Security and Privacy Plan (SSPP); and\u003c/li\u003e\u003cli\u003eAny handbooks or other guidance on how to use the system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIt may be possible to reuse language from these documents to respond to questions. However, make sure you review all copied text to verify that it is specific to the system being reviewed, is complete, and makes sense absent the rest of the document. Text copied from marketing materials and system planning documents may discuss functions that were never purchased or implemented. Text copied from a SORN or budget document may describe more than one system.\u003c/p\u003e\u003cp\u003eThe purpose of a PIA is to provide the general public with information about how CMS systems collect and share user data. The general public is the audience for PIAs, so its essential to keep your end users in mind when drafting your PIA.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAnswer each question briefly; text fields have a limited capacity when translated to the final documentation in CFACTS\u003c/li\u003e\u003cli\u003eWrite in a way that is easily understood by the general public; avoid using overly technical language, and clearly define technical terms and references if needed to describe a system.\u003c/li\u003e\u003cli\u003eDefine each acronym the first time it is used; use the acronym alone in all subsequent references.\u003c/li\u003e\u003cli\u003eDo not include sensitive or confidential system information or information that could allow a potential threat source to gain unauthorized access into the system (e.g., do not provide detailed information on technical security controls)\u003c/li\u003e\u003cli\u003eProvide information about authentication credentials. Reviewers need to know if the system is accessed using system-specific login information such as a username and password or if the system uses only PIV access and single sign-on authentication. The login method determines how user credentials are stored outside the system boundary. Please include a statement indicating whether login information is stored in the system.\u003c/li\u003e\u003cli\u003eMake it clear who the “users” are for your system. In some cases, it may be confusing whether “users” refers to individuals creating records about themselves or whether “users” are CMS staff members receiving and acting on this information. Please make this distinction clear the first time the term “users” is used. If contractors are listed as users, please cite if contractors are “direct” or “indirect”.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eGuidance for specific PIA questions\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCompleting a Privacy Impact Assessment (PIA) can be a challenge. Its essential to provide all the relevant information while ensuring it is correct and up to date. The following guidance comes from the Privacy Office, as well as a number of ISSOs and System/Business Owners who have experience completing successful PIAs in CFACTS.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor PIA question 6b, make sure the ISSO information is correct and up to date.\u003c/li\u003e\u003cli\u003eWhen answering question 10, consider all changes that have occurred since the PIA was last finalized, as well as the changes that will occur when the PIA is finalized. All changes, whether or not they pose a new privacy risk, should be documented. Examples of changes include changing the physical location of a server or adding additional collection of new PII elements.\u003c/li\u003e\u003cli\u003eFor PIA question 11, you should include what HHS functions are supported by the system and how the system completes those functions. Your response should be concise and specific, and should not contain jargon or overly technical terms so that a reader with no prior knowledge of the system will understand the response. Dont forget to spell out all acronyms on first usage.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor PIA question 12, list and describe all types of information collected by the system regardless of whether that information is considered PII. Make sure to include how long information is stored in the system. If the system holds system-specific access credentials, e.g., username, password, please describe those components in the response to this question. Specify whether the username and/or password are created by the individual, generated by the system, provided by a system administrator, or established through some other process.\u0026nbsp; Reminder: Any types of PII listed in this response also need to be listed in PIA question 15.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor PIA question 12, describe why the information listed in the question is collected. The response to this question should consider all information, whether or not it is PII. The response to this question should also specify what information is collected about each category of individual and should document and discuss if records are retrieved by PII elements.\u003c/li\u003e\u003cli\u003eFor PIA question13, include a brief description of the method of record retrieval, if you answered “Yes'' to PIA question 22 regarding System of Record Notification (SORN). Note the PII used and categories of individuals to whom the PII relates.\u0026nbsp;\u003cul\u003e\u003cli\u003eAn example is: The Physical Security System (PSS) regularly uses PII to retrieve system records including using the last name, employee ID number, and/or work phone number of CMS employees, contractors, and members of the public authorized to access the main campus and satellite offices.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePIA question 14 is calculated by the system. Reminder: If the response to this question is No, PIA questions 15 through 38 should no longer appear on the form.\u0026nbsp;\u003c/li\u003e\u003cli\u003eIf PIA question 15 is shown, check all the boxes that apply. If the information collected by the system is not described by any of the items in the list, there is a text field under Other where you can list additional information. Your response should include all types of PII regardless of type sensitivity, or whether it is from employees or the public. Reminder: PII elements need to be accounted for in both PIA question 12 and PIA question 15.\u003c/li\u003e\u003cli\u003ePIA question 20 should describe all the ways Social Security Numbers (SSNS) are used in the system (if applicable). Youll need to share when, where, and why an SSN is disclosed or shared; and why the SSN is used rather than another identifier.\u0026nbsp;\u003cul\u003e\u003cli\u003eNOTE: Employer Identification Number (EIN) also known as Federal Employer Identification Number (FEIN) or Tax Identification Number (TIN) or Federal Tax Identification Number (FTIN).\u0026nbsp; Individuals may choose to use their SSN as their EIN or FTIN. Typically, this would be sole proprietors or other small business owners who use SSN as EIN for tax purposes. EIN often appears in the format XX-XXXXXXX and may not stand out as a SSN. Any time that Social Security Numbers are involved, examine whether the collection and/or use of the SSN can be eliminated.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eReminder: If the response to this question states that SSNs are collected, SSNs should also be listed in the response to PIA question 15.\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePIA question 21 asks for the legal authorities governing information collection. Every system with PII must have an authority to collect this information. This will be a statute or Executive Order that either (a) permits or requires collection of the PII, or (b) permits or requires the underlying activity, for which it is necessary to collect PII.\u003c/li\u003e\u003cli\u003ePIA questions 22 and 22a are relevant to System of Record Notifications (SORNs). If the\u003c/li\u003e\u003cli\u003esystem uses PII to retrieve records, it may need to be covered by a SORN. Any system that has already received Privacy Office signatures should already reference a SORN. If not, you may need to seek guidance from ISPG or DSPPG to determine whether a SORN is required and in identifying an existing SORN that might apply. Please also review your response to PIA question 13 to ensure that it matches with your response here in question 22.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEach system has unique functions and answers to questions will be different for different systems. Question 23 determines whether your system needs an Information Collection Approval number from the White House Office of Management and Budget (OMB). In some cases, when you answer question 23, question 23a will appear. It asks about an OMB Information Collection Approval number. Under the Paperwork Reduction Act (PRA), the System/Business Owner or ISSO may need to obtain an information collection approval number from the OMB. Use the information in the CMS guidance and HHS PIA Writers Handbook regarding this question to contact subject matter experts as needed.\u003c/li\u003e\u003cli\u003eFor PIA question 27, please state that any system that utilizes information obtained from the Enterprise Portal (EIDM) must provide individuals the option to opt-out of information sharing. And similar to PIA question 25, if EIDM has its own PIA for CMS please add this statement.\u003c/li\u003e\u003cli\u003eFor PIA question 29, Identify System Acronym\u003c/li\u003e\u003cli\u003eFor PIA question 37, NARA Disposition Schedule ID, and the retention period described by the schedule, should be included\u003c/li\u003e\u003cli\u003ePIA question 37 asks about the system retention schedule. Every system (whether it contains PII or not) should have been made subject to an information retention schedule. Check with the Records Officer to identify the appropriate retention schedule.\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1d:T5673,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the purpose of a Privacy Impact Assessment (PIA)?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. The purpose of a PIA is to demonstrate that system owners have consciously incorporated privacy protections within their systems for information supplied for by the public.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePIAs are required by the E-Government Act of 2002, which was enacted by Congress in order to improve the management of Federal electronic government services and processes. Section 208 of the E-Government Act specifically requires PIAs to be created when a federal agency develops or procures new information technology that involves the collection, maintenance, or dissemination of information in identifiable form.\u003c/p\u003e\u003cp\u003eFurther, because the E-Government Act also includes a provision requiring PIAs to be published publicly on agency websites, they allow CMS to communicate more clearly with the public about how we handle information, including how we address privacy concerns and safeguard information. Copies of completed PIAs are\u003ca href=\"https://www.hhs.gov/pia/index.html\"\u003e posted on the HHS website\u003c/a\u003e upon completion to offer transparency to the public.\u003c/p\u003e\u003cp\u003ePIAs must be completed in the following situations:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor all new systems that collect PII from 10 or more members of the general public, a PIA is required to be completed as part of the broader Authority to Operate (ATO) process.\u003c/li\u003e\u003cli\u003eFor every existing system that collects PII from 10 or more members of the general public, a PIA must be reviewed and re-approved once every three years. System/Business Owners and Information System Security Officers (ISSOs) must review and revise as necessary, and submit PIAs for re-approval no later than three years from the last HHS approval date.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor any existing system undergoing a \u003cstrong\u003emajor change\u003c/strong\u003e, an updated PIA is required.\u003c/li\u003e\u003cli\u003eAn existing system that is going through the ATO process may need to update their PIA paperwork if its close to expiring; an ATO cannot be completed with an expired or incomplete PIA.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your FISMA system does not meet the requirements above, it may not require a traditional PIA. In these instances, there may be other Privacy compliance requirements for your system or application. For example, you may be required to complete a different type of assessment (such as a Privacy Threshold Analysis (PTA), Third Party Website Application (TPWA) Privacy Impact Assessment, or Internal Privacy Impact Assessment).\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePIA roles and responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eHHS Chief Information Officer (CIO)/Senior Agency Official for Privacy (SAOP)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAt HHS, the Chief Information Officer (CIO) is designated as the Senior Agency Official for Privacy (SAOP) and provides the overall program structure for the completion of PIAs across all operating divisions. Responsibilities for the SAOP include, but are not limited to the following:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop a standard form for HHS PIAs\u003c/li\u003e\u003cli\u003eReview PIAs from all operating divisions for adequacy, consistency, and compliance with federal and HHS requirements\u003c/li\u003e\u003cli\u003eIf the PIA meets HHSs requirements, the PIA is signed by the SAOP, which finalizes the PIA for a period depending on the type of PIA\u003c/li\u003e\u003cli\u003eEnsure all PIAs are published and made publicly available on HHS.gov\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Senior Official for Privacy (SOP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAt CMS, the Senior Official for Privacy (SOP) is the lead privacy official responsible for administering the agency PIA process and providing direction for the CMS privacy program. Unresolved privacy risks and other potential issues should be addressed before submission to the CMS SOP for final review. Responsibilities of the CMS SOP include, but are not limited to the following:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eEstablish a CMS specific framework for the development and completion of PIAs in accordance with federal and HHS requirements\u003c/li\u003e\u003cli\u003eReview and approve all PIAs for completion and consistency prior to submission to the HHS SAOP in coordination with the CMS Final Approver\u003c/li\u003e\u003cli\u003eSigning the PIA on behalf of CMS once the PIA satisfies federal and HHS requirements (The PIA will still require HHSs final signature before publication to the HHS website)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS System Owner/Business Owner\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eInformation System Owners or Business Owners are individuals who are responsible for CMS FISMA systems or electronic information collections. System/Business Owners:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview, revise, and submit PIAs for approval for new systems or re-approval whenever a change to an IT system, a change in CMS practice, or another factor alters the privacy risks associated with the use of the IT system or electronic information collection.\u0026nbsp;\u003c/li\u003e\u003cli\u003eAllocate proper resources to permit identification and remediation of privacy risks and weaknesses identified on PIAs.\u0026nbsp;\u003c/li\u003e\u003cli\u003eReview, revise, and submit PIAs for re-approval three years from the last approval date, and as part of the authorization process as required.\u0026nbsp;\u003c/li\u003e\u003cli\u003eComply with all relevant Privacy Act requirements regarding any system of records, including, but not limited to, providing individuals with procedures for access and amendment of records.\u003c/li\u003e\u003cli\u003eEnsure all artifacts are in place as needed such as a Computer Matching Agreement (CMA), Information Exchange Agreements (IEA), or any other agreement when sharing information.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDepending on the structure of your specific team, some System/Business Owner responsibilities will be completed by the trained ISSO. Alternatively, some teams may utilize their System/Business Owner to complete ISSO tasks. Your team will decide what structure works best for your unique needs.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Privacy Advisor\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Privacy Advisor has in-depth knowledge of privacy risks and can help your team meet the requirements for your PIA. The Privacy Advisor will complete the following tasks:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview component PIAs for accuracy, consistency and compliance; coordinating with the Cyber Risk Advisor (CRA) to identify any outstanding privacy risks prior to submission to the CMS SOP.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEnsure answers provided in the PIA are consistent with the HHS PTA and PIA Writers Handbook.\u0026nbsp;\u003c/li\u003e\u003cli\u003eCheck each PIA for other Privacy-related requirements (e.g. Privacy Act implications).\u0026nbsp;\u003c/li\u003e\u003cli\u003eReview and edit each PIA for grammatical mistakes or incomplete responses.\u0026nbsp;\u003c/li\u003e\u003cli\u003eProvide input and guidance as needed regarding any other privacy weaknesses as identified.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Cyber Risk Advisor (CRA)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CRA is responsible for coordinating the drafting and review process of the PIA with the CMS office or center in which they are representing. The CRA will:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eCommunicate with System/Business Owners through the authorization process, and ensure that the PIA is included in the authorization package.\u003c/li\u003e\u003cli\u003eReview PIAs submitted by the ISSO or System Owner for potential security and privacy risk, this can include:\u003cul\u003e\u003cli\u003eChecking that information in the PIA matches other artifacts in the ATO package as needed, including checking for grammatical mistakes or incomplete responses.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEnsuring the answers provided in the PIA are consistent with the HHS PTA and PIA Writers Handbook.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the Privacy Advisor to identify any potential privacy risks during the review of the PIA.\u0026nbsp;\u003c/li\u003e\u003cli\u003eReview PIAs sent back from the SOP and/or HHS and coordinate with the ISSO and Privacy Advisor to resolve the outstanding comments as needed.\u0026nbsp;\u003c/li\u003e\u003cli\u003eCoordinate with the Privacy Advisor to submit completed PIAs for approval to the CMS SOP.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Information System Security Officer (ISSO)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO provides oversight and develops documentation to ensure the completion of the Security Assessment and Authorization (SA\u0026amp;A) process for their information systems. The ISSO typically performs this function on behalf of the System/Business Owner for the FISMA system. The PIA is included as one of the artifacts in the Security Assessment and Authorization package. The ISSO will:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDraft a new PIA or modify a PIA in coordination with the System Owner and CRA to address major changes or PIA requirements.\u003c/li\u003e\u003cli\u003eContact the CRA to obtain either HHS or CMS PIA guidance when required.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEngage with the System/Business Owner, CRA, Privacy Advisor, and CMS leadership to ensure all comments and suggestions are included in the PIA\u003c/li\u003e\u003cli\u003eAssist in identifying and remediating potential privacy risks and notify System/Business Owners of PIA requirements;\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eInform the CRA when a planned, new or existing system will require a PIA\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSteps for completing your PIA\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Department of Health and Human Services (HHS) issues the master guidance for completing PIAs. ISPG has taken the guidance provided by HHS and translated it into a questionnaire found on\u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003e CFACTS\u003c/a\u003e. ISSOs can log in to CFACTS to complete the questionnaire with guidance from the System/Business Owner and the assigned Cyber Risk Advisor (CRA). A step-by-step guide to answering the questions required to complete the PIA can be found within the PIA \u0026amp; PTA Writers Handbook, which is written by HHS and can be found as a resource on the front page of each question in CFACTS. If you would like a copy of the PIA \u0026amp; PTA Writers Handbook, please contact the Privacy Office. The procedures below give a summary review of the actions necessary to complete a new PIA or modify an existing PIA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 1: PIA initial draft\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: SO/BO, ISSO, Cyber Risk Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eFollowing any of the scenarios or major changes that would require the completion of a PIA, the System/Business Owner works with the ISSO to draft a new or revised PIA in CFACTS. Upon completion of the new or revised PIA, the System/Business Owner or ISSO will contact the CRA for review. In CFACTS, the queue for the System/Business owner or ISSO is “ISSO Submitter” for the PIA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 2: PIA review / revision\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: CRA, Privacy Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CRA reviews the PIA in collaboration with the Privacy Advisor and coordinates recommended changes with the system/business owner or ISSO. Any identified privacy risks or compliance issues should be resolved before submission to the SOP for approval. If the SOP or SAOP recommends changes, the review process will return to this step as needed until the PIA is approved and finalized by the Senior Agency Official for Privacy (SAOP).\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 3: PIA approval\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: CMS Senior Official for Privacy (SOP), Final Approver\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SOP or designated Final Approver will review the PIA and recommend approval to HHS if no changes are recommended.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 4: PIA signing\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: Senior Agency Official for Privacy (SAOP)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SAOP will designate staff to review all PIAs before approval for signature. If no changes are recommended, the SOP and SAOP will digitally sign the PIA. Once signed by the SOP and SAOP, the PIA is approved and complete for a length of time as discussed above.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 5: PIA posting\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: Senior Agency Official for Privacy (SAOP)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SAOP will send the completed PIA to HHS\u003cstrong\u003e. \u003c/strong\u003eHHS will submit the final PIA for publication to the HHS PIA internet site at\u003ca href=\"https://www.hhs.gov/pia\"\u003e https://www.hhs.gov/pia\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTips for completing your PIA\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBefore starting to fill out your PIA, obtain and review any available program and system documentation. This may include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWebsites that explain the service or business process supported by the system;\u003c/li\u003e\u003cli\u003eInformation Collection Requests (ICRs) if the system collects information from the public and is subject to the Paperwork Reduction Act (PRA); if unsure, please reach out to the PRA office.\u0026nbsp;\u003c/li\u003e\u003cli\u003ePrivacy Act Statements (PASs) and System of Records Notices (SORNs) if records in the system are subject to the Privacy Act;\u003c/li\u003e\u003cli\u003eAgency IT Portfolio Summaries (formerly called Exhibit 53s) or any Major IT Investment Business Cases (formerly called Exhibit 300s);\u003c/li\u003e\u003cli\u003eEnterprise Program Lifecycle Artifacts such as a System Security and Privacy Plan (SSPP); and\u003c/li\u003e\u003cli\u003eAny handbooks or other guidance on how to use the system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIt may be possible to reuse language from these documents to respond to questions. However, make sure you review all copied text to verify that it is specific to the system being reviewed, is complete, and makes sense absent the rest of the document. Text copied from marketing materials and system planning documents may discuss functions that were never purchased or implemented. Text copied from a SORN or budget document may describe more than one system.\u003c/p\u003e\u003cp\u003eThe purpose of a PIA is to provide the general public with information about how CMS systems collect and share user data. The general public is the audience for PIAs, so its essential to keep your end users in mind when drafting your PIA.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAnswer each question briefly; text fields have a limited capacity when translated to the final documentation in CFACTS\u003c/li\u003e\u003cli\u003eWrite in a way that is easily understood by the general public; avoid using overly technical language, and clearly define technical terms and references if needed to describe a system.\u003c/li\u003e\u003cli\u003eDefine each acronym the first time it is used; use the acronym alone in all subsequent references.\u003c/li\u003e\u003cli\u003eDo not include sensitive or confidential system information or information that could allow a potential threat source to gain unauthorized access into the system (e.g., do not provide detailed information on technical security controls)\u003c/li\u003e\u003cli\u003eProvide information about authentication credentials. Reviewers need to know if the system is accessed using system-specific login information such as a username and password or if the system uses only PIV access and single sign-on authentication. The login method determines how user credentials are stored outside the system boundary. Please include a statement indicating whether login information is stored in the system.\u003c/li\u003e\u003cli\u003eMake it clear who the “users” are for your system. In some cases, it may be confusing whether “users” refers to individuals creating records about themselves or whether “users” are CMS staff members receiving and acting on this information. Please make this distinction clear the first time the term “users” is used. If contractors are listed as users, please cite if contractors are “direct” or “indirect”.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eGuidance for specific PIA questions\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCompleting a Privacy Impact Assessment (PIA) can be a challenge. Its essential to provide all the relevant information while ensuring it is correct and up to date. The following guidance comes from the Privacy Office, as well as a number of ISSOs and System/Business Owners who have experience completing successful PIAs in CFACTS.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor PIA question 6b, make sure the ISSO information is correct and up to date.\u003c/li\u003e\u003cli\u003eWhen answering question 10, consider all changes that have occurred since the PIA was last finalized, as well as the changes that will occur when the PIA is finalized. All changes, whether or not they pose a new privacy risk, should be documented. Examples of changes include changing the physical location of a server or adding additional collection of new PII elements.\u003c/li\u003e\u003cli\u003eFor PIA question 11, you should include what HHS functions are supported by the system and how the system completes those functions. Your response should be concise and specific, and should not contain jargon or overly technical terms so that a reader with no prior knowledge of the system will understand the response. Dont forget to spell out all acronyms on first usage.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor PIA question 12, list and describe all types of information collected by the system regardless of whether that information is considered PII. Make sure to include how long information is stored in the system. If the system holds system-specific access credentials, e.g., username, password, please describe those components in the response to this question. Specify whether the username and/or password are created by the individual, generated by the system, provided by a system administrator, or established through some other process.\u0026nbsp; Reminder: Any types of PII listed in this response also need to be listed in PIA question 15.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor PIA question 12, describe why the information listed in the question is collected. The response to this question should consider all information, whether or not it is PII. The response to this question should also specify what information is collected about each category of individual and should document and discuss if records are retrieved by PII elements.\u003c/li\u003e\u003cli\u003eFor PIA question13, include a brief description of the method of record retrieval, if you answered “Yes'' to PIA question 22 regarding System of Record Notification (SORN). Note the PII used and categories of individuals to whom the PII relates.\u0026nbsp;\u003cul\u003e\u003cli\u003eAn example is: The Physical Security System (PSS) regularly uses PII to retrieve system records including using the last name, employee ID number, and/or work phone number of CMS employees, contractors, and members of the public authorized to access the main campus and satellite offices.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePIA question 14 is calculated by the system. Reminder: If the response to this question is No, PIA questions 15 through 38 should no longer appear on the form.\u0026nbsp;\u003c/li\u003e\u003cli\u003eIf PIA question 15 is shown, check all the boxes that apply. If the information collected by the system is not described by any of the items in the list, there is a text field under Other where you can list additional information. Your response should include all types of PII regardless of type sensitivity, or whether it is from employees or the public. Reminder: PII elements need to be accounted for in both PIA question 12 and PIA question 15.\u003c/li\u003e\u003cli\u003ePIA question 20 should describe all the ways Social Security Numbers (SSNS) are used in the system (if applicable). Youll need to share when, where, and why an SSN is disclosed or shared; and why the SSN is used rather than another identifier.\u0026nbsp;\u003cul\u003e\u003cli\u003eNOTE: Employer Identification Number (EIN) also known as Federal Employer Identification Number (FEIN) or Tax Identification Number (TIN) or Federal Tax Identification Number (FTIN).\u0026nbsp; Individuals may choose to use their SSN as their EIN or FTIN. Typically, this would be sole proprietors or other small business owners who use SSN as EIN for tax purposes. EIN often appears in the format XX-XXXXXXX and may not stand out as a SSN. Any time that Social Security Numbers are involved, examine whether the collection and/or use of the SSN can be eliminated.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eReminder: If the response to this question states that SSNs are collected, SSNs should also be listed in the response to PIA question 15.\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePIA question 21 asks for the legal authorities governing information collection. Every system with PII must have an authority to collect this information. This will be a statute or Executive Order that either (a) permits or requires collection of the PII, or (b) permits or requires the underlying activity, for which it is necessary to collect PII.\u003c/li\u003e\u003cli\u003ePIA questions 22 and 22a are relevant to System of Record Notifications (SORNs). If the\u003c/li\u003e\u003cli\u003esystem uses PII to retrieve records, it may need to be covered by a SORN. Any system that has already received Privacy Office signatures should already reference a SORN. If not, you may need to seek guidance from ISPG or DSPPG to determine whether a SORN is required and in identifying an existing SORN that might apply. Please also review your response to PIA question 13 to ensure that it matches with your response here in question 22.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEach system has unique functions and answers to questions will be different for different systems. Question 23 determines whether your system needs an Information Collection Approval number from the White House Office of Management and Budget (OMB). In some cases, when you answer question 23, question 23a will appear. It asks about an OMB Information Collection Approval number. Under the Paperwork Reduction Act (PRA), the System/Business Owner or ISSO may need to obtain an information collection approval number from the OMB. Use the information in the CMS guidance and HHS PIA Writers Handbook regarding this question to contact subject matter experts as needed.\u003c/li\u003e\u003cli\u003eFor PIA question 27, please state that any system that utilizes information obtained from the Enterprise Portal (EIDM) must provide individuals the option to opt-out of information sharing. And similar to PIA question 25, if EIDM has its own PIA for CMS please add this statement.\u003c/li\u003e\u003cli\u003eFor PIA question 29, Identify System Acronym\u003c/li\u003e\u003cli\u003eFor PIA question 37, NARA Disposition Schedule ID, and the retention period described by the schedule, should be included\u003c/li\u003e\u003cli\u003ePIA question 37 asks about the system retention schedule. Every system (whether it contains PII or not) should have been made subject to an information retention schedule. Check with the Records Officer to identify the appropriate retention schedule.\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"20:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1f:{\"self\":\"$20\"}\n23:[\"menu_ui\",\"scheduler\"]\n22:{\"module\":\"$23\"}\n26:[]\n25:{\"available_menus\":\"$26\",\"parent\":\"\"}\n27:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n24:{\"menu_ui\":\"$25\",\"scheduler\":\"$27\"}\n21:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$22\",\"third_party_settings\":\"$24\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1e:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1f\",\"attributes\":\"$21\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/a54cc91d-d38c-4158-9cf3-d7bcda34fc84\"}\n29:{\"self\":\"$2a\"}\n2b:{\"display_name\":\"lnettles\"}\n28:{\"type\":\"user--user\",\"id\":\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\",\"links\":\"$29\",\"attributes\":\"$2b\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n2d:{\"self\":\"$2e\"}\n2f:{\"display_name\":\"meg - retired\"}\n2c:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$2d\",\"attributes\":\"$2f\"}\n32:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}\n31:{\"self\":\"$32\"}\n34:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n33:{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00"])</script><script>self.__next_f.push([1,"\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$34\"}\n38:{\"drupal_internal__target_id\":\"resource_type\"}\n37:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$38\"}\n3a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"}\n3b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}\n39:{\"related\":\"$3a\",\"self\":\"$3b\"}\n36:{\"data\":\"$37\",\"links\":\"$39\"}\n3e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"}\n3f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}\n3d:{\"related\":\"$3e\",\"self\":\"$3f\"}\n3c:{\"data\":null,\"links\":\"$3d\"}\n46:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n45:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$46\"}\n44:{\"help\":\"$45\"}\n43:{\"links\":\"$44\"}\n42:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$43\"}\n41:[\"$42\"]\n48:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"}\n49:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}\n47:{\"related\":\"$48\",\"self\":\"$49\"}\n40:{\"data\":\"$41\",\"links\":\"$47\"}\n35:{\"vid\":\"$36\",\"revision_user\":\"$3c\",\"parent\":\"$40\"}\n30:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":\"$31\",\"attributes\":\"$33\",\"relationships\":\"$35\"}\n4c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n4b:{\"self\":\"$4c\"}\n4e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4d:{\"drupal_intern"])</script><script>self.__next_f.push([1,"al__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4e\"}\n52:{\"drupal_internal__target_id\":\"roles\"}\n51:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$52\"}\n54:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n55:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n53:{\"related\":\"$54\",\"self\":\"$55\"}\n50:{\"data\":\"$51\",\"links\":\"$53\"}\n58:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n59:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n57:{\"related\":\"$58\",\"self\":\"$59\"}\n56:{\"data\":null,\"links\":\"$57\"}\n60:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n5f:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$60\"}\n5e:{\"help\":\"$5f\"}\n5d:{\"links\":\"$5e\"}\n5c:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$5d\"}\n5b:[\"$5c\"]\n62:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n63:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n61:{\"related\":\"$62\",\"self\":\"$63\"}\n5a:{\"data\":\"$5b\",\"links\":\"$61\"}\n4f:{\"vid\":\"$50\",\"revision_user\":\"$56\",\"parent\":\"$5a\"}\n4a:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$4b\",\"attributes\":\"$4d\",\"relationships\":\"$4f\"}\n66:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles"])</script><script>self.__next_f.push([1,"/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n65:{\"self\":\"$66\"}\n68:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n67:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$68\"}\n6c:{\"drupal_internal__target_id\":\"roles\"}\n6b:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$6c\"}\n6e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n6d:{\"related\":\"$6e\",\"self\":\"$6f\"}\n6a:{\"data\":\"$6b\",\"links\":\"$6d\"}\n72:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n73:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n71:{\"related\":\"$72\",\"self\":\"$73\"}\n70:{\"data\":null,\"links\":\"$71\"}\n7a:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n79:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$7a\"}\n78:{\"help\":\"$79\"}\n77:{\"links\":\"$78\"}\n76:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$77\"}\n75:[\"$76\"]\n7c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n7d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n7b:{\"related\":\"$7c\",\"self\":\"$7d\"}\n74:{\"data\":\"$75\",\"links\":\"$7b\"}\n69:{\"vid\":\"$6a\",\"revision_user\":\"$70\",\"parent\":\"$74\"}\n64:{\"type\":\"taxonomy_term--roles\",\"i"])</script><script>self.__next_f.push([1,"d\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$65\",\"attributes\":\"$67\",\"relationships\":\"$69\"}\n80:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n7f:{\"self\":\"$80\"}\n82:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n81:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$82\"}\n86:{\"drupal_internal__target_id\":\"roles\"}\n85:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$86\"}\n88:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n87:{\"related\":\"$88\",\"self\":\"$89\"}\n84:{\"data\":\"$85\",\"links\":\"$87\"}\n8c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n8d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n8b:{\"related\":\"$8c\",\"self\":\"$8d\"}\n8a:{\"data\":null,\"links\":\"$8b\"}\n94:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n93:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$94\"}\n92:{\"help\":\"$93\"}\n91:{\"links\":\"$92\"}\n90:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$91\"}\n8f:[\"$90\"]\n96:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n97:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n95:{\"related"])</script><script>self.__next_f.push([1,"\":\"$96\",\"self\":\"$97\"}\n8e:{\"data\":\"$8f\",\"links\":\"$95\"}\n83:{\"vid\":\"$84\",\"revision_user\":\"$8a\",\"parent\":\"$8e\"}\n7e:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$7f\",\"attributes\":\"$81\",\"relationships\":\"$83\"}\n9a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674?resourceVersion=id%3A6\"}\n99:{\"self\":\"$9a\"}\n9c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n9b:{\"drupal_internal__tid\":6,\"drupal_internal__revision_id\":6,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:04:59+00:00\",\"status\":true,\"name\":\"Assessments \u0026 Audits\",\"description\":null,\"weight\":1,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$9c\"}\na0:{\"drupal_internal__target_id\":\"topics\"}\n9f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$a0\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/vid?resourceVersion=id%3A6\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/vid?resourceVersion=id%3A6\"}\na1:{\"related\":\"$a2\",\"self\":\"$a3\"}\n9e:{\"data\":\"$9f\",\"links\":\"$a1\"}\na6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/revision_user?resourceVersion=id%3A6\"}\na7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/revision_user?resourceVersion=id%3A6\"}\na5:{\"related\":\"$a6\",\"self\":\"$a7\"}\na4:{\"data\":null,\"links\":\"$a5\"}\nae:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nad:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$ae\"}\nac:{\"help\":\"$ad\"}\nab:{\"links\":\"$ac\"}\naa:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$ab\"}\na9:[\"$aa\"]\nb0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/parent?resourceVersion=id%3A6\"}\nb1:{\"href\":\"https://c"])</script><script>self.__next_f.push([1,"ybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/parent?resourceVersion=id%3A6\"}\naf:{\"related\":\"$b0\",\"self\":\"$b1\"}\na8:{\"data\":\"$a9\",\"links\":\"$af\"}\n9d:{\"vid\":\"$9e\",\"revision_user\":\"$a4\",\"parent\":\"$a8\"}\n98:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"links\":\"$99\",\"attributes\":\"$9b\",\"relationships\":\"$9d\"}\nb4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf?resourceVersion=id%3A31\"}\nb3:{\"self\":\"$b4\"}\nb6:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb5:{\"drupal_internal__tid\":31,\"drupal_internal__revision_id\":31,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:48+00:00\",\"status\":true,\"name\":\"Privacy\",\"description\":null,\"weight\":4,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b6\"}\nba:{\"drupal_internal__target_id\":\"topics\"}\nb9:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$ba\"}\nbc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/vid?resourceVersion=id%3A31\"}\nbd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/vid?resourceVersion=id%3A31\"}\nbb:{\"related\":\"$bc\",\"self\":\"$bd\"}\nb8:{\"data\":\"$b9\",\"links\":\"$bb\"}\nc0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/revision_user?resourceVersion=id%3A31\"}\nc1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/revision_user?resourceVersion=id%3A31\"}\nbf:{\"related\":\"$c0\",\"self\":\"$c1\"}\nbe:{\"data\":null,\"links\":\"$bf\"}\nc8:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nc7:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c8\"}\nc6:{\"help\":\"$c7\"}\nc5:{\"links\":\"$c6\"}\nc4:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$c5\"}\nc3:[\"$c4\"]\nca:{\"href\":\"https://c"])</script><script>self.__next_f.push([1,"ybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/parent?resourceVersion=id%3A31\"}\ncb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/parent?resourceVersion=id%3A31\"}\nc9:{\"related\":\"$ca\",\"self\":\"$cb\"}\nc2:{\"data\":\"$c3\",\"links\":\"$c9\"}\nb7:{\"vid\":\"$b8\",\"revision_user\":\"$be\",\"parent\":\"$c2\"}\nb2:{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"links\":\"$b3\",\"attributes\":\"$b5\",\"relationships\":\"$b7\"}\nce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6a7003c0-dd34-424b-abe5-dcdbb4ae4e21?resourceVersion=id%3A18109\"}\ncd:{\"self\":\"$ce\"}\nd0:[]\nd2:T6f0,\u003ch2\u003e\u003cstrong\u003eWhat is a Privacy Impact Assessment (PIA)?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. The purpose of a PIA is to demonstrate that system owners have consciously incorporated privacy protections within their systems for information supplied by the public.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePIAs are required by the E-Government Act of 2002, which Congress enacted to improve the management of Federal electronic government services and processes. Section 208 of the E-Government Act specifically requires PIAs to be created when a federal agency develops or procures new information technology that involves the collection, maintenance, or dissemination of information in identifiable form.\u0026nbsp;\u003c/p\u003e\u003cp\u003eFurther, because the E-Government Act also includes a provision requiring PIAs to be published publicly on agency websites, they allow CMS to communicate more clearly with the public about how we handle information, including how we address privacy concerns and safeguard information. Copies of completed PIAs are\u0026nbsp;\u003ca href=\"https://www.hhs.gov/pia/index.html\"\u003eposted on the HHS website\u003c/a\u003e upon completion to offer transparency to the public.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho completes Privacy Impact Assessments (PIAs)?\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePrivacy Impac"])</script><script>self.__next_f.push([1,"t Assessments (PIAs) are a team effort. The Information System Security Officer (ISSO) leads the effort on behalf of the System/Business Owner to complete the questions required to submit a compliant assessment. The ISSO receives support from the ISPG Division of Security, Privacy, Policy \u0026amp; Oversight (DSPPO) and works in partnership with ISPG Cyber Risk Advisors (CRAs) to accurately complete the PIA.\u0026nbsp;\u003c/p\u003ed3:T6f0,\u003ch2\u003e\u003cstrong\u003eWhat is a Privacy Impact Assessment (PIA)?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. The purpose of a PIA is to demonstrate that system owners have consciously incorporated privacy protections within their systems for information supplied by the public.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePIAs are required by the E-Government Act of 2002, which Congress enacted to improve the management of Federal electronic government services and processes. Section 208 of the E-Government Act specifically requires PIAs to be created when a federal agency develops or procures new information technology that involves the collection, maintenance, or dissemination of information in identifiable form.\u0026nbsp;\u003c/p\u003e\u003cp\u003eFurther, because the E-Government Act also includes a provision requiring PIAs to be published publicly on agency websites, they allow CMS to communicate more clearly with the public about how we handle information, including how we address privacy concerns and safeguard information. Copies of completed PIAs are\u0026nbsp;\u003ca href=\"https://www.hhs.gov/pia/index.html\"\u003eposted on the HHS website\u003c/a\u003e upon completion to offer transparency to the public.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho completes Privacy Impact Assessments (PIAs)?\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePrivacy Impact Assessments (PIAs) are a team effort. The Information System Security Officer (ISSO) leads the effort on behalf of the System/Business Owner to complete the questions required to submit a compliant assessment. The ISSO receives support from the ISPG Division of "])</script><script>self.__next_f.push([1,"Security, Privacy, Policy \u0026amp; Oversight (DSPPO) and works in partnership with ISPG Cyber Risk Advisors (CRAs) to accurately complete the PIA.\u0026nbsp;\u003c/p\u003ed1:{\"value\":\"$d2\",\"format\":\"body_text\",\"processed\":\"$d3\"}\ncf:{\"drupal_internal__id\":511,\"drupal_internal__revision_id\":18109,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-02T16:51:44+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$d0\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$d1\"}\nd7:{\"drupal_internal__target_id\":\"page_section\"}\nd6:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$d7\"}\nd9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6a7003c0-dd34-424b-abe5-dcdbb4ae4e21/paragraph_type?resourceVersion=id%3A18109\"}\nda:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6a7003c0-dd34-424b-abe5-dcdbb4ae4e21/relationships/paragraph_type?resourceVersion=id%3A18109\"}\nd8:{\"related\":\"$d9\",\"self\":\"$da\"}\nd5:{\"data\":\"$d6\",\"links\":\"$d8\"}\ndd:{\"target_revision_id\":18108,\"drupal_internal__target_id\":3445}\ndc:{\"type\":\"paragraph--call_out_box\",\"id\":\"f80019c4-4d24-4380-b378-2dfc808c692a\",\"meta\":\"$dd\"}\ndf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6a7003c0-dd34-424b-abe5-dcdbb4ae4e21/field_specialty_item?resourceVersion=id%3A18109\"}\ne0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6a7003c0-dd34-424b-abe5-dcdbb4ae4e21/relationships/field_specialty_item?resourceVersion=id%3A18109\"}\nde:{\"related\":\"$df\",\"self\":\"$e0\"}\ndb:{\"data\":\"$dc\",\"links\":\"$de\"}\nd4:{\"paragraph_type\":\"$d5\",\"field_specialty_item\":\"$db\"}\ncc:{\"type\":\"paragraph--page_section\",\"id\":\"6a7003c0-dd34-424b-abe5-dcdbb4ae4e21\",\"links\":\"$cd\",\"attributes\":\"$cf\",\"relationships\":\"$d4\"}\ne3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/0a3e39c3-11df-48ee-acda-d4be29d1eb91?resourceVersion=id%3A18116\"}\ne2:{\"self\":\"$e3\"}\ne5:[]\ne7:T1eae,"])</script><script>self.__next_f.push([1,"\u003ch2 id=\"types-of-privacy-assessments\"\u003e\u003cstrong\u003eTypes of privacy assessments\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eProtecting user privacy through system security is a core mission of CMS. The type of information collected by a system determines what kind of assessment is required. The HHS PIA \u0026amp; PTA Writers Handbook provides guidance and questions to help system owners and ISSOs determine which privacy assessment is right for their specific needs.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThere are four main types of privacy assessments:\u0026nbsp;\u003c/p\u003e\u003ch3 id=\"privacy-impact-assessments-pias\"\u003e\u003cstrong\u003ePrivacy Impact Assessments (PIAs)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePIAs are an analysis of how personally identifiable information is handled. PIAs are important because they help system owners:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDetermine the risks of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of PII within FISMA systems.\u003c/li\u003e\u003cli\u003eExamine and evaluate protections for handling information to mitigate potential privacy concerns.\u003c/li\u003e\u003cli\u003eDevelop new solutions to manage PII if current collection methods arent optimized.\u003c/li\u003e\u003cli\u003eEnsure that information is handled in a manner that supports all applicable legal, regulatory, and policy requirements regarding privacy.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ePIAs must be completed in the following situations:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor all new systems that collect PII from 10 or more members of the general public, a PIA is required to be completed as part of the broader Authority to Operate (ATO) process.\u003c/li\u003e\u003cli\u003eFor every existing system that collects PII from 10 or more members of the general public, a PIA must be reviewed and re-approved once every three years. System/Business Owners and Information System Security Officers (ISSOs) must review and revise as necessary and submit PIAs for re-approval no later than three years from the last HHS approval date.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor any existing system undergoing a major change, an updated PIA is required.\u003c/li\u003e\u003cli\u003eAn existing system going through the ATO process may need to update its PIA paperwork if its close to expiring; an ATO cannot be completed with an expired or incomplete PIA.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your FISMA system does not meet the requirements above, it may not require a traditional PIA. In these instances, there may be other Privacy compliance requirements for your system or application. If youre unsure which assessment is right for you, the Privacy Office can help you make the right choice from the following options:\u003c/p\u003e\u003ch3 id=\"internal-privacy-impact-assessments\"\u003e\u003cstrong\u003eInternal Privacy Impact Assessments\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eInternal PIAs are similar to the PIAs described above but are only conducted for systems that collect PII of CMS employees and direct contractors only. Like a PIA, an internal PIA must be updated when a major change is planned for an IT system or electronic information collection. Unlike a traditional PIA, an internal PIA is not published on the HHS website and is not subject to the three-year review requirement.\u0026nbsp;\u003c/p\u003e\u003ch3 id=\"privacy-threshold-analysis-pta\"\u003e\u003cstrong\u003ePrivacy Threshold Analysis (PTA)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA PTA is an analysis performed in lieu of a formal PIA for systems that do not collect, disseminate, maintain, or dispose of PII. The PTA must be updated during a major change or if the manner in which electronic information is collected is changed. It is possible that a major change (e.g., the addition of PII) could result in a PTA meeting the threshold to be a PIA. Since HHS uses an interactive form for PIAs, a separate document is not necessary to complete a PTA. PTAs are not published on the HHS website and are not subject to the three-year review requirement.\u0026nbsp;\u003c/p\u003e\u003ch3 id=\"third-party-website-application-tpwa-privacy-impact-assessment\"\u003e\u003cstrong\u003eThird-Party Website Application (TPWA) Privacy Impact Assessment\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA TPWA is an analysis of third-party websites or application technologies (like social media platforms) used by CMS to communicate and engage with members of the public. The TPWA PIA has different questions based on the specific risks and compliance requirements for TPWAs as outlined by \u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf\"\u003eOMB M-10-23\u003c/a\u003e. However, the PIA and TPWA PIA require approval from HHS and are published on the HHS public web page.\u003c/p\u003e\u003ch2 id=\"what-is-considered-a-major-change\"\u003e\u003cstrong\u003eWhat is considered a major change?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA major change is something that alters the privacy risk associated with the use of a particular IT system. An example of a major change that would require an update to the PIA is a decision to collect social security numbers for an information system that previously was not collecting social security numbers. According to \u003ca href=\"https://obamawhitehouse.archives.gov/omb/memoranda_m03-22/\"\u003eOMB M-03-22\u003c/a\u003e, PIAs should be reviewed following the major changes including, but not limited to:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eConversions: \u003c/strong\u003eA conversion from paper-based information collection methods to electronic systems (e.g. records currently in paper form will be scanned or otherwise added into a system).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAnonymous to Non-Anonymous: \u003c/strong\u003eWhen the system previously collected information about users that did not identify them, but has changed to collect information that makes anonymity impossible.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSignificant System Management Changes:\u003c/strong\u003e The introduction of new applications or technologies to an existing system significantly changes the process of how PII is managed within the system.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSignificant Merging:\u003c/strong\u003e When agency and/or government databases holding PII are merged, centralized, matched with other databases, or otherwise significantly manipulated.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNew Public Access: \u003c/strong\u003eWhen user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system that can be accessed by the public.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCommercial Sources: \u003c/strong\u003eWhen PII is obtained from commercial or public sources and is integrated into the existing government information systems databases.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNew Interagency Uses: \u003c/strong\u003eWhen agencies work together on shared functions involving significant new uses or exchanges of PII.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInternal Flow or Collection: \u003c/strong\u003eWhen alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional PII.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAlteration in Character of Data: \u003c/strong\u003eWhen a new type of PII is added to a pre-existing collection and raises the risk to personal privacy, such as the addition of health or privacy information.\u0026nbsp;\u003c/p\u003e\u003ch2 id=\"how-to-complete-a-privacy-impact-assessment-pia\"\u003e\u003cstrong\u003eHow to complete a Privacy Impact Assessment (PIA)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eHHS issues the master guidance for the completion of PIAs. ISPG has taken the guidance provided by HHS and translated it into a questionnaire that can be found on \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCFACTS\u003c/a\u003e. ISSOs can log in to CFACTS to complete the questionnaire with guidance from the System/Business Owner and the assigned Cyber Risk Advisor (CRA).\u0026nbsp;\u003c/p\u003e\u003cp\u003eA step by step guide to answering the questions required to complete the PIA can be found within the PIA \u0026amp; PTA Writers Handbook, which is written by HHS and can be found as a resource on the front page of each individual question in CFACTS. You can also check out the CMS Privacy Impact Assessment Handbook for guidance and tips to ensure that your PIA is written correctly.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe procedures below give a summary review of the actions necessary to complete a new PIA or modify an existing PIA.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"e8:T1eae,"])</script><script>self.__next_f.push([1,"\u003ch2 id=\"types-of-privacy-assessments\"\u003e\u003cstrong\u003eTypes of privacy assessments\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eProtecting user privacy through system security is a core mission of CMS. The type of information collected by a system determines what kind of assessment is required. The HHS PIA \u0026amp; PTA Writers Handbook provides guidance and questions to help system owners and ISSOs determine which privacy assessment is right for their specific needs.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThere are four main types of privacy assessments:\u0026nbsp;\u003c/p\u003e\u003ch3 id=\"privacy-impact-assessments-pias\"\u003e\u003cstrong\u003ePrivacy Impact Assessments (PIAs)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePIAs are an analysis of how personally identifiable information is handled. PIAs are important because they help system owners:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDetermine the risks of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of PII within FISMA systems.\u003c/li\u003e\u003cli\u003eExamine and evaluate protections for handling information to mitigate potential privacy concerns.\u003c/li\u003e\u003cli\u003eDevelop new solutions to manage PII if current collection methods arent optimized.\u003c/li\u003e\u003cli\u003eEnsure that information is handled in a manner that supports all applicable legal, regulatory, and policy requirements regarding privacy.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ePIAs must be completed in the following situations:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor all new systems that collect PII from 10 or more members of the general public, a PIA is required to be completed as part of the broader Authority to Operate (ATO) process.\u003c/li\u003e\u003cli\u003eFor every existing system that collects PII from 10 or more members of the general public, a PIA must be reviewed and re-approved once every three years. System/Business Owners and Information System Security Officers (ISSOs) must review and revise as necessary and submit PIAs for re-approval no later than three years from the last HHS approval date.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor any existing system undergoing a major change, an updated PIA is required.\u003c/li\u003e\u003cli\u003eAn existing system going through the ATO process may need to update its PIA paperwork if its close to expiring; an ATO cannot be completed with an expired or incomplete PIA.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your FISMA system does not meet the requirements above, it may not require a traditional PIA. In these instances, there may be other Privacy compliance requirements for your system or application. If youre unsure which assessment is right for you, the Privacy Office can help you make the right choice from the following options:\u003c/p\u003e\u003ch3 id=\"internal-privacy-impact-assessments\"\u003e\u003cstrong\u003eInternal Privacy Impact Assessments\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eInternal PIAs are similar to the PIAs described above but are only conducted for systems that collect PII of CMS employees and direct contractors only. Like a PIA, an internal PIA must be updated when a major change is planned for an IT system or electronic information collection. Unlike a traditional PIA, an internal PIA is not published on the HHS website and is not subject to the three-year review requirement.\u0026nbsp;\u003c/p\u003e\u003ch3 id=\"privacy-threshold-analysis-pta\"\u003e\u003cstrong\u003ePrivacy Threshold Analysis (PTA)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA PTA is an analysis performed in lieu of a formal PIA for systems that do not collect, disseminate, maintain, or dispose of PII. The PTA must be updated during a major change or if the manner in which electronic information is collected is changed. It is possible that a major change (e.g., the addition of PII) could result in a PTA meeting the threshold to be a PIA. Since HHS uses an interactive form for PIAs, a separate document is not necessary to complete a PTA. PTAs are not published on the HHS website and are not subject to the three-year review requirement.\u0026nbsp;\u003c/p\u003e\u003ch3 id=\"third-party-website-application-tpwa-privacy-impact-assessment\"\u003e\u003cstrong\u003eThird-Party Website Application (TPWA) Privacy Impact Assessment\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA TPWA is an analysis of third-party websites or application technologies (like social media platforms) used by CMS to communicate and engage with members of the public. The TPWA PIA has different questions based on the specific risks and compliance requirements for TPWAs as outlined by \u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf\"\u003eOMB M-10-23\u003c/a\u003e. However, the PIA and TPWA PIA require approval from HHS and are published on the HHS public web page.\u003c/p\u003e\u003ch2 id=\"what-is-considered-a-major-change\"\u003e\u003cstrong\u003eWhat is considered a major change?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA major change is something that alters the privacy risk associated with the use of a particular IT system. An example of a major change that would require an update to the PIA is a decision to collect social security numbers for an information system that previously was not collecting social security numbers. According to \u003ca href=\"https://obamawhitehouse.archives.gov/omb/memoranda_m03-22/\"\u003eOMB M-03-22\u003c/a\u003e, PIAs should be reviewed following the major changes including, but not limited to:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eConversions: \u003c/strong\u003eA conversion from paper-based information collection methods to electronic systems (e.g. records currently in paper form will be scanned or otherwise added into a system).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAnonymous to Non-Anonymous: \u003c/strong\u003eWhen the system previously collected information about users that did not identify them, but has changed to collect information that makes anonymity impossible.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSignificant System Management Changes:\u003c/strong\u003e The introduction of new applications or technologies to an existing system significantly changes the process of how PII is managed within the system.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSignificant Merging:\u003c/strong\u003e When agency and/or government databases holding PII are merged, centralized, matched with other databases, or otherwise significantly manipulated.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNew Public Access: \u003c/strong\u003eWhen user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system that can be accessed by the public.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCommercial Sources: \u003c/strong\u003eWhen PII is obtained from commercial or public sources and is integrated into the existing government information systems databases.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNew Interagency Uses: \u003c/strong\u003eWhen agencies work together on shared functions involving significant new uses or exchanges of PII.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInternal Flow or Collection: \u003c/strong\u003eWhen alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional PII.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAlteration in Character of Data: \u003c/strong\u003eWhen a new type of PII is added to a pre-existing collection and raises the risk to personal privacy, such as the addition of health or privacy information.\u0026nbsp;\u003c/p\u003e\u003ch2 id=\"how-to-complete-a-privacy-impact-assessment-pia\"\u003e\u003cstrong\u003eHow to complete a Privacy Impact Assessment (PIA)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eHHS issues the master guidance for the completion of PIAs. ISPG has taken the guidance provided by HHS and translated it into a questionnaire that can be found on \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCFACTS\u003c/a\u003e. ISSOs can log in to CFACTS to complete the questionnaire with guidance from the System/Business Owner and the assigned Cyber Risk Advisor (CRA).\u0026nbsp;\u003c/p\u003e\u003cp\u003eA step by step guide to answering the questions required to complete the PIA can be found within the PIA \u0026amp; PTA Writers Handbook, which is written by HHS and can be found as a resource on the front page of each individual question in CFACTS. You can also check out the CMS Privacy Impact Assessment Handbook for guidance and tips to ensure that your PIA is written correctly.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe procedures below give a summary review of the actions necessary to complete a new PIA or modify an existing PIA.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"e6:{\"value\":\"$e7\",\"format\":\"body_text\",\"processed\":\"$e8\"}\ne4:{\"drupal_internal__id\":3452,\"drupal_internal__revision_id\":18116,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:08:06+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$e5\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$e6\"}\nec:{\"drupal_internal__target_id\":\"page_section\"}\neb:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$ec\"}\nee:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/0a3e39c3-11df-48ee-acda-d4be29d1eb91/paragraph_type?resourceVersion=id%3A18116\"}\nef:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/0a3e39c3-11df-48ee-acda-d4be29d1eb91/relationships/paragraph_type?resourceVersion=id%3A18116\"}\ned:{\"related\":\"$ee\",\"self\":\"$ef\"}\nea:{\"data\":\"$eb\",\"links\":\"$ed\"}\nf2:{\"target_revision_id\":18115,\"drupal_internal__target_id\":3451}\nf1:{\"type\":\"paragraph--process_list\",\"id\":\"fdc1b5d6-f626-4532-b6d5-30fce76bc7e0\",\"meta\":\"$f2\"}\nf4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/0a3e39c3-11df-48ee-acda-d4be29d1eb91/field_specialty_item?resourceVersion=id%3A18116\"}\nf5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/0a3e39c3-11df-48ee-acda-d4be29d1eb91/relationships/field_specialty_item?resourceVersion=id%3A18116\"}\nf3:{\"related\":\"$f4\",\"self\":\"$f5\"}\nf0:{\"data\":\"$f1\",\"links\":\"$f3\"}\ne9:{\"paragraph_type\":\"$ea\",\"field_specialty_item\":\"$f0\"}\ne1:{\"type\":\"paragraph--page_section\",\"id\":\"0a3e39c3-11df-48ee-acda-d4be29d1eb91\",\"links\":\"$e2\",\"attributes\":\"$e4\",\"relationships\":\"$e9\"}\nf8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cd0b41ba-9490-40c4-b79f-df959006794c?resourceVersion=id%3A18117\"}\nf7:{\"self\":\"$f8\"}\nfa:[]\nfb:{\"value\":\"\u003cp\u003eWe are here to help if you have questions about your PIA. You can send an email to the Privacy Office: \u003ca href=\\\"mailto:privacy@cms.hhs.gov\\\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e. Or check in the CMS Slack community: \u003cs"])</script><script>self.__next_f.push([1,"trong\u003e#ispg-sec_privacy-policy\u003c/strong\u003e.\u003c/p\u003e\u003cp\u003eYou can also review the \u003ca href=\\\"https://security.cms.gov/policy-guidance/cms-privacy-impact-assessment-pia-handbook\\\"\u003eCMS Privacy Impact Assessment Handbook\u003c/a\u003e for tips and guidance on completing your PIA.\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003cp\u003eWe are here to help if you have questions about your PIA. You can send an email to the Privacy Office: \u003ca href=\\\"mailto:privacy@cms.hhs.gov\\\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e. Or check in the CMS Slack community: \u003cstrong\u003e#ispg-sec_privacy-policy\u003c/strong\u003e.\u003c/p\u003e\u003cp\u003eYou can also review the \u003ca href=\\\"https://security.cms.gov/policy-guidance/cms-privacy-impact-assessment-pia-handbook\\\"\u003eCMS Privacy Impact Assessment Handbook\u003c/a\u003e for tips and guidance on completing your PIA.\u003c/p\u003e\"}\nf9:{\"drupal_internal__id\":3495,\"drupal_internal__revision_id\":18117,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-01-12T15:53:24+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$fa\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$fb\"}\nff:{\"drupal_internal__target_id\":\"page_section\"}\nfe:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$ff\"}\n101:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cd0b41ba-9490-40c4-b79f-df959006794c/paragraph_type?resourceVersion=id%3A18117\"}\n102:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cd0b41ba-9490-40c4-b79f-df959006794c/relationships/paragraph_type?resourceVersion=id%3A18117\"}\n100:{\"related\":\"$101\",\"self\":\"$102\"}\nfd:{\"data\":\"$fe\",\"links\":\"$100\"}\n105:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cd0b41ba-9490-40c4-b79f-df959006794c/field_specialty_item?resourceVersion=id%3A18117\"}\n106:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cd0b41ba-9490-40c4-b79f-df959006794c/relationships/field_specialty_item?resourceVersion=id%3A18117\"}\n104:{\"related\":\"$105\",\"self\":\"$106\"}\n103:{\"data\":null,\"links\":\"$104\"}\nfc:{\"paragraph_t"])</script><script>self.__next_f.push([1,"ype\":\"$fd\",\"field_specialty_item\":\"$103\"}\nf6:{\"type\":\"paragraph--page_section\",\"id\":\"cd0b41ba-9490-40c4-b79f-df959006794c\",\"links\":\"$f7\",\"attributes\":\"$f9\",\"relationships\":\"$fc\"}\n109:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/f80019c4-4d24-4380-b378-2dfc808c692a?resourceVersion=id%3A18108\"}\n108:{\"self\":\"$109\"}\n10b:[]\n10d:[]\n10c:{\"uri\":\"https://security.cms.gov/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"title\":\"\",\"options\":\"$10d\",\"url\":\"https://security.cms.gov/policy-guidance/cms-privacy-impact-assessment-pia-handbook\"}\n10e:{\"value\":\"The CMS Privacy Impact Assessment Handbook has all the steps and instructions for successfully completing a PIA.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThe CMS Privacy Impact Assessment Handbook has all the steps and instructions for successfully completing a PIA.\u003c/p\u003e\\n\"}\n10a:{\"drupal_internal__id\":3445,\"drupal_internal__revision_id\":18108,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:06:37+00:00\",\"parent_id\":\"511\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$10b\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":\"$10c\",\"field_call_out_link_text\":\"Go to the Handbook\",\"field_call_out_text\":\"$10e\",\"field_header\":\"PIA Handbook\"}\n112:{\"drupal_internal__target_id\":\"call_out_box\"}\n111:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$112\"}\n114:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/f80019c4-4d24-4380-b378-2dfc808c692a/paragraph_type?resourceVersion=id%3A18108\"}\n115:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/f80019c4-4d24-4380-b378-2dfc808c692a/relationships/paragraph_type?resourceVersion=id%3A18108\"}\n113:{\"related\":\"$114\",\"self\":\"$115\"}\n110:{\"data\":\"$111\",\"links\":\"$113\"}\n10f:{\"paragraph_type\":\"$110\"}\n107:{\"type\":\"paragraph--call_out_box\",\"id\":\"f80019c4-4d24-4380-b378-2dfc808c692a\",\"links\":\"$108\",\"attributes\":\"$10a\",\"relationships\":\"$10f\"}\n118:{\"href\":\"https://cybergeek"])</script><script>self.__next_f.push([1,".cms.gov/jsonapi/paragraph/process_list/fdc1b5d6-f626-4532-b6d5-30fce76bc7e0?resourceVersion=id%3A18115\"}\n117:{\"self\":\"$118\"}\n11a:[]\n119:{\"drupal_internal__id\":3451,\"drupal_internal__revision_id\":18115,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:08:56+00:00\",\"parent_id\":\"3452\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$11a\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null}\n11e:{\"drupal_internal__target_id\":\"process_list\"}\n11d:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":\"$11e\"}\n120:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/fdc1b5d6-f626-4532-b6d5-30fce76bc7e0/paragraph_type?resourceVersion=id%3A18115\"}\n121:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/fdc1b5d6-f626-4532-b6d5-30fce76bc7e0/relationships/paragraph_type?resourceVersion=id%3A18115\"}\n11f:{\"related\":\"$120\",\"self\":\"$121\"}\n11c:{\"data\":\"$11d\",\"links\":\"$11f\"}\n125:{\"target_revision_id\":18110,\"drupal_internal__target_id\":3446}\n124:{\"type\":\"paragraph--process_list_item\",\"id\":\"bf3c612b-c439-43d0-95da-a1a6e159e2eb\",\"meta\":\"$125\"}\n127:{\"target_revision_id\":18111,\"drupal_internal__target_id\":3447}\n126:{\"type\":\"paragraph--process_list_item\",\"id\":\"bdd69606-1a9f-48de-9393-db2424228d59\",\"meta\":\"$127\"}\n129:{\"target_revision_id\":18112,\"drupal_internal__target_id\":3448}\n128:{\"type\":\"paragraph--process_list_item\",\"id\":\"8b1a44b9-642e-4b9b-935a-40e25cf67060\",\"meta\":\"$129\"}\n12b:{\"target_revision_id\":18113,\"drupal_internal__target_id\":3449}\n12a:{\"type\":\"paragraph--process_list_item\",\"id\":\"0cd75987-c788-45bf-b07b-4bc6d679e712\",\"meta\":\"$12b\"}\n12d:{\"target_revision_id\":18114,\"drupal_internal__target_id\":3450}\n12c:{\"type\":\"paragraph--process_list_item\",\"id\":\"b77ca506-f10b-4574-8783-5500c35ff2ee\",\"meta\":\"$12d\"}\n123:[\"$124\",\"$126\",\"$128\",\"$12a\",\"$12c\"]\n12f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/fdc1b5d6-f626-4532-b6d5-30fce76bc7e0/field_process_list_item?res"])</script><script>self.__next_f.push([1,"ourceVersion=id%3A18115\"}\n130:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/fdc1b5d6-f626-4532-b6d5-30fce76bc7e0/relationships/field_process_list_item?resourceVersion=id%3A18115\"}\n12e:{\"related\":\"$12f\",\"self\":\"$130\"}\n122:{\"data\":\"$123\",\"links\":\"$12e\"}\n11b:{\"paragraph_type\":\"$11c\",\"field_process_list_item\":\"$122\"}\n116:{\"type\":\"paragraph--process_list\",\"id\":\"fdc1b5d6-f626-4532-b6d5-30fce76bc7e0\",\"links\":\"$117\",\"attributes\":\"$119\",\"relationships\":\"$11b\"}\n133:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/bf3c612b-c439-43d0-95da-a1a6e159e2eb?resourceVersion=id%3A18110\"}\n132:{\"self\":\"$133\"}\n135:[]\n136:{\"value\":\"\u003cp\u003e\u003cstrong\u003eProduced by: SO/BO, ISSO, Cyber Risk Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eFollowing any of the scenarios or major changes that would require the completion of a PIA, the System/Business Owner works with the ISSO to draft a new or revised PIA in CFACTS. Upon completion of the new or revised PIA, the System/Business Owner or ISSO will contact the CRA for review. In CFACTS, the queue for the System/Business owner or ISSO is “ISSO Submitter '' for the PIA.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003e\u003cstrong\u003eProduced by: SO/BO, ISSO, Cyber Risk Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eFollowing any of the scenarios or major changes that would require the completion of a PIA, the System/Business Owner works with the ISSO to draft a new or revised PIA in CFACTS. Upon completion of the new or revised PIA, the System/Business Owner or ISSO will contact the CRA for review. In CFACTS, the queue for the System/Business owner or ISSO is “ISSO Submitter '' for the PIA.\u003c/p\u003e\"}\n134:{\"drupal_internal__id\":3446,\"drupal_internal__revision_id\":18110,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:08:56+00:00\",\"parent_id\":\"3451\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$135\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$136\",\"field_list_item_title\":\"PIA initial draft\"}\n13a:{\"drupal_internal__target"])</script><script>self.__next_f.push([1,"_id\":\"process_list_item\"}\n139:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$13a\"}\n13c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/bf3c612b-c439-43d0-95da-a1a6e159e2eb/paragraph_type?resourceVersion=id%3A18110\"}\n13d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/bf3c612b-c439-43d0-95da-a1a6e159e2eb/relationships/paragraph_type?resourceVersion=id%3A18110\"}\n13b:{\"related\":\"$13c\",\"self\":\"$13d\"}\n138:{\"data\":\"$139\",\"links\":\"$13b\"}\n137:{\"paragraph_type\":\"$138\"}\n131:{\"type\":\"paragraph--process_list_item\",\"id\":\"bf3c612b-c439-43d0-95da-a1a6e159e2eb\",\"links\":\"$132\",\"attributes\":\"$134\",\"relationships\":\"$137\"}\n140:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/bdd69606-1a9f-48de-9393-db2424228d59?resourceVersion=id%3A18111\"}\n13f:{\"self\":\"$140\"}\n142:[]\n143:{\"value\":\"\u003cp\u003e\u003cstrong\u003eProduced by: CRA, Privacy Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CRA reviews the PIA in collaboration with the Privacy Advisor and coordinates recommended changes with the system/business owner or ISSO. Any identified privacy risks or compliance issues should be resolved before submission to the Senior Official for Privacy (SOP) for approval. If the SOP or Senior Agency Official for Privacy (SAOP) recommends changes, the review process will continue from this step as needed until the PIA is approved and finalized by the SAOP.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003e\u003cstrong\u003eProduced by: CRA, Privacy Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CRA reviews the PIA in collaboration with the Privacy Advisor and coordinates recommended changes with the system/business owner or ISSO. Any identified privacy risks or compliance issues should be resolved before submission to the Senior Official for Privacy (SOP) for approval. If the SOP or Senior Agency Official for Privacy (SAOP) recommends changes, the review process will continue from this step as needed until the PIA is approved and finalized by the SAOP.\u003c/p\u003e\"}\n141:{\"drupal_internal__id\":3447,\"drupal_interna"])</script><script>self.__next_f.push([1,"l__revision_id\":18111,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:09:21+00:00\",\"parent_id\":\"3451\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$142\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$143\",\"field_list_item_title\":\"PIA review / revision\"}\n147:{\"drupal_internal__target_id\":\"process_list_item\"}\n146:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$147\"}\n149:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/bdd69606-1a9f-48de-9393-db2424228d59/paragraph_type?resourceVersion=id%3A18111\"}\n14a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/bdd69606-1a9f-48de-9393-db2424228d59/relationships/paragraph_type?resourceVersion=id%3A18111\"}\n148:{\"related\":\"$149\",\"self\":\"$14a\"}\n145:{\"data\":\"$146\",\"links\":\"$148\"}\n144:{\"paragraph_type\":\"$145\"}\n13e:{\"type\":\"paragraph--process_list_item\",\"id\":\"bdd69606-1a9f-48de-9393-db2424228d59\",\"links\":\"$13f\",\"attributes\":\"$141\",\"relationships\":\"$144\"}\n14d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8b1a44b9-642e-4b9b-935a-40e25cf67060?resourceVersion=id%3A18112\"}\n14c:{\"self\":\"$14d\"}\n14f:[]\n150:{\"value\":\"\u003cp\u003e\u003cstrong\u003eProduced by: CMS Senior Official for Privacy (SOP), Final Approver\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SOP or designated Final Approver will review the PIA and recommend approval to HHS if no changes are recommended.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003e\u003cstrong\u003eProduced by: CMS Senior Official for Privacy (SOP), Final Approver\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SOP or designated Final Approver will review the PIA and recommend approval to HHS if no changes are recommended.\u003c/p\u003e\"}\n14e:{\"drupal_internal__id\":3448,\"drupal_internal__revision_id\":18112,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:09:48+00:00\",\"parent_id\":\"3451\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$14f\",\"default_langcode\":true,\"revision_translation_af"])</script><script>self.__next_f.push([1,"fected\":true,\"field_list_item_description\":\"$150\",\"field_list_item_title\":\"PIA approval\"}\n154:{\"drupal_internal__target_id\":\"process_list_item\"}\n153:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$154\"}\n156:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8b1a44b9-642e-4b9b-935a-40e25cf67060/paragraph_type?resourceVersion=id%3A18112\"}\n157:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8b1a44b9-642e-4b9b-935a-40e25cf67060/relationships/paragraph_type?resourceVersion=id%3A18112\"}\n155:{\"related\":\"$156\",\"self\":\"$157\"}\n152:{\"data\":\"$153\",\"links\":\"$155\"}\n151:{\"paragraph_type\":\"$152\"}\n14b:{\"type\":\"paragraph--process_list_item\",\"id\":\"8b1a44b9-642e-4b9b-935a-40e25cf67060\",\"links\":\"$14c\",\"attributes\":\"$14e\",\"relationships\":\"$151\"}\n15a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/0cd75987-c788-45bf-b07b-4bc6d679e712?resourceVersion=id%3A18113\"}\n159:{\"self\":\"$15a\"}\n15c:[]\n15d:{\"value\":\"\u003cp\u003e\u003cstrong\u003eProduced by: Senior Agency Official for Privacy (SAOP)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SAOP will designate staff to review all PIAs before approval for signature. If no changes are recommended, the SOP and SAOP will digitally sign the PIA. Once signed by the SOP and SAOP, the PIA is approved and complete for a length of time as discussed above.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003e\u003cstrong\u003eProduced by: Senior Agency Official for Privacy (SAOP)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SAOP will designate staff to review all PIAs before approval for signature. If no changes are recommended, the SOP and SAOP will digitally sign the PIA. Once signed by the SOP and SAOP, the PIA is approved and complete for a length of time as discussed above.\u003c/p\u003e\"}\n15b:{\"drupal_internal__id\":3449,\"drupal_internal__revision_id\":18113,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:10:10+00:00\",\"parent_id\":\"3451\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$15c\",\"default_langcode\":true,\"revision_translation"])</script><script>self.__next_f.push([1,"_affected\":true,\"field_list_item_description\":\"$15d\",\"field_list_item_title\":\"PIA signing\"}\n161:{\"drupal_internal__target_id\":\"process_list_item\"}\n160:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$161\"}\n163:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/0cd75987-c788-45bf-b07b-4bc6d679e712/paragraph_type?resourceVersion=id%3A18113\"}\n164:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/0cd75987-c788-45bf-b07b-4bc6d679e712/relationships/paragraph_type?resourceVersion=id%3A18113\"}\n162:{\"related\":\"$163\",\"self\":\"$164\"}\n15f:{\"data\":\"$160\",\"links\":\"$162\"}\n15e:{\"paragraph_type\":\"$15f\"}\n158:{\"type\":\"paragraph--process_list_item\",\"id\":\"0cd75987-c788-45bf-b07b-4bc6d679e712\",\"links\":\"$159\",\"attributes\":\"$15b\",\"relationships\":\"$15e\"}\n167:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b77ca506-f10b-4574-8783-5500c35ff2ee?resourceVersion=id%3A18114\"}\n166:{\"self\":\"$167\"}\n169:[]\n16a:{\"value\":\"\u003cp\u003eHHS will submit the final PIA for publication to the \u003ca href=\\\"https://www.hhs.gov/pia\\\"\u003eHHS PIA internet site\u003c/a\u003e.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eHHS will submit the final PIA for publication to the \u003ca href=\\\"https://www.hhs.gov/pia\\\"\u003eHHS PIA internet site\u003c/a\u003e.\u003c/p\u003e\"}\n168:{\"drupal_internal__id\":3450,\"drupal_internal__revision_id\":18114,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:10:38+00:00\",\"parent_id\":\"3451\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$169\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$16a\",\"field_list_item_title\":\"PIA posting\"}\n16e:{\"drupal_internal__target_id\":\"process_list_item\"}\n16d:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$16e\"}\n170:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b77ca506-f10b-4574-8783-5500c35ff2ee/paragraph_type?resourceVersion=id%3A18114\"}\n171:{\"href\":\"https://cybergeek.cms.gov/js"])</script><script>self.__next_f.push([1,"onapi/paragraph/process_list_item/b77ca506-f10b-4574-8783-5500c35ff2ee/relationships/paragraph_type?resourceVersion=id%3A18114\"}\n16f:{\"related\":\"$170\",\"self\":\"$171\"}\n16c:{\"data\":\"$16d\",\"links\":\"$16f\"}\n16b:{\"paragraph_type\":\"$16c\"}\n165:{\"type\":\"paragraph--process_list_item\",\"id\":\"b77ca506-f10b-4574-8783-5500c35ff2ee\",\"links\":\"$166\",\"attributes\":\"$168\",\"relationships\":\"$16b\"}\n174:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/06f52736-42ef-4a3e-a5a5-239887c37d8f?resourceVersion=id%3A18118\"}\n173:{\"self\":\"$174\"}\n176:[]\n175:{\"drupal_internal__id\":2066,\"drupal_internal__revision_id\":18118,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-16T14:54:27+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$176\",\"default_langcode\":true,\"revision_translation_affected\":true}\n17a:{\"drupal_internal__target_id\":\"internal_link\"}\n179:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$17a\"}\n17c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/06f52736-42ef-4a3e-a5a5-239887c37d8f/paragraph_type?resourceVersion=id%3A18118\"}\n17d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/06f52736-42ef-4a3e-a5a5-239887c37d8f/relationships/paragraph_type?resourceVersion=id%3A18118\"}\n17b:{\"related\":\"$17c\",\"self\":\"$17d\"}\n178:{\"data\":\"$179\",\"links\":\"$17b\"}\n180:{\"drupal_internal__target_id\":421}\n17f:{\"type\":\"node--library\",\"id\":\"ddb65a30-0e50-44c7-a6bd-084b9a7e6f06\",\"meta\":\"$180\"}\n182:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/06f52736-42ef-4a3e-a5a5-239887c37d8f/field_link?resourceVersion=id%3A18118\"}\n183:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/06f52736-42ef-4a3e-a5a5-239887c37d8f/relationships/field_link?resourceVersion=id%3A18118\"}\n181:{\"related\":\"$182\",\"self\":\"$183\"}\n17e:{\"data\":\"$17f\",\"links\":\"$181\"}\n177:{\"paragraph_type\":\"$178\",\"field_link\":\"$17e\"}\n172:{\"type\":\"paragraph--internal_link\",\"id\":\"06f52736-42ef-4a3e-a5a5-239887c37d8f\",\"links\""])</script><script>self.__next_f.push([1,":\"$173\",\"attributes\":\"$175\",\"relationships\":\"$177\"}\n186:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d2e8289-04d9-4f94-a59e-ea72edc28a57?resourceVersion=id%3A18119\"}\n185:{\"self\":\"$186\"}\n188:[]\n187:{\"drupal_internal__id\":2071,\"drupal_internal__revision_id\":18119,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-16T14:54:37+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$188\",\"default_langcode\":true,\"revision_translation_affected\":true}\n18c:{\"drupal_internal__target_id\":\"internal_link\"}\n18b:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$18c\"}\n18e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d2e8289-04d9-4f94-a59e-ea72edc28a57/paragraph_type?resourceVersion=id%3A18119\"}\n18f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d2e8289-04d9-4f94-a59e-ea72edc28a57/relationships/paragraph_type?resourceVersion=id%3A18119\"}\n18d:{\"related\":\"$18e\",\"self\":\"$18f\"}\n18a:{\"data\":\"$18b\",\"links\":\"$18d\"}\n192:{\"drupal_internal__target_id\":261}\n191:{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"meta\":\"$192\"}\n194:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d2e8289-04d9-4f94-a59e-ea72edc28a57/field_link?resourceVersion=id%3A18119\"}\n195:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d2e8289-04d9-4f94-a59e-ea72edc28a57/relationships/field_link?resourceVersion=id%3A18119\"}\n193:{\"related\":\"$194\",\"self\":\"$195\"}\n190:{\"data\":\"$191\",\"links\":\"$193\"}\n189:{\"paragraph_type\":\"$18a\",\"field_link\":\"$190\"}\n184:{\"type\":\"paragraph--internal_link\",\"id\":\"8d2e8289-04d9-4f94-a59e-ea72edc28a57\",\"links\":\"$185\",\"attributes\":\"$187\",\"relationships\":\"$189\"}\n198:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f809e191-d1ff-4924-8b94-9e0f705b1620?resourceVersion=id%3A18120\"}\n197:{\"self\":\"$198\"}\n19a:[]\n199:{\"drupal_internal__id\":2076,\"drupal_internal__revision_id\":18120,\"langcode\":\"en\",\"status\":true,\"created"])</script><script>self.__next_f.push([1,"\":\"2023-02-16T14:54:49+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$19a\",\"default_langcode\":true,\"revision_translation_affected\":true}\n19e:{\"drupal_internal__target_id\":\"internal_link\"}\n19d:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$19e\"}\n1a0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f809e191-d1ff-4924-8b94-9e0f705b1620/paragraph_type?resourceVersion=id%3A18120\"}\n1a1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f809e191-d1ff-4924-8b94-9e0f705b1620/relationships/paragraph_type?resourceVersion=id%3A18120\"}\n19f:{\"related\":\"$1a0\",\"self\":\"$1a1\"}\n19c:{\"data\":\"$19d\",\"links\":\"$19f\"}\n1a4:{\"drupal_internal__target_id\":206}\n1a3:{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"meta\":\"$1a4\"}\n1a6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f809e191-d1ff-4924-8b94-9e0f705b1620/field_link?resourceVersion=id%3A18120\"}\n1a7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f809e191-d1ff-4924-8b94-9e0f705b1620/relationships/field_link?resourceVersion=id%3A18120\"}\n1a5:{\"related\":\"$1a6\",\"self\":\"$1a7\"}\n1a2:{\"data\":\"$1a3\",\"links\":\"$1a5\"}\n19b:{\"paragraph_type\":\"$19c\",\"field_link\":\"$1a2\"}\n196:{\"type\":\"paragraph--internal_link\",\"id\":\"f809e191-d1ff-4924-8b94-9e0f705b1620\",\"links\":\"$197\",\"attributes\":\"$199\",\"relationships\":\"$19b\"}\n1aa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fe146104-4cdc-4270-80c9-3cf6b03f6f4b?resourceVersion=id%3A18121\"}\n1a9:{\"self\":\"$1aa\"}\n1ac:[]\n1ab:{\"drupal_internal__id\":2081,\"drupal_internal__revision_id\":18121,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-16T14:55:33+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1ac\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1b0:{\"drupal_internal__target_id\":\"internal_link\"}\n1af:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-"])</script><script>self.__next_f.push([1,"40e2-8ffa-700ec8c17167\",\"meta\":\"$1b0\"}\n1b2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fe146104-4cdc-4270-80c9-3cf6b03f6f4b/paragraph_type?resourceVersion=id%3A18121\"}\n1b3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fe146104-4cdc-4270-80c9-3cf6b03f6f4b/relationships/paragraph_type?resourceVersion=id%3A18121\"}\n1b1:{\"related\":\"$1b2\",\"self\":\"$1b3\"}\n1ae:{\"data\":\"$1af\",\"links\":\"$1b1\"}\n1b6:{\"drupal_internal__target_id\":641}\n1b5:{\"type\":\"node--explainer\",\"id\":\"9086328f-ae1d-4345-a435-8300071aae86\",\"meta\":\"$1b6\"}\n1b8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fe146104-4cdc-4270-80c9-3cf6b03f6f4b/field_link?resourceVersion=id%3A18121\"}\n1b9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fe146104-4cdc-4270-80c9-3cf6b03f6f4b/relationships/field_link?resourceVersion=id%3A18121\"}\n1b7:{\"related\":\"$1b8\",\"self\":\"$1b9\"}\n1b4:{\"data\":\"$1b5\",\"links\":\"$1b7\"}\n1ad:{\"paragraph_type\":\"$1ae\",\"field_link\":\"$1b4\"}\n1a8:{\"type\":\"paragraph--internal_link\",\"id\":\"fe146104-4cdc-4270-80c9-3cf6b03f6f4b\",\"links\":\"$1a9\",\"attributes\":\"$1ab\",\"relationships\":\"$1ad\"}\n1bc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9d66b298-b9ef-4ae5-8a79-b1613b838eb6?resourceVersion=id%3A18122\"}\n1bb:{\"self\":\"$1bc\"}\n1be:[]\n1bd:{\"drupal_internal__id\":2086,\"drupal_internal__revision_id\":18122,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-16T14:55:39+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1be\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1c2:{\"drupal_internal__target_id\":\"internal_link\"}\n1c1:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1c2\"}\n1c4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9d66b298-b9ef-4ae5-8a79-b1613b838eb6/paragraph_type?resourceVersion=id%3A18122\"}\n1c5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9d66b298-b9ef-4ae5-8a79-b1613b838eb6/relationships/paragraph_"])</script><script>self.__next_f.push([1,"type?resourceVersion=id%3A18122\"}\n1c3:{\"related\":\"$1c4\",\"self\":\"$1c5\"}\n1c0:{\"data\":\"$1c1\",\"links\":\"$1c3\"}\n1cb:{\"about\":\"Usage and meaning of the 'missing' resource identifier.\"}\n1ca:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#missing\",\"meta\":\"$1cb\"}\n1c9:{\"help\":\"$1ca\"}\n1c8:{\"links\":\"$1c9\"}\n1c7:{\"type\":\"unknown\",\"id\":\"missing\",\"meta\":\"$1c8\"}\n1cd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9d66b298-b9ef-4ae5-8a79-b1613b838eb6/field_link?resourceVersion=id%3A18122\"}\n1ce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9d66b298-b9ef-4ae5-8a79-b1613b838eb6/relationships/field_link?resourceVersion=id%3A18122\"}\n1cc:{\"related\":\"$1cd\",\"self\":\"$1ce\"}\n1c6:{\"data\":\"$1c7\",\"links\":\"$1cc\"}\n1bf:{\"paragraph_type\":\"$1c0\",\"field_link\":\"$1c6\"}\n1ba:{\"type\":\"paragraph--internal_link\",\"id\":\"9d66b298-b9ef-4ae5-8a79-b1613b838eb6\",\"links\":\"$1bb\",\"attributes\":\"$1bd\",\"relationships\":\"$1bf\"}\n1d1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71620d65-13f9-45f3-b8fb-0108fba8c4b0?resourceVersion=id%3A18123\"}\n1d0:{\"self\":\"$1d1\"}\n1d3:[]\n1d2:{\"drupal_internal__id\":2091,\"drupal_internal__revision_id\":18123,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-16T14:55:45+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1d3\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1d7:{\"drupal_internal__target_id\":\"internal_link\"}\n1d6:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1d7\"}\n1d9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71620d65-13f9-45f3-b8fb-0108fba8c4b0/paragraph_type?resourceVersion=id%3A18123\"}\n1da:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71620d65-13f9-45f3-b8fb-0108fba8c4b0/relationships/paragraph_type?resourceVersion=id%3A18123\"}\n1d8:{\"related\":\"$1d9\",\"self\":\"$1da\"}\n1d5:{\"data\":\"$1d6\",\"links\":\"$1d8\"}\n1dd:{\"drupal_internal__target_id\":361}\n1dc:{\"type\":\"node--explainer\",\"id\":\"5b6426b"])</script><script>self.__next_f.push([1,"9-0294-40a7-9777-28b1e5871345\",\"meta\":\"$1dd\"}\n1df:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71620d65-13f9-45f3-b8fb-0108fba8c4b0/field_link?resourceVersion=id%3A18123\"}\n1e0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71620d65-13f9-45f3-b8fb-0108fba8c4b0/relationships/field_link?resourceVersion=id%3A18123\"}\n1de:{\"related\":\"$1df\",\"self\":\"$1e0\"}\n1db:{\"data\":\"$1dc\",\"links\":\"$1de\"}\n1d4:{\"paragraph_type\":\"$1d5\",\"field_link\":\"$1db\"}\n1cf:{\"type\":\"paragraph--internal_link\",\"id\":\"71620d65-13f9-45f3-b8fb-0108fba8c4b0\",\"links\":\"$1d0\",\"attributes\":\"$1d2\",\"relationships\":\"$1d4\"}\n1e3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06?resourceVersion=id%3A5561\"}\n1e2:{\"self\":\"$1e3\"}\n1e5:{\"alias\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"pid\":411,\"langcode\":\"en\"}\n1e7:T5673,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the purpose of a Privacy Impact Assessment (PIA)?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. The purpose of a PIA is to demonstrate that system owners have consciously incorporated privacy protections within their systems for information supplied for by the public.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePIAs are required by the E-Government Act of 2002, which was enacted by Congress in order to improve the management of Federal electronic government services and processes. Section 208 of the E-Government Act specifically requires PIAs to be created when a federal agency develops or procures new information technology that involves the collection, maintenance, or dissemination of information in identifiable form.\u003c/p\u003e\u003cp\u003eFurther, because the E-Government Act also includes a provision requiring PIAs to be published publicly on agency websites, they allow CMS to communicate more clearly with the public about how we handle information, including how we address privacy concerns and safeguard information. Copies of completed PIAs are\u003ca href=\"https://www.hhs.gov/pia/index.html\"\u003e posted on the HHS website\u003c/a\u003e upon completion to offer transparency to the public.\u003c/p\u003e\u003cp\u003ePIAs must be completed in the following situations:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor all new systems that collect PII from 10 or more members of the general public, a PIA is required to be completed as part of the broader Authority to Operate (ATO) process.\u003c/li\u003e\u003cli\u003eFor every existing system that collects PII from 10 or more members of the general public, a PIA must be reviewed and re-approved once every three years. System/Business Owners and Information System Security Officers (ISSOs) must review and revise as necessary, and submit PIAs for re-approval no later than three years from the last HHS approval date.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor any existing system undergoing a \u003cstrong\u003emajor change\u003c/strong\u003e, an updated PIA is required.\u003c/li\u003e\u003cli\u003eAn existing system that is going through the ATO process may need to update their PIA paperwork if its close to expiring; an ATO cannot be completed with an expired or incomplete PIA.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your FISMA system does not meet the requirements above, it may not require a traditional PIA. In these instances, there may be other Privacy compliance requirements for your system or application. For example, you may be required to complete a different type of assessment (such as a Privacy Threshold Analysis (PTA), Third Party Website Application (TPWA) Privacy Impact Assessment, or Internal Privacy Impact Assessment).\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePIA roles and responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eHHS Chief Information Officer (CIO)/Senior Agency Official for Privacy (SAOP)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAt HHS, the Chief Information Officer (CIO) is designated as the Senior Agency Official for Privacy (SAOP) and provides the overall program structure for the completion of PIAs across all operating divisions. Responsibilities for the SAOP include, but are not limited to the following:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop a standard form for HHS PIAs\u003c/li\u003e\u003cli\u003eReview PIAs from all operating divisions for adequacy, consistency, and compliance with federal and HHS requirements\u003c/li\u003e\u003cli\u003eIf the PIA meets HHSs requirements, the PIA is signed by the SAOP, which finalizes the PIA for a period depending on the type of PIA\u003c/li\u003e\u003cli\u003eEnsure all PIAs are published and made publicly available on HHS.gov\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Senior Official for Privacy (SOP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAt CMS, the Senior Official for Privacy (SOP) is the lead privacy official responsible for administering the agency PIA process and providing direction for the CMS privacy program. Unresolved privacy risks and other potential issues should be addressed before submission to the CMS SOP for final review. Responsibilities of the CMS SOP include, but are not limited to the following:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eEstablish a CMS specific framework for the development and completion of PIAs in accordance with federal and HHS requirements\u003c/li\u003e\u003cli\u003eReview and approve all PIAs for completion and consistency prior to submission to the HHS SAOP in coordination with the CMS Final Approver\u003c/li\u003e\u003cli\u003eSigning the PIA on behalf of CMS once the PIA satisfies federal and HHS requirements (The PIA will still require HHSs final signature before publication to the HHS website)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS System Owner/Business Owner\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eInformation System Owners or Business Owners are individuals who are responsible for CMS FISMA systems or electronic information collections. System/Business Owners:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview, revise, and submit PIAs for approval for new systems or re-approval whenever a change to an IT system, a change in CMS practice, or another factor alters the privacy risks associated with the use of the IT system or electronic information collection.\u0026nbsp;\u003c/li\u003e\u003cli\u003eAllocate proper resources to permit identification and remediation of privacy risks and weaknesses identified on PIAs.\u0026nbsp;\u003c/li\u003e\u003cli\u003eReview, revise, and submit PIAs for re-approval three years from the last approval date, and as part of the authorization process as required.\u0026nbsp;\u003c/li\u003e\u003cli\u003eComply with all relevant Privacy Act requirements regarding any system of records, including, but not limited to, providing individuals with procedures for access and amendment of records.\u003c/li\u003e\u003cli\u003eEnsure all artifacts are in place as needed such as a Computer Matching Agreement (CMA), Information Exchange Agreements (IEA), or any other agreement when sharing information.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDepending on the structure of your specific team, some System/Business Owner responsibilities will be completed by the trained ISSO. Alternatively, some teams may utilize their System/Business Owner to complete ISSO tasks. Your team will decide what structure works best for your unique needs.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Privacy Advisor\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Privacy Advisor has in-depth knowledge of privacy risks and can help your team meet the requirements for your PIA. The Privacy Advisor will complete the following tasks:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview component PIAs for accuracy, consistency and compliance; coordinating with the Cyber Risk Advisor (CRA) to identify any outstanding privacy risks prior to submission to the CMS SOP.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEnsure answers provided in the PIA are consistent with the HHS PTA and PIA Writers Handbook.\u0026nbsp;\u003c/li\u003e\u003cli\u003eCheck each PIA for other Privacy-related requirements (e.g. Privacy Act implications).\u0026nbsp;\u003c/li\u003e\u003cli\u003eReview and edit each PIA for grammatical mistakes or incomplete responses.\u0026nbsp;\u003c/li\u003e\u003cli\u003eProvide input and guidance as needed regarding any other privacy weaknesses as identified.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Cyber Risk Advisor (CRA)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CRA is responsible for coordinating the drafting and review process of the PIA with the CMS office or center in which they are representing. The CRA will:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eCommunicate with System/Business Owners through the authorization process, and ensure that the PIA is included in the authorization package.\u003c/li\u003e\u003cli\u003eReview PIAs submitted by the ISSO or System Owner for potential security and privacy risk, this can include:\u003cul\u003e\u003cli\u003eChecking that information in the PIA matches other artifacts in the ATO package as needed, including checking for grammatical mistakes or incomplete responses.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEnsuring the answers provided in the PIA are consistent with the HHS PTA and PIA Writers Handbook.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the Privacy Advisor to identify any potential privacy risks during the review of the PIA.\u0026nbsp;\u003c/li\u003e\u003cli\u003eReview PIAs sent back from the SOP and/or HHS and coordinate with the ISSO and Privacy Advisor to resolve the outstanding comments as needed.\u0026nbsp;\u003c/li\u003e\u003cli\u003eCoordinate with the Privacy Advisor to submit completed PIAs for approval to the CMS SOP.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Information System Security Officer (ISSO)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO provides oversight and develops documentation to ensure the completion of the Security Assessment and Authorization (SA\u0026amp;A) process for their information systems. The ISSO typically performs this function on behalf of the System/Business Owner for the FISMA system. The PIA is included as one of the artifacts in the Security Assessment and Authorization package. The ISSO will:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDraft a new PIA or modify a PIA in coordination with the System Owner and CRA to address major changes or PIA requirements.\u003c/li\u003e\u003cli\u003eContact the CRA to obtain either HHS or CMS PIA guidance when required.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEngage with the System/Business Owner, CRA, Privacy Advisor, and CMS leadership to ensure all comments and suggestions are included in the PIA\u003c/li\u003e\u003cli\u003eAssist in identifying and remediating potential privacy risks and notify System/Business Owners of PIA requirements;\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eInform the CRA when a planned, new or existing system will require a PIA\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSteps for completing your PIA\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Department of Health and Human Services (HHS) issues the master guidance for completing PIAs. ISPG has taken the guidance provided by HHS and translated it into a questionnaire found on\u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003e CFACTS\u003c/a\u003e. ISSOs can log in to CFACTS to complete the questionnaire with guidance from the System/Business Owner and the assigned Cyber Risk Advisor (CRA). A step-by-step guide to answering the questions required to complete the PIA can be found within the PIA \u0026amp; PTA Writers Handbook, which is written by HHS and can be found as a resource on the front page of each question in CFACTS. If you would like a copy of the PIA \u0026amp; PTA Writers Handbook, please contact the Privacy Office. The procedures below give a summary review of the actions necessary to complete a new PIA or modify an existing PIA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 1: PIA initial draft\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: SO/BO, ISSO, Cyber Risk Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eFollowing any of the scenarios or major changes that would require the completion of a PIA, the System/Business Owner works with the ISSO to draft a new or revised PIA in CFACTS. Upon completion of the new or revised PIA, the System/Business Owner or ISSO will contact the CRA for review. In CFACTS, the queue for the System/Business owner or ISSO is “ISSO Submitter” for the PIA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 2: PIA review / revision\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: CRA, Privacy Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CRA reviews the PIA in collaboration with the Privacy Advisor and coordinates recommended changes with the system/business owner or ISSO. Any identified privacy risks or compliance issues should be resolved before submission to the SOP for approval. If the SOP or SAOP recommends changes, the review process will return to this step as needed until the PIA is approved and finalized by the Senior Agency Official for Privacy (SAOP).\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 3: PIA approval\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: CMS Senior Official for Privacy (SOP), Final Approver\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SOP or designated Final Approver will review the PIA and recommend approval to HHS if no changes are recommended.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 4: PIA signing\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: Senior Agency Official for Privacy (SAOP)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SAOP will designate staff to review all PIAs before approval for signature. If no changes are recommended, the SOP and SAOP will digitally sign the PIA. Once signed by the SOP and SAOP, the PIA is approved and complete for a length of time as discussed above.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 5: PIA posting\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: Senior Agency Official for Privacy (SAOP)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SAOP will send the completed PIA to HHS\u003cstrong\u003e. \u003c/strong\u003eHHS will submit the final PIA for publication to the HHS PIA internet site at\u003ca href=\"https://www.hhs.gov/pia\"\u003e https://www.hhs.gov/pia\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTips for completing your PIA\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBefore starting to fill out your PIA, obtain and review any available program and system documentation. This may include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWebsites that explain the service or business process supported by the system;\u003c/li\u003e\u003cli\u003eInformation Collection Requests (ICRs) if the system collects information from the public and is subject to the Paperwork Reduction Act (PRA); if unsure, please reach out to the PRA office.\u0026nbsp;\u003c/li\u003e\u003cli\u003ePrivacy Act Statements (PASs) and System of Records Notices (SORNs) if records in the system are subject to the Privacy Act;\u003c/li\u003e\u003cli\u003eAgency IT Portfolio Summaries (formerly called Exhibit 53s) or any Major IT Investment Business Cases (formerly called Exhibit 300s);\u003c/li\u003e\u003cli\u003eEnterprise Program Lifecycle Artifacts such as a System Security and Privacy Plan (SSPP); and\u003c/li\u003e\u003cli\u003eAny handbooks or other guidance on how to use the system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIt may be possible to reuse language from these documents to respond to questions. However, make sure you review all copied text to verify that it is specific to the system being reviewed, is complete, and makes sense absent the rest of the document. Text copied from marketing materials and system planning documents may discuss functions that were never purchased or implemented. Text copied from a SORN or budget document may describe more than one system.\u003c/p\u003e\u003cp\u003eThe purpose of a PIA is to provide the general public with information about how CMS systems collect and share user data. The general public is the audience for PIAs, so its essential to keep your end users in mind when drafting your PIA.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAnswer each question briefly; text fields have a limited capacity when translated to the final documentation in CFACTS\u003c/li\u003e\u003cli\u003eWrite in a way that is easily understood by the general public; avoid using overly technical language, and clearly define technical terms and references if needed to describe a system.\u003c/li\u003e\u003cli\u003eDefine each acronym the first time it is used; use the acronym alone in all subsequent references.\u003c/li\u003e\u003cli\u003eDo not include sensitive or confidential system information or information that could allow a potential threat source to gain unauthorized access into the system (e.g., do not provide detailed information on technical security controls)\u003c/li\u003e\u003cli\u003eProvide information about authentication credentials. Reviewers need to know if the system is accessed using system-specific login information such as a username and password or if the system uses only PIV access and single sign-on authentication. The login method determines how user credentials are stored outside the system boundary. Please include a statement indicating whether login information is stored in the system.\u003c/li\u003e\u003cli\u003eMake it clear who the “users” are for your system. In some cases, it may be confusing whether “users” refers to individuals creating records about themselves or whether “users” are CMS staff members receiving and acting on this information. Please make this distinction clear the first time the term “users” is used. If contractors are listed as users, please cite if contractors are “direct” or “indirect”.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eGuidance for specific PIA questions\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCompleting a Privacy Impact Assessment (PIA) can be a challenge. Its essential to provide all the relevant information while ensuring it is correct and up to date. The following guidance comes from the Privacy Office, as well as a number of ISSOs and System/Business Owners who have experience completing successful PIAs in CFACTS.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor PIA question 6b, make sure the ISSO information is correct and up to date.\u003c/li\u003e\u003cli\u003eWhen answering question 10, consider all changes that have occurred since the PIA was last finalized, as well as the changes that will occur when the PIA is finalized. All changes, whether or not they pose a new privacy risk, should be documented. Examples of changes include changing the physical location of a server or adding additional collection of new PII elements.\u003c/li\u003e\u003cli\u003eFor PIA question 11, you should include what HHS functions are supported by the system and how the system completes those functions. Your response should be concise and specific, and should not contain jargon or overly technical terms so that a reader with no prior knowledge of the system will understand the response. Dont forget to spell out all acronyms on first usage.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor PIA question 12, list and describe all types of information collected by the system regardless of whether that information is considered PII. Make sure to include how long information is stored in the system. If the system holds system-specific access credentials, e.g., username, password, please describe those components in the response to this question. Specify whether the username and/or password are created by the individual, generated by the system, provided by a system administrator, or established through some other process.\u0026nbsp; Reminder: Any types of PII listed in this response also need to be listed in PIA question 15.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor PIA question 12, describe why the information listed in the question is collected. The response to this question should consider all information, whether or not it is PII. The response to this question should also specify what information is collected about each category of individual and should document and discuss if records are retrieved by PII elements.\u003c/li\u003e\u003cli\u003eFor PIA question13, include a brief description of the method of record retrieval, if you answered “Yes'' to PIA question 22 regarding System of Record Notification (SORN). Note the PII used and categories of individuals to whom the PII relates.\u0026nbsp;\u003cul\u003e\u003cli\u003eAn example is: The Physical Security System (PSS) regularly uses PII to retrieve system records including using the last name, employee ID number, and/or work phone number of CMS employees, contractors, and members of the public authorized to access the main campus and satellite offices.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePIA question 14 is calculated by the system. Reminder: If the response to this question is No, PIA questions 15 through 38 should no longer appear on the form.\u0026nbsp;\u003c/li\u003e\u003cli\u003eIf PIA question 15 is shown, check all the boxes that apply. If the information collected by the system is not described by any of the items in the list, there is a text field under Other where you can list additional information. Your response should include all types of PII regardless of type sensitivity, or whether it is from employees or the public. Reminder: PII elements need to be accounted for in both PIA question 12 and PIA question 15.\u003c/li\u003e\u003cli\u003ePIA question 20 should describe all the ways Social Security Numbers (SSNS) are used in the system (if applicable). Youll need to share when, where, and why an SSN is disclosed or shared; and why the SSN is used rather than another identifier.\u0026nbsp;\u003cul\u003e\u003cli\u003eNOTE: Employer Identification Number (EIN) also known as Federal Employer Identification Number (FEIN) or Tax Identification Number (TIN) or Federal Tax Identification Number (FTIN).\u0026nbsp; Individuals may choose to use their SSN as their EIN or FTIN. Typically, this would be sole proprietors or other small business owners who use SSN as EIN for tax purposes. EIN often appears in the format XX-XXXXXXX and may not stand out as a SSN. Any time that Social Security Numbers are involved, examine whether the collection and/or use of the SSN can be eliminated.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eReminder: If the response to this question states that SSNs are collected, SSNs should also be listed in the response to PIA question 15.\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePIA question 21 asks for the legal authorities governing information collection. Every system with PII must have an authority to collect this information. This will be a statute or Executive Order that either (a) permits or requires collection of the PII, or (b) permits or requires the underlying activity, for which it is necessary to collect PII.\u003c/li\u003e\u003cli\u003ePIA questions 22 and 22a are relevant to System of Record Notifications (SORNs). If the\u003c/li\u003e\u003cli\u003esystem uses PII to retrieve records, it may need to be covered by a SORN. Any system that has already received Privacy Office signatures should already reference a SORN. If not, you may need to seek guidance from ISPG or DSPPG to determine whether a SORN is required and in identifying an existing SORN that might apply. Please also review your response to PIA question 13 to ensure that it matches with your response here in question 22.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEach system has unique functions and answers to questions will be different for different systems. Question 23 determines whether your system needs an Information Collection Approval number from the White House Office of Management and Budget (OMB). In some cases, when you answer question 23, question 23a will appear. It asks about an OMB Information Collection Approval number. Under the Paperwork Reduction Act (PRA), the System/Business Owner or ISSO may need to obtain an information collection approval number from the OMB. Use the information in the CMS guidance and HHS PIA Writers Handbook regarding this question to contact subject matter experts as needed.\u003c/li\u003e\u003cli\u003eFor PIA question 27, please state that any system that utilizes information obtained from the Enterprise Portal (EIDM) must provide individuals the option to opt-out of information sharing. And similar to PIA question 25, if EIDM has its own PIA for CMS please add this statement.\u003c/li\u003e\u003cli\u003eFor PIA question 29, Identify System Acronym\u003c/li\u003e\u003cli\u003eFor PIA question 37, NARA Disposition Schedule ID, and the retention period described by the schedule, should be included\u003c/li\u003e\u003cli\u003ePIA question 37 asks about the system retention schedule. Every system (whether it contains PII or not) should have been made subject to an information retention schedule. Check with the Records Officer to identify the appropriate retention schedule.\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1e8:T5673,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the purpose of a Privacy Impact Assessment (PIA)?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. The purpose of a PIA is to demonstrate that system owners have consciously incorporated privacy protections within their systems for information supplied for by the public.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePIAs are required by the E-Government Act of 2002, which was enacted by Congress in order to improve the management of Federal electronic government services and processes. Section 208 of the E-Government Act specifically requires PIAs to be created when a federal agency develops or procures new information technology that involves the collection, maintenance, or dissemination of information in identifiable form.\u003c/p\u003e\u003cp\u003eFurther, because the E-Government Act also includes a provision requiring PIAs to be published publicly on agency websites, they allow CMS to communicate more clearly with the public about how we handle information, including how we address privacy concerns and safeguard information. Copies of completed PIAs are\u003ca href=\"https://www.hhs.gov/pia/index.html\"\u003e posted on the HHS website\u003c/a\u003e upon completion to offer transparency to the public.\u003c/p\u003e\u003cp\u003ePIAs must be completed in the following situations:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor all new systems that collect PII from 10 or more members of the general public, a PIA is required to be completed as part of the broader Authority to Operate (ATO) process.\u003c/li\u003e\u003cli\u003eFor every existing system that collects PII from 10 or more members of the general public, a PIA must be reviewed and re-approved once every three years. System/Business Owners and Information System Security Officers (ISSOs) must review and revise as necessary, and submit PIAs for re-approval no later than three years from the last HHS approval date.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor any existing system undergoing a \u003cstrong\u003emajor change\u003c/strong\u003e, an updated PIA is required.\u003c/li\u003e\u003cli\u003eAn existing system that is going through the ATO process may need to update their PIA paperwork if its close to expiring; an ATO cannot be completed with an expired or incomplete PIA.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your FISMA system does not meet the requirements above, it may not require a traditional PIA. In these instances, there may be other Privacy compliance requirements for your system or application. For example, you may be required to complete a different type of assessment (such as a Privacy Threshold Analysis (PTA), Third Party Website Application (TPWA) Privacy Impact Assessment, or Internal Privacy Impact Assessment).\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003ePIA roles and responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eHHS Chief Information Officer (CIO)/Senior Agency Official for Privacy (SAOP)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAt HHS, the Chief Information Officer (CIO) is designated as the Senior Agency Official for Privacy (SAOP) and provides the overall program structure for the completion of PIAs across all operating divisions. Responsibilities for the SAOP include, but are not limited to the following:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop a standard form for HHS PIAs\u003c/li\u003e\u003cli\u003eReview PIAs from all operating divisions for adequacy, consistency, and compliance with federal and HHS requirements\u003c/li\u003e\u003cli\u003eIf the PIA meets HHSs requirements, the PIA is signed by the SAOP, which finalizes the PIA for a period depending on the type of PIA\u003c/li\u003e\u003cli\u003eEnsure all PIAs are published and made publicly available on HHS.gov\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Senior Official for Privacy (SOP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAt CMS, the Senior Official for Privacy (SOP) is the lead privacy official responsible for administering the agency PIA process and providing direction for the CMS privacy program. Unresolved privacy risks and other potential issues should be addressed before submission to the CMS SOP for final review. Responsibilities of the CMS SOP include, but are not limited to the following:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eEstablish a CMS specific framework for the development and completion of PIAs in accordance with federal and HHS requirements\u003c/li\u003e\u003cli\u003eReview and approve all PIAs for completion and consistency prior to submission to the HHS SAOP in coordination with the CMS Final Approver\u003c/li\u003e\u003cli\u003eSigning the PIA on behalf of CMS once the PIA satisfies federal and HHS requirements (The PIA will still require HHSs final signature before publication to the HHS website)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS System Owner/Business Owner\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eInformation System Owners or Business Owners are individuals who are responsible for CMS FISMA systems or electronic information collections. System/Business Owners:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview, revise, and submit PIAs for approval for new systems or re-approval whenever a change to an IT system, a change in CMS practice, or another factor alters the privacy risks associated with the use of the IT system or electronic information collection.\u0026nbsp;\u003c/li\u003e\u003cli\u003eAllocate proper resources to permit identification and remediation of privacy risks and weaknesses identified on PIAs.\u0026nbsp;\u003c/li\u003e\u003cli\u003eReview, revise, and submit PIAs for re-approval three years from the last approval date, and as part of the authorization process as required.\u0026nbsp;\u003c/li\u003e\u003cli\u003eComply with all relevant Privacy Act requirements regarding any system of records, including, but not limited to, providing individuals with procedures for access and amendment of records.\u003c/li\u003e\u003cli\u003eEnsure all artifacts are in place as needed such as a Computer Matching Agreement (CMA), Information Exchange Agreements (IEA), or any other agreement when sharing information.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDepending on the structure of your specific team, some System/Business Owner responsibilities will be completed by the trained ISSO. Alternatively, some teams may utilize their System/Business Owner to complete ISSO tasks. Your team will decide what structure works best for your unique needs.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Privacy Advisor\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Privacy Advisor has in-depth knowledge of privacy risks and can help your team meet the requirements for your PIA. The Privacy Advisor will complete the following tasks:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview component PIAs for accuracy, consistency and compliance; coordinating with the Cyber Risk Advisor (CRA) to identify any outstanding privacy risks prior to submission to the CMS SOP.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEnsure answers provided in the PIA are consistent with the HHS PTA and PIA Writers Handbook.\u0026nbsp;\u003c/li\u003e\u003cli\u003eCheck each PIA for other Privacy-related requirements (e.g. Privacy Act implications).\u0026nbsp;\u003c/li\u003e\u003cli\u003eReview and edit each PIA for grammatical mistakes or incomplete responses.\u0026nbsp;\u003c/li\u003e\u003cli\u003eProvide input and guidance as needed regarding any other privacy weaknesses as identified.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Cyber Risk Advisor (CRA)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CRA is responsible for coordinating the drafting and review process of the PIA with the CMS office or center in which they are representing. The CRA will:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eCommunicate with System/Business Owners through the authorization process, and ensure that the PIA is included in the authorization package.\u003c/li\u003e\u003cli\u003eReview PIAs submitted by the ISSO or System Owner for potential security and privacy risk, this can include:\u003cul\u003e\u003cli\u003eChecking that information in the PIA matches other artifacts in the ATO package as needed, including checking for grammatical mistakes or incomplete responses.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEnsuring the answers provided in the PIA are consistent with the HHS PTA and PIA Writers Handbook.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the Privacy Advisor to identify any potential privacy risks during the review of the PIA.\u0026nbsp;\u003c/li\u003e\u003cli\u003eReview PIAs sent back from the SOP and/or HHS and coordinate with the ISSO and Privacy Advisor to resolve the outstanding comments as needed.\u0026nbsp;\u003c/li\u003e\u003cli\u003eCoordinate with the Privacy Advisor to submit completed PIAs for approval to the CMS SOP.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Information System Security Officer (ISSO)\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO provides oversight and develops documentation to ensure the completion of the Security Assessment and Authorization (SA\u0026amp;A) process for their information systems. The ISSO typically performs this function on behalf of the System/Business Owner for the FISMA system. The PIA is included as one of the artifacts in the Security Assessment and Authorization package. The ISSO will:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDraft a new PIA or modify a PIA in coordination with the System Owner and CRA to address major changes or PIA requirements.\u003c/li\u003e\u003cli\u003eContact the CRA to obtain either HHS or CMS PIA guidance when required.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEngage with the System/Business Owner, CRA, Privacy Advisor, and CMS leadership to ensure all comments and suggestions are included in the PIA\u003c/li\u003e\u003cli\u003eAssist in identifying and remediating potential privacy risks and notify System/Business Owners of PIA requirements;\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eInform the CRA when a planned, new or existing system will require a PIA\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSteps for completing your PIA\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Department of Health and Human Services (HHS) issues the master guidance for completing PIAs. ISPG has taken the guidance provided by HHS and translated it into a questionnaire found on\u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003e CFACTS\u003c/a\u003e. ISSOs can log in to CFACTS to complete the questionnaire with guidance from the System/Business Owner and the assigned Cyber Risk Advisor (CRA). A step-by-step guide to answering the questions required to complete the PIA can be found within the PIA \u0026amp; PTA Writers Handbook, which is written by HHS and can be found as a resource on the front page of each question in CFACTS. If you would like a copy of the PIA \u0026amp; PTA Writers Handbook, please contact the Privacy Office. The procedures below give a summary review of the actions necessary to complete a new PIA or modify an existing PIA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 1: PIA initial draft\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: SO/BO, ISSO, Cyber Risk Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eFollowing any of the scenarios or major changes that would require the completion of a PIA, the System/Business Owner works with the ISSO to draft a new or revised PIA in CFACTS. Upon completion of the new or revised PIA, the System/Business Owner or ISSO will contact the CRA for review. In CFACTS, the queue for the System/Business owner or ISSO is “ISSO Submitter” for the PIA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 2: PIA review / revision\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: CRA, Privacy Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CRA reviews the PIA in collaboration with the Privacy Advisor and coordinates recommended changes with the system/business owner or ISSO. Any identified privacy risks or compliance issues should be resolved before submission to the SOP for approval. If the SOP or SAOP recommends changes, the review process will return to this step as needed until the PIA is approved and finalized by the Senior Agency Official for Privacy (SAOP).\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 3: PIA approval\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: CMS Senior Official for Privacy (SOP), Final Approver\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SOP or designated Final Approver will review the PIA and recommend approval to HHS if no changes are recommended.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 4: PIA signing\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: Senior Agency Official for Privacy (SAOP)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SAOP will designate staff to review all PIAs before approval for signature. If no changes are recommended, the SOP and SAOP will digitally sign the PIA. Once signed by the SOP and SAOP, the PIA is approved and complete for a length of time as discussed above.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eStep 5: PIA posting\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePrimary Responsibility: Senior Agency Official for Privacy (SAOP)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SAOP will send the completed PIA to HHS\u003cstrong\u003e. \u003c/strong\u003eHHS will submit the final PIA for publication to the HHS PIA internet site at\u003ca href=\"https://www.hhs.gov/pia\"\u003e https://www.hhs.gov/pia\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTips for completing your PIA\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBefore starting to fill out your PIA, obtain and review any available program and system documentation. This may include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWebsites that explain the service or business process supported by the system;\u003c/li\u003e\u003cli\u003eInformation Collection Requests (ICRs) if the system collects information from the public and is subject to the Paperwork Reduction Act (PRA); if unsure, please reach out to the PRA office.\u0026nbsp;\u003c/li\u003e\u003cli\u003ePrivacy Act Statements (PASs) and System of Records Notices (SORNs) if records in the system are subject to the Privacy Act;\u003c/li\u003e\u003cli\u003eAgency IT Portfolio Summaries (formerly called Exhibit 53s) or any Major IT Investment Business Cases (formerly called Exhibit 300s);\u003c/li\u003e\u003cli\u003eEnterprise Program Lifecycle Artifacts such as a System Security and Privacy Plan (SSPP); and\u003c/li\u003e\u003cli\u003eAny handbooks or other guidance on how to use the system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIt may be possible to reuse language from these documents to respond to questions. However, make sure you review all copied text to verify that it is specific to the system being reviewed, is complete, and makes sense absent the rest of the document. Text copied from marketing materials and system planning documents may discuss functions that were never purchased or implemented. Text copied from a SORN or budget document may describe more than one system.\u003c/p\u003e\u003cp\u003eThe purpose of a PIA is to provide the general public with information about how CMS systems collect and share user data. The general public is the audience for PIAs, so its essential to keep your end users in mind when drafting your PIA.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAnswer each question briefly; text fields have a limited capacity when translated to the final documentation in CFACTS\u003c/li\u003e\u003cli\u003eWrite in a way that is easily understood by the general public; avoid using overly technical language, and clearly define technical terms and references if needed to describe a system.\u003c/li\u003e\u003cli\u003eDefine each acronym the first time it is used; use the acronym alone in all subsequent references.\u003c/li\u003e\u003cli\u003eDo not include sensitive or confidential system information or information that could allow a potential threat source to gain unauthorized access into the system (e.g., do not provide detailed information on technical security controls)\u003c/li\u003e\u003cli\u003eProvide information about authentication credentials. Reviewers need to know if the system is accessed using system-specific login information such as a username and password or if the system uses only PIV access and single sign-on authentication. The login method determines how user credentials are stored outside the system boundary. Please include a statement indicating whether login information is stored in the system.\u003c/li\u003e\u003cli\u003eMake it clear who the “users” are for your system. In some cases, it may be confusing whether “users” refers to individuals creating records about themselves or whether “users” are CMS staff members receiving and acting on this information. Please make this distinction clear the first time the term “users” is used. If contractors are listed as users, please cite if contractors are “direct” or “indirect”.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eGuidance for specific PIA questions\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCompleting a Privacy Impact Assessment (PIA) can be a challenge. Its essential to provide all the relevant information while ensuring it is correct and up to date. The following guidance comes from the Privacy Office, as well as a number of ISSOs and System/Business Owners who have experience completing successful PIAs in CFACTS.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor PIA question 6b, make sure the ISSO information is correct and up to date.\u003c/li\u003e\u003cli\u003eWhen answering question 10, consider all changes that have occurred since the PIA was last finalized, as well as the changes that will occur when the PIA is finalized. All changes, whether or not they pose a new privacy risk, should be documented. Examples of changes include changing the physical location of a server or adding additional collection of new PII elements.\u003c/li\u003e\u003cli\u003eFor PIA question 11, you should include what HHS functions are supported by the system and how the system completes those functions. Your response should be concise and specific, and should not contain jargon or overly technical terms so that a reader with no prior knowledge of the system will understand the response. Dont forget to spell out all acronyms on first usage.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor PIA question 12, list and describe all types of information collected by the system regardless of whether that information is considered PII. Make sure to include how long information is stored in the system. If the system holds system-specific access credentials, e.g., username, password, please describe those components in the response to this question. Specify whether the username and/or password are created by the individual, generated by the system, provided by a system administrator, or established through some other process.\u0026nbsp; Reminder: Any types of PII listed in this response also need to be listed in PIA question 15.\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor PIA question 12, describe why the information listed in the question is collected. The response to this question should consider all information, whether or not it is PII. The response to this question should also specify what information is collected about each category of individual and should document and discuss if records are retrieved by PII elements.\u003c/li\u003e\u003cli\u003eFor PIA question13, include a brief description of the method of record retrieval, if you answered “Yes'' to PIA question 22 regarding System of Record Notification (SORN). Note the PII used and categories of individuals to whom the PII relates.\u0026nbsp;\u003cul\u003e\u003cli\u003eAn example is: The Physical Security System (PSS) regularly uses PII to retrieve system records including using the last name, employee ID number, and/or work phone number of CMS employees, contractors, and members of the public authorized to access the main campus and satellite offices.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePIA question 14 is calculated by the system. Reminder: If the response to this question is No, PIA questions 15 through 38 should no longer appear on the form.\u0026nbsp;\u003c/li\u003e\u003cli\u003eIf PIA question 15 is shown, check all the boxes that apply. If the information collected by the system is not described by any of the items in the list, there is a text field under Other where you can list additional information. Your response should include all types of PII regardless of type sensitivity, or whether it is from employees or the public. Reminder: PII elements need to be accounted for in both PIA question 12 and PIA question 15.\u003c/li\u003e\u003cli\u003ePIA question 20 should describe all the ways Social Security Numbers (SSNS) are used in the system (if applicable). Youll need to share when, where, and why an SSN is disclosed or shared; and why the SSN is used rather than another identifier.\u0026nbsp;\u003cul\u003e\u003cli\u003eNOTE: Employer Identification Number (EIN) also known as Federal Employer Identification Number (FEIN) or Tax Identification Number (TIN) or Federal Tax Identification Number (FTIN).\u0026nbsp; Individuals may choose to use their SSN as their EIN or FTIN. Typically, this would be sole proprietors or other small business owners who use SSN as EIN for tax purposes. EIN often appears in the format XX-XXXXXXX and may not stand out as a SSN. Any time that Social Security Numbers are involved, examine whether the collection and/or use of the SSN can be eliminated.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eReminder: If the response to this question states that SSNs are collected, SSNs should also be listed in the response to PIA question 15.\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePIA question 21 asks for the legal authorities governing information collection. Every system with PII must have an authority to collect this information. This will be a statute or Executive Order that either (a) permits or requires collection of the PII, or (b) permits or requires the underlying activity, for which it is necessary to collect PII.\u003c/li\u003e\u003cli\u003ePIA questions 22 and 22a are relevant to System of Record Notifications (SORNs). If the\u003c/li\u003e\u003cli\u003esystem uses PII to retrieve records, it may need to be covered by a SORN. Any system that has already received Privacy Office signatures should already reference a SORN. If not, you may need to seek guidance from ISPG or DSPPG to determine whether a SORN is required and in identifying an existing SORN that might apply. Please also review your response to PIA question 13 to ensure that it matches with your response here in question 22.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEach system has unique functions and answers to questions will be different for different systems. Question 23 determines whether your system needs an Information Collection Approval number from the White House Office of Management and Budget (OMB). In some cases, when you answer question 23, question 23a will appear. It asks about an OMB Information Collection Approval number. Under the Paperwork Reduction Act (PRA), the System/Business Owner or ISSO may need to obtain an information collection approval number from the OMB. Use the information in the CMS guidance and HHS PIA Writers Handbook regarding this question to contact subject matter experts as needed.\u003c/li\u003e\u003cli\u003eFor PIA question 27, please state that any system that utilizes information obtained from the Enterprise Portal (EIDM) must provide individuals the option to opt-out of information sharing. And similar to PIA question 25, if EIDM has its own PIA for CMS please add this statement.\u003c/li\u003e\u003cli\u003eFor PIA question 29, Identify System Acronym\u003c/li\u003e\u003cli\u003eFor PIA question 37, NARA Disposition Schedule ID, and the retention period described by the schedule, should be included\u003c/li\u003e\u003cli\u003ePIA question 37 asks about the system retention schedule. Every system (whether it contains PII or not) should have been made subject to an information retention schedule. Check with the Records Officer to identify the appropriate retention schedule.\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1e6:{\"value\":\"$1e7\",\"format\":\"body_text\",\"processed\":\"$1e8\",\"summary\":\"\"}\n1eb:[]\n1ea:{\"uri\":\"entity:node/206\",\"title\":\"Authorization to Operate (ATO) \",\"options\":\"$1eb\",\"url\":\"/learn/authorization-operate-ato\"}\n1ed:[]\n1ec:{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2)\",\"options\":\"$1ed\",\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"}\n1ef:[]\n1ee:{\"uri\":\"https://www.hhs.gov/pia/index.html\",\"title\":\"HHS Privacy Impact Assessment (PIA) information\",\"options\":\"$1ef\",\"url\":\"https://www.hhs.gov/pia/index.html\"}\n1e9:[\"$1ea\",\"$1ec\",\"$1ee\"]\n1f0:{\"value\":\"Information, tips, and tricks for writing your Privacy Impact Assessment (PIA) concisely and correctly\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eInformation, tips, and tricks for writing your Privacy Impact Assessment (PIA) concisely and correctly\u003c/p\u003e\\n\"}\n1e4:{\"drupal_internal__nid\":421,\"drupal_internal__vid\":5561,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-07T20:11:35+00:00\",\"status\":true,\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"created\":\"2022-08-29T17:13:40+00:00\",\"changed\":\"2024-06-06T17:47:05+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1e5\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$1e6\",\"field_contact_email\":\"privacy@cms.hhs.gov\",\"field_contact_name\":\"Privacy Office\",\"field_last_reviewed\":\"2023-01-20\",\"field_related_resources\":\"$1e9\",\"field_short_description\":\"$1f0\"}\n1f4:{\"drupal_internal__target_id\":\"library\"}\n1f3:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":\"$1f4\"}\n1f6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/node_type?resourceVersion=id%3A5561\"}\n1f7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/relationships/node_type?resourceVersion=id%3A5561\"}\n1"])</script><script>self.__next_f.push([1,"f5:{\"related\":\"$1f6\",\"self\":\"$1f7\"}\n1f2:{\"data\":\"$1f3\",\"links\":\"$1f5\"}\n1fa:{\"drupal_internal__target_id\":110}\n1f9:{\"type\":\"user--user\",\"id\":\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\",\"meta\":\"$1fa\"}\n1fc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/revision_uid?resourceVersion=id%3A5561\"}\n1fd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/relationships/revision_uid?resourceVersion=id%3A5561\"}\n1fb:{\"related\":\"$1fc\",\"self\":\"$1fd\"}\n1f8:{\"data\":\"$1f9\",\"links\":\"$1fb\"}\n200:{\"drupal_internal__target_id\":26}\n1ff:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$200\"}\n202:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/uid?resourceVersion=id%3A5561\"}\n203:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/relationships/uid?resourceVersion=id%3A5561\"}\n201:{\"related\":\"$202\",\"self\":\"$203\"}\n1fe:{\"data\":\"$1ff\",\"links\":\"$201\"}\n206:{\"drupal_internal__target_id\":91}\n205:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":\"$206\"}\n208:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/field_resource_type?resourceVersion=id%3A5561\"}\n209:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/relationships/field_resource_type?resourceVersion=id%3A5561\"}\n207:{\"related\":\"$208\",\"self\":\"$209\"}\n204:{\"data\":\"$205\",\"links\":\"$207\"}\n20d:{\"drupal_internal__target_id\":66}\n20c:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$20d\"}\n20f:{\"drupal_internal__target_id\":61}\n20e:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$20f\"}\n211:{\"drupal_internal__target_id\":76}\n210:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$211\"}\n20b:[\"$20c\",\"$20e\",\"$210\"]\n213:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084"])</script><script>self.__next_f.push([1,"b9a7e6f06/field_roles?resourceVersion=id%3A5561\"}\n214:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/relationships/field_roles?resourceVersion=id%3A5561\"}\n212:{\"related\":\"$213\",\"self\":\"$214\"}\n20a:{\"data\":\"$20b\",\"links\":\"$212\"}\n218:{\"drupal_internal__target_id\":16}\n217:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$218\"}\n21a:{\"drupal_internal__target_id\":31}\n219:{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":\"$21a\"}\n216:[\"$217\",\"$219\"]\n21c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/field_topics?resourceVersion=id%3A5561\"}\n21d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/relationships/field_topics?resourceVersion=id%3A5561\"}\n21b:{\"related\":\"$21c\",\"self\":\"$21d\"}\n215:{\"data\":\"$216\",\"links\":\"$21b\"}\n1f1:{\"node_type\":\"$1f2\",\"revision_uid\":\"$1f8\",\"uid\":\"$1fe\",\"field_resource_type\":\"$204\",\"field_roles\":\"$20a\",\"field_topics\":\"$215\"}\n1e1:{\"type\":\"node--library\",\"id\":\"ddb65a30-0e50-44c7-a6bd-084b9a7e6f06\",\"links\":\"$1e2\",\"attributes\":\"$1e4\",\"relationships\":\"$1f1\"}\n220:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b?resourceVersion=id%3A5999\"}\n21f:{\"self\":\"$220\"}\n222:{\"alias\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"pid\":251,\"langcode\":\"en\"}\n223:{\"value\":\"CFACTS is a CMS database that tracks application security deficiencies and POA\u0026Ms, and supports the ATO process\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCFACTS is a CMS database that tracks application security deficiencies and POA\u0026amp;Ms, and supports the ATO process\u003c/p\u003e\\n\"}\n224:[\"#cfacts_community\"]\n221:{\"drupal_internal__nid\":261,\"drupal_internal__vid\":5999,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-05T18:41:37+00:00\",\"status\":true,\"title\":\"CMS FISMA Continuous Tracking System (CFACTS)\",\"created\":\"2022-08-26T14:57:02+00:00\",\"changed\":\"2024-12-05T18:41:37+00:00\",\"promote\":false,\"sticky\":false,\"defaul"])</script><script>self.__next_f.push([1,"t_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$222\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ciso@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team \",\"field_short_description\":\"$223\",\"field_slack_channel\":\"$224\"}\n228:{\"drupal_internal__target_id\":\"explainer\"}\n227:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$228\"}\n22a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/node_type?resourceVersion=id%3A5999\"}\n22b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/node_type?resourceVersion=id%3A5999\"}\n229:{\"related\":\"$22a\",\"self\":\"$22b\"}\n226:{\"data\":\"$227\",\"links\":\"$229\"}\n22e:{\"drupal_internal__target_id\":159}\n22d:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":\"$22e\"}\n230:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/revision_uid?resourceVersion=id%3A5999\"}\n231:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/revision_uid?resourceVersion=id%3A5999\"}\n22f:{\"related\":\"$230\",\"self\":\"$231\"}\n22c:{\"data\":\"$22d\",\"links\":\"$22f\"}\n234:{\"drupal_internal__target_id\":26}\n233:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$234\"}\n236:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/uid?resourceVersion=id%3A5999\"}\n237:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/uid?resourceVersion=id%3A5999\"}\n235:{\"related\":\"$236\",\"self\":\"$237\"}\n232:{\"data\":\"$233\",\"links\":\"$235\"}\n23b:{\"target_revision_id\":19655,\"drupal_internal__target_id\":2101}\n23a:{\"type\":\"paragraph--page_section\",\"id\":\"963db416-cca0-421d-8c3e-40c8e2ce190f\",\"meta\":\"$23b\"}\n23d:{\"target_revision_id\":19660,\"dru"])</script><script>self.__next_f.push([1,"pal_internal__target_id\":446}\n23c:{\"type\":\"paragraph--page_section\",\"id\":\"9b87eb1d-cb43-472b-9b5b-8618d2688563\",\"meta\":\"$23d\"}\n23f:{\"target_revision_id\":19666,\"drupal_internal__target_id\":1781}\n23e:{\"type\":\"paragraph--page_section\",\"id\":\"122a8de9-c38d-492b-bc93-b43b270f2933\",\"meta\":\"$23f\"}\n241:{\"target_revision_id\":19667,\"drupal_internal__target_id\":3468}\n240:{\"type\":\"paragraph--page_section\",\"id\":\"594617c8-824a-4962-aa08-fdf8dd4677fb\",\"meta\":\"$241\"}\n239:[\"$23a\",\"$23c\",\"$23e\",\"$240\"]\n243:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_page_section?resourceVersion=id%3A5999\"}\n244:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_page_section?resourceVersion=id%3A5999\"}\n242:{\"related\":\"$243\",\"self\":\"$244\"}\n238:{\"data\":\"$239\",\"links\":\"$242\"}\n248:{\"target_revision_id\":19668,\"drupal_internal__target_id\":1816}\n247:{\"type\":\"paragraph--internal_link\",\"id\":\"76dcb171-ae0a-42ba-b330-b93b63633cdd\",\"meta\":\"$248\"}\n24a:{\"target_revision_id\":19669,\"drupal_internal__target_id\":1821}\n249:{\"type\":\"paragraph--internal_link\",\"id\":\"7f340091-9774-491a-817d-0cdfaf0c72d1\",\"meta\":\"$24a\"}\n24c:{\"target_revision_id\":19670,\"drupal_internal__target_id\":1826}\n24b:{\"type\":\"paragraph--internal_link\",\"id\":\"4b7486bb-57c5-440b-b07c-54deb80f1ca1\",\"meta\":\"$24c\"}\n24e:{\"target_revision_id\":19671,\"drupal_internal__target_id\":1831}\n24d:{\"type\":\"paragraph--internal_link\",\"id\":\"d72a41d1-1d17-452f-9375-aea58d84e8e7\",\"meta\":\"$24e\"}\n250:{\"target_revision_id\":19672,\"drupal_internal__target_id\":3462}\n24f:{\"type\":\"paragraph--internal_link\",\"id\":\"726e3057-d549-4d7d-80c7-0f4c5d5f8007\",\"meta\":\"$250\"}\n252:{\"target_revision_id\":19673,\"drupal_internal__target_id\":3463}\n251:{\"type\":\"paragraph--internal_link\",\"id\":\"dbde5fa8-5137-4df4-af83-a4330e0778c7\",\"meta\":\"$252\"}\n246:[\"$247\",\"$249\",\"$24b\",\"$24d\",\"$24f\",\"$251\"]\n254:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_related_collection?resourceVersion=id%"])</script><script>self.__next_f.push([1,"3A5999\"}\n255:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_related_collection?resourceVersion=id%3A5999\"}\n253:{\"related\":\"$254\",\"self\":\"$255\"}\n245:{\"data\":\"$246\",\"links\":\"$253\"}\n258:{\"drupal_internal__target_id\":121}\n257:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$258\"}\n25a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_resource_type?resourceVersion=id%3A5999\"}\n25b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_resource_type?resourceVersion=id%3A5999\"}\n259:{\"related\":\"$25a\",\"self\":\"$25b\"}\n256:{\"data\":\"$257\",\"links\":\"$259\"}\n25f:{\"drupal_internal__target_id\":66}\n25e:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$25f\"}\n261:{\"drupal_internal__target_id\":61}\n260:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$261\"}\n263:{\"drupal_internal__target_id\":76}\n262:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$263\"}\n265:{\"drupal_internal__target_id\":71}\n264:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$265\"}\n25d:[\"$25e\",\"$260\",\"$262\",\"$264\"]\n267:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_roles?resourceVersion=id%3A5999\"}\n268:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_roles?resourceVersion=id%3A5999\"}\n266:{\"related\":\"$267\",\"self\":\"$268\"}\n25c:{\"data\":\"$25d\",\"links\":\"$266\"}\n26c:{\"drupal_internal__target_id\":36}\n26b:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$26c\"}\n26e:{\"drupal_internal__target_id\":11}\n26d:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$26e\"}\n26a:[\"$26b\",\"$26d\"]\n270:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901"])</script><script>self.__next_f.push([1,"ae-4ea5-491c-badd-90a32da3989b/field_topics?resourceVersion=id%3A5999\"}\n271:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_topics?resourceVersion=id%3A5999\"}\n26f:{\"related\":\"$270\",\"self\":\"$271\"}\n269:{\"data\":\"$26a\",\"links\":\"$26f\"}\n225:{\"node_type\":\"$226\",\"revision_uid\":\"$22c\",\"uid\":\"$232\",\"field_page_section\":\"$238\",\"field_related_collection\":\"$245\",\"field_resource_type\":\"$256\",\"field_roles\":\"$25c\",\"field_topics\":\"$269\"}\n21e:{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"links\":\"$21f\",\"attributes\":\"$221\",\"relationships\":\"$225\"}\n274:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2?resourceVersion=id%3A5737\"}\n273:{\"self\":\"$274\"}\n276:{\"alias\":\"/learn/authorization-operate-ato\",\"pid\":196,\"langcode\":\"en\"}\n277:{\"value\":\"Testing and documenting system security and compliance to gain approval to operate the system at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting and documenting system security and compliance to gain approval to operate the system at CMS\u003c/p\u003e\\n\"}\n278:[\"#cra-help\"]\n275:{\"drupal_internal__nid\":206,\"drupal_internal__vid\":5737,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-31T17:37:48+00:00\",\"status\":true,\"title\":\"Authorization to Operate (ATO)\",\"created\":\"2022-08-25T19:06:37+00:00\",\"changed\":\"2024-07-31T17:37:48+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$276\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":\"$277\",\"field_slack_channel\":\"$278\"}\n27c:{\"drupal_internal__target_id\":\"explainer\"}\n27b:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$27c\"}\n27e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e1"])</script><script>self.__next_f.push([1,"21df2/node_type?resourceVersion=id%3A5737\"}\n27f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/node_type?resourceVersion=id%3A5737\"}\n27d:{\"related\":\"$27e\",\"self\":\"$27f\"}\n27a:{\"data\":\"$27b\",\"links\":\"$27d\"}\n282:{\"drupal_internal__target_id\":6}\n281:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$282\"}\n284:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/revision_uid?resourceVersion=id%3A5737\"}\n285:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/revision_uid?resourceVersion=id%3A5737\"}\n283:{\"related\":\"$284\",\"self\":\"$285\"}\n280:{\"data\":\"$281\",\"links\":\"$283\"}\n288:{\"drupal_internal__target_id\":26}\n287:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$288\"}\n28a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/uid?resourceVersion=id%3A5737\"}\n28b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/uid?resourceVersion=id%3A5737\"}\n289:{\"related\":\"$28a\",\"self\":\"$28b\"}\n286:{\"data\":\"$287\",\"links\":\"$289\"}\n28f:{\"target_revision_id\":18928,\"drupal_internal__target_id\":711}\n28e:{\"type\":\"paragraph--page_section\",\"id\":\"d94629f9-9668-41dd-bce7-a4f267239c07\",\"meta\":\"$28f\"}\n291:{\"target_revision_id\":18929,\"drupal_internal__target_id\":736}\n290:{\"type\":\"paragraph--page_section\",\"id\":\"243e2d3f-f903-438c-8b1f-aee53390b1df\",\"meta\":\"$291\"}\n28d:[\"$28e\",\"$290\"]\n293:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_page_section?resourceVersion=id%3A5737\"}\n294:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_page_section?resourceVersion=id%3A5737\"}\n292:{\"related\":\"$293\",\"self\":\"$294\"}\n28c:{\"data\":\"$28d\",\"links\":\"$292\"}\n298:{\"target_revision_id\":18930,\"drupal_internal__target_id\":3376}\n297:{\"type\":\"paragraph--internal_"])</script><script>self.__next_f.push([1,"link\",\"id\":\"6f904ac4-c80e-47d9-b786-ee79256befed\",\"meta\":\"$298\"}\n29a:{\"target_revision_id\":18931,\"drupal_internal__target_id\":1306}\n299:{\"type\":\"paragraph--internal_link\",\"id\":\"e20959d7-2a7b-4a01-b985-cfa5363233f5\",\"meta\":\"$29a\"}\n29c:{\"target_revision_id\":18932,\"drupal_internal__target_id\":1316}\n29b:{\"type\":\"paragraph--internal_link\",\"id\":\"dba9b926-f657-43ce-bc94-0a2d803430c6\",\"meta\":\"$29c\"}\n29e:{\"target_revision_id\":18933,\"drupal_internal__target_id\":2521}\n29d:{\"type\":\"paragraph--internal_link\",\"id\":\"44f7083e-9341-42a5-85dc-a9043cdccdce\",\"meta\":\"$29e\"}\n2a0:{\"target_revision_id\":18934,\"drupal_internal__target_id\":3444}\n29f:{\"type\":\"paragraph--internal_link\",\"id\":\"bd0366d9-64ce-401f-9453-bf38aa8054a1\",\"meta\":\"$2a0\"}\n296:[\"$297\",\"$299\",\"$29b\",\"$29d\",\"$29f\"]\n2a2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_related_collection?resourceVersion=id%3A5737\"}\n2a3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_related_collection?resourceVersion=id%3A5737\"}\n2a1:{\"related\":\"$2a2\",\"self\":\"$2a3\"}\n295:{\"data\":\"$296\",\"links\":\"$2a1\"}\n2a6:{\"drupal_internal__target_id\":131}\n2a5:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$2a6\"}\n2a8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_resource_type?resourceVersion=id%3A5737\"}\n2a9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_resource_type?resourceVersion=id%3A5737\"}\n2a7:{\"related\":\"$2a8\",\"self\":\"$2a9\"}\n2a4:{\"data\":\"$2a5\",\"links\":\"$2a7\"}\n2ad:{\"drupal_internal__target_id\":66}\n2ac:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$2ad\"}\n2af:{\"drupal_internal__target_id\":61}\n2ae:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$2af\"}\n2b1:{\"drupal_internal__target_id\":76}\n2b0:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998"])</script><script>self.__next_f.push([1,"a3329f34\",\"meta\":\"$2b1\"}\n2ab:[\"$2ac\",\"$2ae\",\"$2b0\"]\n2b3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_roles?resourceVersion=id%3A5737\"}\n2b4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_roles?resourceVersion=id%3A5737\"}\n2b2:{\"related\":\"$2b3\",\"self\":\"$2b4\"}\n2aa:{\"data\":\"$2ab\",\"links\":\"$2b2\"}\n2b8:{\"drupal_internal__target_id\":11}\n2b7:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$2b8\"}\n2b6:[\"$2b7\"]\n2ba:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_topics?resourceVersion=id%3A5737\"}\n2bb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_topics?resourceVersion=id%3A5737\"}\n2b9:{\"related\":\"$2ba\",\"self\":\"$2bb\"}\n2b5:{\"data\":\"$2b6\",\"links\":\"$2b9\"}\n279:{\"node_type\":\"$27a\",\"revision_uid\":\"$280\",\"uid\":\"$286\",\"field_page_section\":\"$28c\",\"field_related_collection\":\"$295\",\"field_resource_type\":\"$2a4\",\"field_roles\":\"$2aa\",\"field_topics\":\"$2b5\"}\n272:{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"links\":\"$273\",\"attributes\":\"$275\",\"relationships\":\"$279\"}\n2be:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86?resourceVersion=id%3A6121\"}\n2bd:{\"self\":\"$2be\"}\n2c0:{\"alias\":\"/learn/cms-computer-matching-agreement-cma\",\"pid\":631,\"langcode\":\"en\"}\n2c1:{\"value\":\"Written agreement used in the comparison of automated systems of record between federal or state agencies\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eWritten agreement used in the comparison of automated systems of record between federal or state agencies\u003c/p\u003e\\n\"}\n2c2:[\"#ispg-privacy-agreement-consults\"]\n2bf:{\"drupal_internal__nid\":641,\"drupal_internal__vid\":6121,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-16T20:56:12+00:00\",\"status\":true,\"title\":\"CMS Computer Matching Agreement (CMA)\",\"created\":\"2023-02-02T14:59:22+00:00\",\"changed\":\"2025-01-16T"])</script><script>self.__next_f.push([1,"20:56:12+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$2c0\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"privacy@cms.hhs.gov\",\"field_contact_name\":\"Privacy Office\",\"field_short_description\":\"$2c1\",\"field_slack_channel\":\"$2c2\"}\n2c6:{\"drupal_internal__target_id\":\"explainer\"}\n2c5:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$2c6\"}\n2c8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/node_type?resourceVersion=id%3A6121\"}\n2c9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/node_type?resourceVersion=id%3A6121\"}\n2c7:{\"related\":\"$2c8\",\"self\":\"$2c9\"}\n2c4:{\"data\":\"$2c5\",\"links\":\"$2c7\"}\n2cc:{\"drupal_internal__target_id\":6}\n2cb:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$2cc\"}\n2ce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/revision_uid?resourceVersion=id%3A6121\"}\n2cf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/revision_uid?resourceVersion=id%3A6121\"}\n2cd:{\"related\":\"$2ce\",\"self\":\"$2cf\"}\n2ca:{\"data\":\"$2cb\",\"links\":\"$2cd\"}\n2d2:{\"drupal_internal__target_id\":26}\n2d1:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$2d2\"}\n2d4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/uid?resourceVersion=id%3A6121\"}\n2d5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/uid?resourceVersion=id%3A6121\"}\n2d3:{\"related\":\"$2d4\",\"self\":\"$2d5\"}\n2d0:{\"data\":\"$2d1\",\"links\":\"$2d3\"}\n2d9:{\"target_revision_id\":20081,\"drupal_internal__target_id\":451}\n2d8:{\"type\":\"paragraph--page_section\",\"id\":\"ebf079d8-dd73-43d4-b270-1dffecde6"])</script><script>self.__next_f.push([1,"88b\",\"meta\":\"$2d9\"}\n2d7:[\"$2d8\"]\n2db:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/field_page_section?resourceVersion=id%3A6121\"}\n2dc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/field_page_section?resourceVersion=id%3A6121\"}\n2da:{\"related\":\"$2db\",\"self\":\"$2dc\"}\n2d6:{\"data\":\"$2d7\",\"links\":\"$2da\"}\n2e0:{\"target_revision_id\":20086,\"drupal_internal__target_id\":1876}\n2df:{\"type\":\"paragraph--internal_link\",\"id\":\"5fc47ff1-39bd-4c95-b001-ad89e85cd007\",\"meta\":\"$2e0\"}\n2e2:{\"target_revision_id\":20091,\"drupal_internal__target_id\":3576}\n2e1:{\"type\":\"paragraph--internal_link\",\"id\":\"7f569b2e-5e41-45c0-954e-df9128d24e6e\",\"meta\":\"$2e2\"}\n2e4:{\"target_revision_id\":20096,\"drupal_internal__target_id\":3581}\n2e3:{\"type\":\"paragraph--internal_link\",\"id\":\"8dde78c3-a853-4117-b100-c1c97b47829c\",\"meta\":\"$2e4\"}\n2de:[\"$2df\",\"$2e1\",\"$2e3\"]\n2e6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/field_related_collection?resourceVersion=id%3A6121\"}\n2e7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/field_related_collection?resourceVersion=id%3A6121\"}\n2e5:{\"related\":\"$2e6\",\"self\":\"$2e7\"}\n2dd:{\"data\":\"$2de\",\"links\":\"$2e5\"}\n2ea:{\"drupal_internal__target_id\":131}\n2e9:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$2ea\"}\n2ec:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/field_resource_type?resourceVersion=id%3A6121\"}\n2ed:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/field_resource_type?resourceVersion=id%3A6121\"}\n2eb:{\"related\":\"$2ec\",\"self\":\"$2ed\"}\n2e8:{\"data\":\"$2e9\",\"links\":\"$2eb\"}\n2f1:{\"drupal_internal__target_id\":61}\n2f0:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$2f1\"}\n2f3:{\"drupal_internal__target_id\":76}\n2f2:{\"type\":\"taxonomy_term--roles\""])</script><script>self.__next_f.push([1,",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$2f3\"}\n2ef:[\"$2f0\",\"$2f2\"]\n2f5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/field_roles?resourceVersion=id%3A6121\"}\n2f6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/field_roles?resourceVersion=id%3A6121\"}\n2f4:{\"related\":\"$2f5\",\"self\":\"$2f6\"}\n2ee:{\"data\":\"$2ef\",\"links\":\"$2f4\"}\n2fa:{\"drupal_internal__target_id\":31}\n2f9:{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":\"$2fa\"}\n2f8:[\"$2f9\"]\n2fc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/field_topics?resourceVersion=id%3A6121\"}\n2fd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/field_topics?resourceVersion=id%3A6121\"}\n2fb:{\"related\":\"$2fc\",\"self\":\"$2fd\"}\n2f7:{\"data\":\"$2f8\",\"links\":\"$2fb\"}\n2c3:{\"node_type\":\"$2c4\",\"revision_uid\":\"$2ca\",\"uid\":\"$2d0\",\"field_page_section\":\"$2d6\",\"field_related_collection\":\"$2dd\",\"field_resource_type\":\"$2e8\",\"field_roles\":\"$2ee\",\"field_topics\":\"$2f7\"}\n2bc:{\"type\":\"node--explainer\",\"id\":\"9086328f-ae1d-4345-a435-8300071aae86\",\"links\":\"$2bd\",\"attributes\":\"$2bf\",\"relationships\":\"$2c3\"}\n300:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345?resourceVersion=id%3A5569\"}\n2ff:{\"self\":\"$300\"}\n302:{\"alias\":\"/learn/cms-information-system-risk-assessment-isra\",\"pid\":351,\"langcode\":\"en\"}\n303:{\"value\":\"Documentation of a systems vulnerabilities, security controls, risk levels, and recommended safeguards for keeping information safe\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eDocumentation of a systems vulnerabilities, security controls, risk levels, and recommended safeguards for keeping information safe\u003c/p\u003e\\n\"}\n304:[\"#cfacts_community \"]\n301:{\"drupal_internal__nid\":361,\"drupal_internal__vid\":5569,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-07T20:13:41+00:00\",\"status\":true,\"title\":\"CMS Information Sys"])</script><script>self.__next_f.push([1,"tem Risk Assessment (ISRA)\",\"created\":\"2022-08-29T16:38:23+00:00\",\"changed\":\"2024-06-06T16:33:51+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$302\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team \",\"field_short_description\":\"$303\",\"field_slack_channel\":\"$304\"}\n308:{\"drupal_internal__target_id\":\"explainer\"}\n307:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$308\"}\n30a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/node_type?resourceVersion=id%3A5569\"}\n30b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/node_type?resourceVersion=id%3A5569\"}\n309:{\"related\":\"$30a\",\"self\":\"$30b\"}\n306:{\"data\":\"$307\",\"links\":\"$309\"}\n30e:{\"drupal_internal__target_id\":110}\n30d:{\"type\":\"user--user\",\"id\":\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\",\"meta\":\"$30e\"}\n310:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/revision_uid?resourceVersion=id%3A5569\"}\n311:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/revision_uid?resourceVersion=id%3A5569\"}\n30f:{\"related\":\"$310\",\"self\":\"$311\"}\n30c:{\"data\":\"$30d\",\"links\":\"$30f\"}\n314:{\"drupal_internal__target_id\":26}\n313:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$314\"}\n316:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/uid?resourceVersion=id%3A5569\"}\n317:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/uid?resourceVersion=id%3A5569\"}\n315:{\"related\":\"$316\",\"self\":\"$317\"}\n312:{\"data\":\"$313\",\"links\":\"$315\"}\n31b:{\"target_revision_id\":18217,\"drupal_internal__target_i"])</script><script>self.__next_f.push([1,"d\":476}\n31a:{\"type\":\"paragraph--page_section\",\"id\":\"feb4d8d9-ed3e-43c2-b62b-f77023f548e9\",\"meta\":\"$31b\"}\n31d:{\"target_revision_id\":18218,\"drupal_internal__target_id\":3477}\n31c:{\"type\":\"paragraph--page_section\",\"id\":\"b08b1d31-0c03-4be6-8cf9-f50c60301736\",\"meta\":\"$31d\"}\n319:[\"$31a\",\"$31c\"]\n31f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_page_section?resourceVersion=id%3A5569\"}\n320:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_page_section?resourceVersion=id%3A5569\"}\n31e:{\"related\":\"$31f\",\"self\":\"$320\"}\n318:{\"data\":\"$319\",\"links\":\"$31e\"}\n324:{\"target_revision_id\":18219,\"drupal_internal__target_id\":1856}\n323:{\"type\":\"paragraph--internal_link\",\"id\":\"15c0be8e-28f3-4243-81c4-b3fde7bfe552\",\"meta\":\"$324\"}\n326:{\"target_revision_id\":18220,\"drupal_internal__target_id\":1861}\n325:{\"type\":\"paragraph--internal_link\",\"id\":\"944c647d-37f9-4d4d-8a1e-f5e9983042c4\",\"meta\":\"$326\"}\n328:{\"target_revision_id\":18221,\"drupal_internal__target_id\":1866}\n327:{\"type\":\"paragraph--internal_link\",\"id\":\"8719d442-16f0-42ef-a4c6-2c807896ddb8\",\"meta\":\"$328\"}\n322:[\"$323\",\"$325\",\"$327\"]\n32a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_related_collection?resourceVersion=id%3A5569\"}\n32b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_related_collection?resourceVersion=id%3A5569\"}\n329:{\"related\":\"$32a\",\"self\":\"$32b\"}\n321:{\"data\":\"$322\",\"links\":\"$329\"}\n32e:{\"drupal_internal__target_id\":131}\n32d:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$32e\"}\n330:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_resource_type?resourceVersion=id%3A5569\"}\n331:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_resource_type?resourceVersion=id%3A5569\"}\n32f:{\"related\":\"$330"])</script><script>self.__next_f.push([1,"\",\"self\":\"$331\"}\n32c:{\"data\":\"$32d\",\"links\":\"$32f\"}\n335:{\"drupal_internal__target_id\":66}\n334:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$335\"}\n337:{\"drupal_internal__target_id\":61}\n336:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$337\"}\n339:{\"drupal_internal__target_id\":76}\n338:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$339\"}\n33b:{\"drupal_internal__target_id\":71}\n33a:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$33b\"}\n333:[\"$334\",\"$336\",\"$338\",\"$33a\"]\n33d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_roles?resourceVersion=id%3A5569\"}\n33e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_roles?resourceVersion=id%3A5569\"}\n33c:{\"related\":\"$33d\",\"self\":\"$33e\"}\n332:{\"data\":\"$333\",\"links\":\"$33c\"}\n342:{\"drupal_internal__target_id\":36}\n341:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$342\"}\n344:{\"drupal_internal__target_id\":11}\n343:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$344\"}\n340:[\"$341\",\"$343\"]\n346:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_topics?resourceVersion=id%3A5569\"}\n347:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_topics?resourceVersion=id%3A5569\"}\n345:{\"related\":\"$346\",\"self\":\"$347\"}\n33f:{\"data\":\"$340\",\"links\":\"$345\"}\n305:{\"node_type\":\"$306\",\"revision_uid\":\"$30c\",\"uid\":\"$312\",\"field_page_section\":\"$318\",\"field_related_collection\":\"$321\",\"field_resource_type\":\"$32c\",\"field_roles\":\"$332\",\"field_topics\":\"$33f\"}\n2fe:{\"type\":\"node--explainer\",\"id\":\"5b6426b9-0294-40a7-9777-28b1e5871345\",\"links\":\"$2ff\",\"attributes\":\"$301\",\"relationships\":\"$305\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"fb20ba48-336f-4acc-b27a-55e07c1766df\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df?resourceVersion=id%3A5565\"}},\"attributes\":{\"drupal_internal__nid\":426,\"drupal_internal__vid\":5565,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-07T20:12:34+00:00\",\"status\":true,\"title\":\"Privacy Impact Assessment (PIA)\",\"created\":\"2022-08-29T17:16:06+00:00\",\"changed\":\"2024-06-06T17:13:30+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/privacy-impact-assessment-pia\",\"pid\":416,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"privacy@cms.hhs.gov\",\"field_contact_name\":\"Privacy Office\",\"field_short_description\":{\"value\":\"Process that identifies and mitigates privacy risks for CMS systems regarding the use of Personally Identifiable Information (PII)\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProcess that identifies and mitigates privacy risks for CMS systems regarding the use of Personally Identifiable Information (PII)\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-sec_privacy-policy\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/node_type?resourceVersion=id%3A5565\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/relationships/node_type?resourceVersion=id%3A5565\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\",\"meta\":{\"drupal_internal__target_id\":110}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/revision_uid?resourceVersion=id%3A5565\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/relationships/revision_uid?resourceVersion=id%3A5565\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/uid?resourceVersion=id%3A5565\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/relationships/uid?resourceVersion=id%3A5565\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"6a7003c0-dd34-424b-abe5-dcdbb4ae4e21\",\"meta\":{\"target_revision_id\":18109,\"drupal_internal__target_id\":511}},{\"type\":\"paragraph--page_section\",\"id\":\"0a3e39c3-11df-48ee-acda-d4be29d1eb91\",\"meta\":{\"target_revision_id\":18116,\"drupal_internal__target_id\":3452}},{\"type\":\"paragraph--page_section\",\"id\":\"cd0b41ba-9490-40c4-b79f-df959006794c\",\"meta\":{\"target_revision_id\":18117,\"drupal_internal__target_id\":3495}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/field_page_section?resourceVersion=id%3A5565\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/relationships/field_page_section?resourceVersion=id%3A5565\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"06f52736-42ef-4a3e-a5a5-239887c37d8f\",\"meta\":{\"target_revision_id\":18118,\"drupal_internal__target_id\":2066}},{\"type\":\"paragraph--internal_link\",\"id\":\"8d2e8289-04d9-4f94-a59e-ea72edc28a57\",\"meta\":{\"target_revision_id\":18119,\"drupal_internal__target_id\":2071}},{\"type\":\"paragraph--internal_link\",\"id\":\"f809e191-d1ff-4924-8b94-9e0f705b1620\",\"meta\":{\"target_revision_id\":18120,\"drupal_internal__target_id\":2076}},{\"type\":\"paragraph--internal_link\",\"id\":\"fe146104-4cdc-4270-80c9-3cf6b03f6f4b\",\"meta\":{\"target_revision_id\":18121,\"drupal_internal__target_id\":2081}},{\"type\":\"paragraph--internal_link\",\"id\":\"9d66b298-b9ef-4ae5-8a79-b1613b838eb6\",\"meta\":{\"target_revision_id\":18122,\"drupal_internal__target_id\":2086}},{\"type\":\"paragraph--internal_link\",\"id\":\"71620d65-13f9-45f3-b8fb-0108fba8c4b0\",\"meta\":{\"target_revision_id\":18123,\"drupal_internal__target_id\":2091}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/field_related_collection?resourceVersion=id%3A5565\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/relationships/field_related_collection?resourceVersion=id%3A5565\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/field_resource_type?resourceVersion=id%3A5565\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/relationships/field_resource_type?resourceVersion=id%3A5565\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/field_roles?resourceVersion=id%3A5565\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/relationships/field_roles?resourceVersion=id%3A5565\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":{\"drupal_internal__target_id\":31}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/field_topics?resourceVersion=id%3A5565\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/fb20ba48-336f-4acc-b27a-55e07c1766df/relationships/field_topics?resourceVersion=id%3A5565\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/a54cc91d-d38c-4158-9cf3-d7bcda34fc84\"}},\"attributes\":{\"display_name\":\"lnettles\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}},\"attributes\":{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674?resourceVersion=id%3A6\"}},\"attributes\":{\"drupal_internal__tid\":6,\"drupal_internal__revision_id\":6,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:04:59+00:00\",\"status\":true,\"name\":\"Assessments \u0026 Audits\",\"description\":null,\"weight\":1,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/vid?resourceVersion=id%3A6\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/vid?resourceVersion=id%3A6\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/revision_user?resourceVersion=id%3A6\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/revision_user?resourceVersion=id%3A6\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/parent?resourceVersion=id%3A6\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/parent?resourceVersion=id%3A6\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf?resourceVersion=id%3A31\"}},\"attributes\":{\"drupal_internal__tid\":31,\"drupal_internal__revision_id\":31,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:48+00:00\",\"status\":true,\"name\":\"Privacy\",\"description\":null,\"weight\":4,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/vid?resourceVersion=id%3A31\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/vid?resourceVersion=id%3A31\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/revision_user?resourceVersion=id%3A31\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/revision_user?resourceVersion=id%3A31\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/parent?resourceVersion=id%3A31\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/parent?resourceVersion=id%3A31\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"6a7003c0-dd34-424b-abe5-dcdbb4ae4e21\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6a7003c0-dd34-424b-abe5-dcdbb4ae4e21?resourceVersion=id%3A18109\"}},\"attributes\":{\"drupal_internal__id\":511,\"drupal_internal__revision_id\":18109,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-02T16:51:44+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6a7003c0-dd34-424b-abe5-dcdbb4ae4e21/paragraph_type?resourceVersion=id%3A18109\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6a7003c0-dd34-424b-abe5-dcdbb4ae4e21/relationships/paragraph_type?resourceVersion=id%3A18109\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id\":\"f80019c4-4d24-4380-b378-2dfc808c692a\",\"meta\":{\"target_revision_id\":18108,\"drupal_internal__target_id\":3445}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6a7003c0-dd34-424b-abe5-dcdbb4ae4e21/field_specialty_item?resourceVersion=id%3A18109\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6a7003c0-dd34-424b-abe5-dcdbb4ae4e21/relationships/field_specialty_item?resourceVersion=id%3A18109\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"0a3e39c3-11df-48ee-acda-d4be29d1eb91\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/0a3e39c3-11df-48ee-acda-d4be29d1eb91?resourceVersion=id%3A18116\"}},\"attributes\":{\"drupal_internal__id\":3452,\"drupal_internal__revision_id\":18116,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:08:06+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/0a3e39c3-11df-48ee-acda-d4be29d1eb91/paragraph_type?resourceVersion=id%3A18116\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/0a3e39c3-11df-48ee-acda-d4be29d1eb91/relationships/paragraph_type?resourceVersion=id%3A18116\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--process_list\",\"id\":\"fdc1b5d6-f626-4532-b6d5-30fce76bc7e0\",\"meta\":{\"target_revision_id\":18115,\"drupal_internal__target_id\":3451}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/0a3e39c3-11df-48ee-acda-d4be29d1eb91/field_specialty_item?resourceVersion=id%3A18116\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/0a3e39c3-11df-48ee-acda-d4be29d1eb91/relationships/field_specialty_item?resourceVersion=id%3A18116\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"cd0b41ba-9490-40c4-b79f-df959006794c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cd0b41ba-9490-40c4-b79f-df959006794c?resourceVersion=id%3A18117\"}},\"attributes\":{\"drupal_internal__id\":3495,\"drupal_internal__revision_id\":18117,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-01-12T15:53:24+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"\u003cp\u003eWe are here to help if you have questions about your PIA. You can send an email to the Privacy Office: \u003ca href=\\\"mailto:privacy@cms.hhs.gov\\\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e. Or check in the CMS Slack community: \u003cstrong\u003e#ispg-sec_privacy-policy\u003c/strong\u003e.\u003c/p\u003e\u003cp\u003eYou can also review the \u003ca href=\\\"https://security.cms.gov/policy-guidance/cms-privacy-impact-assessment-pia-handbook\\\"\u003eCMS Privacy Impact Assessment Handbook\u003c/a\u003e for tips and guidance on completing your PIA.\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003cp\u003eWe are here to help if you have questions about your PIA. You can send an email to the Privacy Office: \u003ca href=\\\"mailto:privacy@cms.hhs.gov\\\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e. Or check in the CMS Slack community: \u003cstrong\u003e#ispg-sec_privacy-policy\u003c/strong\u003e.\u003c/p\u003e\u003cp\u003eYou can also review the \u003ca href=\\\"https://security.cms.gov/policy-guidance/cms-privacy-impact-assessment-pia-handbook\\\"\u003eCMS Privacy Impact Assessment Handbook\u003c/a\u003e for tips and guidance on completing your PIA.\u003c/p\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cd0b41ba-9490-40c4-b79f-df959006794c/paragraph_type?resourceVersion=id%3A18117\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cd0b41ba-9490-40c4-b79f-df959006794c/relationships/paragraph_type?resourceVersion=id%3A18117\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cd0b41ba-9490-40c4-b79f-df959006794c/field_specialty_item?resourceVersion=id%3A18117\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cd0b41ba-9490-40c4-b79f-df959006794c/relationships/field_specialty_item?resourceVersion=id%3A18117\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"f80019c4-4d24-4380-b378-2dfc808c692a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/f80019c4-4d24-4380-b378-2dfc808c692a?resourceVersion=id%3A18108\"}},\"attributes\":{\"drupal_internal__id\":3445,\"drupal_internal__revision_id\":18108,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:06:37+00:00\",\"parent_id\":\"511\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":{\"uri\":\"https://security.cms.gov/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"title\":\"\",\"options\":[],\"url\":\"https://security.cms.gov/policy-guidance/cms-privacy-impact-assessment-pia-handbook\"},\"field_call_out_link_text\":\"Go to the Handbook\",\"field_call_out_text\":{\"value\":\"The CMS Privacy Impact Assessment Handbook has all the steps and instructions for successfully completing a PIA.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThe CMS Privacy Impact Assessment Handbook has all the steps and instructions for successfully completing a PIA.\u003c/p\u003e\\n\"},\"field_header\":\"PIA Handbook\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/f80019c4-4d24-4380-b378-2dfc808c692a/paragraph_type?resourceVersion=id%3A18108\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/f80019c4-4d24-4380-b378-2dfc808c692a/relationships/paragraph_type?resourceVersion=id%3A18108\"}}}}},{\"type\":\"paragraph--process_list\",\"id\":\"fdc1b5d6-f626-4532-b6d5-30fce76bc7e0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/fdc1b5d6-f626-4532-b6d5-30fce76bc7e0?resourceVersion=id%3A18115\"}},\"attributes\":{\"drupal_internal__id\":3451,\"drupal_internal__revision_id\":18115,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:08:56+00:00\",\"parent_id\":\"3452\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":{\"drupal_internal__target_id\":\"process_list\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/fdc1b5d6-f626-4532-b6d5-30fce76bc7e0/paragraph_type?resourceVersion=id%3A18115\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/fdc1b5d6-f626-4532-b6d5-30fce76bc7e0/relationships/paragraph_type?resourceVersion=id%3A18115\"}}},\"field_process_list_item\":{\"data\":[{\"type\":\"paragraph--process_list_item\",\"id\":\"bf3c612b-c439-43d0-95da-a1a6e159e2eb\",\"meta\":{\"target_revision_id\":18110,\"drupal_internal__target_id\":3446}},{\"type\":\"paragraph--process_list_item\",\"id\":\"bdd69606-1a9f-48de-9393-db2424228d59\",\"meta\":{\"target_revision_id\":18111,\"drupal_internal__target_id\":3447}},{\"type\":\"paragraph--process_list_item\",\"id\":\"8b1a44b9-642e-4b9b-935a-40e25cf67060\",\"meta\":{\"target_revision_id\":18112,\"drupal_internal__target_id\":3448}},{\"type\":\"paragraph--process_list_item\",\"id\":\"0cd75987-c788-45bf-b07b-4bc6d679e712\",\"meta\":{\"target_revision_id\":18113,\"drupal_internal__target_id\":3449}},{\"type\":\"paragraph--process_list_item\",\"id\":\"b77ca506-f10b-4574-8783-5500c35ff2ee\",\"meta\":{\"target_revision_id\":18114,\"drupal_internal__target_id\":3450}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/fdc1b5d6-f626-4532-b6d5-30fce76bc7e0/field_process_list_item?resourceVersion=id%3A18115\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/fdc1b5d6-f626-4532-b6d5-30fce76bc7e0/relationships/field_process_list_item?resourceVersion=id%3A18115\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"bf3c612b-c439-43d0-95da-a1a6e159e2eb\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/bf3c612b-c439-43d0-95da-a1a6e159e2eb?resourceVersion=id%3A18110\"}},\"attributes\":{\"drupal_internal__id\":3446,\"drupal_internal__revision_id\":18110,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:08:56+00:00\",\"parent_id\":\"3451\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003e\u003cstrong\u003eProduced by: SO/BO, ISSO, Cyber Risk Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eFollowing any of the scenarios or major changes that would require the completion of a PIA, the System/Business Owner works with the ISSO to draft a new or revised PIA in CFACTS. Upon completion of the new or revised PIA, the System/Business Owner or ISSO will contact the CRA for review. In CFACTS, the queue for the System/Business owner or ISSO is “ISSO Submitter '' for the PIA.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003e\u003cstrong\u003eProduced by: SO/BO, ISSO, Cyber Risk Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eFollowing any of the scenarios or major changes that would require the completion of a PIA, the System/Business Owner works with the ISSO to draft a new or revised PIA in CFACTS. Upon completion of the new or revised PIA, the System/Business Owner or ISSO will contact the CRA for review. In CFACTS, the queue for the System/Business owner or ISSO is “ISSO Submitter '' for the PIA.\u003c/p\u003e\"},\"field_list_item_title\":\"PIA initial draft\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/bf3c612b-c439-43d0-95da-a1a6e159e2eb/paragraph_type?resourceVersion=id%3A18110\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/bf3c612b-c439-43d0-95da-a1a6e159e2eb/relationships/paragraph_type?resourceVersion=id%3A18110\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"bdd69606-1a9f-48de-9393-db2424228d59\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/bdd69606-1a9f-48de-9393-db2424228d59?resourceVersion=id%3A18111\"}},\"attributes\":{\"drupal_internal__id\":3447,\"drupal_internal__revision_id\":18111,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:09:21+00:00\",\"parent_id\":\"3451\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003e\u003cstrong\u003eProduced by: CRA, Privacy Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CRA reviews the PIA in collaboration with the Privacy Advisor and coordinates recommended changes with the system/business owner or ISSO. Any identified privacy risks or compliance issues should be resolved before submission to the Senior Official for Privacy (SOP) for approval. If the SOP or Senior Agency Official for Privacy (SAOP) recommends changes, the review process will continue from this step as needed until the PIA is approved and finalized by the SAOP.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003e\u003cstrong\u003eProduced by: CRA, Privacy Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CRA reviews the PIA in collaboration with the Privacy Advisor and coordinates recommended changes with the system/business owner or ISSO. Any identified privacy risks or compliance issues should be resolved before submission to the Senior Official for Privacy (SOP) for approval. If the SOP or Senior Agency Official for Privacy (SAOP) recommends changes, the review process will continue from this step as needed until the PIA is approved and finalized by the SAOP.\u003c/p\u003e\"},\"field_list_item_title\":\"PIA review / revision\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/bdd69606-1a9f-48de-9393-db2424228d59/paragraph_type?resourceVersion=id%3A18111\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/bdd69606-1a9f-48de-9393-db2424228d59/relationships/paragraph_type?resourceVersion=id%3A18111\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"8b1a44b9-642e-4b9b-935a-40e25cf67060\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8b1a44b9-642e-4b9b-935a-40e25cf67060?resourceVersion=id%3A18112\"}},\"attributes\":{\"drupal_internal__id\":3448,\"drupal_internal__revision_id\":18112,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:09:48+00:00\",\"parent_id\":\"3451\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003e\u003cstrong\u003eProduced by: CMS Senior Official for Privacy (SOP), Final Approver\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SOP or designated Final Approver will review the PIA and recommend approval to HHS if no changes are recommended.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003e\u003cstrong\u003eProduced by: CMS Senior Official for Privacy (SOP), Final Approver\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SOP or designated Final Approver will review the PIA and recommend approval to HHS if no changes are recommended.\u003c/p\u003e\"},\"field_list_item_title\":\"PIA approval\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8b1a44b9-642e-4b9b-935a-40e25cf67060/paragraph_type?resourceVersion=id%3A18112\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8b1a44b9-642e-4b9b-935a-40e25cf67060/relationships/paragraph_type?resourceVersion=id%3A18112\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"0cd75987-c788-45bf-b07b-4bc6d679e712\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/0cd75987-c788-45bf-b07b-4bc6d679e712?resourceVersion=id%3A18113\"}},\"attributes\":{\"drupal_internal__id\":3449,\"drupal_internal__revision_id\":18113,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:10:10+00:00\",\"parent_id\":\"3451\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003e\u003cstrong\u003eProduced by: Senior Agency Official for Privacy (SAOP)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SAOP will designate staff to review all PIAs before approval for signature. If no changes are recommended, the SOP and SAOP will digitally sign the PIA. Once signed by the SOP and SAOP, the PIA is approved and complete for a length of time as discussed above.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003e\u003cstrong\u003eProduced by: Senior Agency Official for Privacy (SAOP)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe SAOP will designate staff to review all PIAs before approval for signature. If no changes are recommended, the SOP and SAOP will digitally sign the PIA. Once signed by the SOP and SAOP, the PIA is approved and complete for a length of time as discussed above.\u003c/p\u003e\"},\"field_list_item_title\":\"PIA signing\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/0cd75987-c788-45bf-b07b-4bc6d679e712/paragraph_type?resourceVersion=id%3A18113\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/0cd75987-c788-45bf-b07b-4bc6d679e712/relationships/paragraph_type?resourceVersion=id%3A18113\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"b77ca506-f10b-4574-8783-5500c35ff2ee\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b77ca506-f10b-4574-8783-5500c35ff2ee?resourceVersion=id%3A18114\"}},\"attributes\":{\"drupal_internal__id\":3450,\"drupal_internal__revision_id\":18114,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-25T13:10:38+00:00\",\"parent_id\":\"3451\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eHHS will submit the final PIA for publication to the \u003ca href=\\\"https://www.hhs.gov/pia\\\"\u003eHHS PIA internet site\u003c/a\u003e.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eHHS will submit the final PIA for publication to the \u003ca href=\\\"https://www.hhs.gov/pia\\\"\u003eHHS PIA internet site\u003c/a\u003e.\u003c/p\u003e\"},\"field_list_item_title\":\"PIA posting\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b77ca506-f10b-4574-8783-5500c35ff2ee/paragraph_type?resourceVersion=id%3A18114\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b77ca506-f10b-4574-8783-5500c35ff2ee/relationships/paragraph_type?resourceVersion=id%3A18114\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"06f52736-42ef-4a3e-a5a5-239887c37d8f\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/06f52736-42ef-4a3e-a5a5-239887c37d8f?resourceVersion=id%3A18118\"}},\"attributes\":{\"drupal_internal__id\":2066,\"drupal_internal__revision_id\":18118,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-16T14:54:27+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/06f52736-42ef-4a3e-a5a5-239887c37d8f/paragraph_type?resourceVersion=id%3A18118\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/06f52736-42ef-4a3e-a5a5-239887c37d8f/relationships/paragraph_type?resourceVersion=id%3A18118\"}}},\"field_link\":{\"data\":{\"type\":\"node--library\",\"id\":\"ddb65a30-0e50-44c7-a6bd-084b9a7e6f06\",\"meta\":{\"drupal_internal__target_id\":421}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/06f52736-42ef-4a3e-a5a5-239887c37d8f/field_link?resourceVersion=id%3A18118\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/06f52736-42ef-4a3e-a5a5-239887c37d8f/relationships/field_link?resourceVersion=id%3A18118\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"8d2e8289-04d9-4f94-a59e-ea72edc28a57\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d2e8289-04d9-4f94-a59e-ea72edc28a57?resourceVersion=id%3A18119\"}},\"attributes\":{\"drupal_internal__id\":2071,\"drupal_internal__revision_id\":18119,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-16T14:54:37+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d2e8289-04d9-4f94-a59e-ea72edc28a57/paragraph_type?resourceVersion=id%3A18119\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d2e8289-04d9-4f94-a59e-ea72edc28a57/relationships/paragraph_type?resourceVersion=id%3A18119\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"meta\":{\"drupal_internal__target_id\":261}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d2e8289-04d9-4f94-a59e-ea72edc28a57/field_link?resourceVersion=id%3A18119\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8d2e8289-04d9-4f94-a59e-ea72edc28a57/relationships/field_link?resourceVersion=id%3A18119\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"f809e191-d1ff-4924-8b94-9e0f705b1620\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f809e191-d1ff-4924-8b94-9e0f705b1620?resourceVersion=id%3A18120\"}},\"attributes\":{\"drupal_internal__id\":2076,\"drupal_internal__revision_id\":18120,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-16T14:54:49+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f809e191-d1ff-4924-8b94-9e0f705b1620/paragraph_type?resourceVersion=id%3A18120\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f809e191-d1ff-4924-8b94-9e0f705b1620/relationships/paragraph_type?resourceVersion=id%3A18120\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"meta\":{\"drupal_internal__target_id\":206}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f809e191-d1ff-4924-8b94-9e0f705b1620/field_link?resourceVersion=id%3A18120\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f809e191-d1ff-4924-8b94-9e0f705b1620/relationships/field_link?resourceVersion=id%3A18120\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"fe146104-4cdc-4270-80c9-3cf6b03f6f4b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fe146104-4cdc-4270-80c9-3cf6b03f6f4b?resourceVersion=id%3A18121\"}},\"attributes\":{\"drupal_internal__id\":2081,\"drupal_internal__revision_id\":18121,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-16T14:55:33+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fe146104-4cdc-4270-80c9-3cf6b03f6f4b/paragraph_type?resourceVersion=id%3A18121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fe146104-4cdc-4270-80c9-3cf6b03f6f4b/relationships/paragraph_type?resourceVersion=id%3A18121\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"9086328f-ae1d-4345-a435-8300071aae86\",\"meta\":{\"drupal_internal__target_id\":641}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fe146104-4cdc-4270-80c9-3cf6b03f6f4b/field_link?resourceVersion=id%3A18121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fe146104-4cdc-4270-80c9-3cf6b03f6f4b/relationships/field_link?resourceVersion=id%3A18121\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"9d66b298-b9ef-4ae5-8a79-b1613b838eb6\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9d66b298-b9ef-4ae5-8a79-b1613b838eb6?resourceVersion=id%3A18122\"}},\"attributes\":{\"drupal_internal__id\":2086,\"drupal_internal__revision_id\":18122,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-16T14:55:39+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9d66b298-b9ef-4ae5-8a79-b1613b838eb6/paragraph_type?resourceVersion=id%3A18122\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9d66b298-b9ef-4ae5-8a79-b1613b838eb6/relationships/paragraph_type?resourceVersion=id%3A18122\"}}},\"field_link\":{\"data\":{\"type\":\"unknown\",\"id\":\"missing\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#missing\",\"meta\":{\"about\":\"Usage and meaning of the 'missing' resource identifier.\"}}}}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9d66b298-b9ef-4ae5-8a79-b1613b838eb6/field_link?resourceVersion=id%3A18122\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9d66b298-b9ef-4ae5-8a79-b1613b838eb6/relationships/field_link?resourceVersion=id%3A18122\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"71620d65-13f9-45f3-b8fb-0108fba8c4b0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71620d65-13f9-45f3-b8fb-0108fba8c4b0?resourceVersion=id%3A18123\"}},\"attributes\":{\"drupal_internal__id\":2091,\"drupal_internal__revision_id\":18123,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-16T14:55:45+00:00\",\"parent_id\":\"426\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71620d65-13f9-45f3-b8fb-0108fba8c4b0/paragraph_type?resourceVersion=id%3A18123\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71620d65-13f9-45f3-b8fb-0108fba8c4b0/relationships/paragraph_type?resourceVersion=id%3A18123\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"5b6426b9-0294-40a7-9777-28b1e5871345\",\"meta\":{\"drupal_internal__target_id\":361}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71620d65-13f9-45f3-b8fb-0108fba8c4b0/field_link?resourceVersion=id%3A18123\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/71620d65-13f9-45f3-b8fb-0108fba8c4b0/relationships/field_link?resourceVersion=id%3A18123\"}}}}},{\"type\":\"node--library\",\"id\":\"ddb65a30-0e50-44c7-a6bd-084b9a7e6f06\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06?resourceVersion=id%3A5561\"}},\"attributes\":{\"drupal_internal__nid\":421,\"drupal_internal__vid\":5561,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-07T20:11:35+00:00\",\"status\":true,\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"created\":\"2022-08-29T17:13:40+00:00\",\"changed\":\"2024-06-06T17:47:05+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"pid\":411,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1c\",\"format\":\"body_text\",\"processed\":\"$1d\",\"summary\":\"\"},\"field_contact_email\":\"privacy@cms.hhs.gov\",\"field_contact_name\":\"Privacy Office\",\"field_last_reviewed\":\"2023-01-20\",\"field_related_resources\":[{\"uri\":\"entity:node/206\",\"title\":\"Authorization to Operate (ATO) \",\"options\":[],\"url\":\"/learn/authorization-operate-ato\"},{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2)\",\"options\":[],\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"},{\"uri\":\"https://www.hhs.gov/pia/index.html\",\"title\":\"HHS Privacy Impact Assessment (PIA) information\",\"options\":[],\"url\":\"https://www.hhs.gov/pia/index.html\"}],\"field_short_description\":{\"value\":\"Information, tips, and tricks for writing your Privacy Impact Assessment (PIA) concisely and correctly\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eInformation, tips, and tricks for writing your Privacy Impact Assessment (PIA) concisely and correctly\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/node_type?resourceVersion=id%3A5561\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/relationships/node_type?resourceVersion=id%3A5561\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\",\"meta\":{\"drupal_internal__target_id\":110}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/revision_uid?resourceVersion=id%3A5561\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/relationships/revision_uid?resourceVersion=id%3A5561\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/uid?resourceVersion=id%3A5561\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/relationships/uid?resourceVersion=id%3A5561\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/field_resource_type?resourceVersion=id%3A5561\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/relationships/field_resource_type?resourceVersion=id%3A5561\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/field_roles?resourceVersion=id%3A5561\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/relationships/field_roles?resourceVersion=id%3A5561\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":{\"drupal_internal__target_id\":31}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/field_topics?resourceVersion=id%3A5561\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ddb65a30-0e50-44c7-a6bd-084b9a7e6f06/relationships/field_topics?resourceVersion=id%3A5561\"}}}}},{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b?resourceVersion=id%3A5999\"}},\"attributes\":{\"drupal_internal__nid\":261,\"drupal_internal__vid\":5999,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-05T18:41:37+00:00\",\"status\":true,\"title\":\"CMS FISMA Continuous Tracking System (CFACTS)\",\"created\":\"2022-08-26T14:57:02+00:00\",\"changed\":\"2024-12-05T18:41:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"pid\":251,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ciso@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team \",\"field_short_description\":{\"value\":\"CFACTS is a CMS database that tracks application security deficiencies and POA\u0026Ms, and supports the ATO process\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCFACTS is a CMS database that tracks application security deficiencies and POA\u0026amp;Ms, and supports the ATO process\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cfacts_community\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/node_type?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/node_type?resourceVersion=id%3A5999\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/revision_uid?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/revision_uid?resourceVersion=id%3A5999\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/uid?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/uid?resourceVersion=id%3A5999\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"963db416-cca0-421d-8c3e-40c8e2ce190f\",\"meta\":{\"target_revision_id\":19655,\"drupal_internal__target_id\":2101}},{\"type\":\"paragraph--page_section\",\"id\":\"9b87eb1d-cb43-472b-9b5b-8618d2688563\",\"meta\":{\"target_revision_id\":19660,\"drupal_internal__target_id\":446}},{\"type\":\"paragraph--page_section\",\"id\":\"122a8de9-c38d-492b-bc93-b43b270f2933\",\"meta\":{\"target_revision_id\":19666,\"drupal_internal__target_id\":1781}},{\"type\":\"paragraph--page_section\",\"id\":\"594617c8-824a-4962-aa08-fdf8dd4677fb\",\"meta\":{\"target_revision_id\":19667,\"drupal_internal__target_id\":3468}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_page_section?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_page_section?resourceVersion=id%3A5999\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"76dcb171-ae0a-42ba-b330-b93b63633cdd\",\"meta\":{\"target_revision_id\":19668,\"drupal_internal__target_id\":1816}},{\"type\":\"paragraph--internal_link\",\"id\":\"7f340091-9774-491a-817d-0cdfaf0c72d1\",\"meta\":{\"target_revision_id\":19669,\"drupal_internal__target_id\":1821}},{\"type\":\"paragraph--internal_link\",\"id\":\"4b7486bb-57c5-440b-b07c-54deb80f1ca1\",\"meta\":{\"target_revision_id\":19670,\"drupal_internal__target_id\":1826}},{\"type\":\"paragraph--internal_link\",\"id\":\"d72a41d1-1d17-452f-9375-aea58d84e8e7\",\"meta\":{\"target_revision_id\":19671,\"drupal_internal__target_id\":1831}},{\"type\":\"paragraph--internal_link\",\"id\":\"726e3057-d549-4d7d-80c7-0f4c5d5f8007\",\"meta\":{\"target_revision_id\":19672,\"drupal_internal__target_id\":3462}},{\"type\":\"paragraph--internal_link\",\"id\":\"dbde5fa8-5137-4df4-af83-a4330e0778c7\",\"meta\":{\"target_revision_id\":19673,\"drupal_internal__target_id\":3463}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_related_collection?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_related_collection?resourceVersion=id%3A5999\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_resource_type?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_resource_type?resourceVersion=id%3A5999\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_roles?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_roles?resourceVersion=id%3A5999\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_topics?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_topics?resourceVersion=id%3A5999\"}}}}},{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2?resourceVersion=id%3A5737\"}},\"attributes\":{\"drupal_internal__nid\":206,\"drupal_internal__vid\":5737,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-31T17:37:48+00:00\",\"status\":true,\"title\":\"Authorization to Operate (ATO)\",\"created\":\"2022-08-25T19:06:37+00:00\",\"changed\":\"2024-07-31T17:37:48+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/authorization-operate-ato\",\"pid\":196,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Testing and documenting system security and compliance to gain approval to operate the system at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting and documenting system security and compliance to gain approval to operate the system at CMS\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cra-help\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/node_type?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/node_type?resourceVersion=id%3A5737\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/revision_uid?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/revision_uid?resourceVersion=id%3A5737\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/uid?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/uid?resourceVersion=id%3A5737\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"d94629f9-9668-41dd-bce7-a4f267239c07\",\"meta\":{\"target_revision_id\":18928,\"drupal_internal__target_id\":711}},{\"type\":\"paragraph--page_section\",\"id\":\"243e2d3f-f903-438c-8b1f-aee53390b1df\",\"meta\":{\"target_revision_id\":18929,\"drupal_internal__target_id\":736}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_page_section?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_page_section?resourceVersion=id%3A5737\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"6f904ac4-c80e-47d9-b786-ee79256befed\",\"meta\":{\"target_revision_id\":18930,\"drupal_internal__target_id\":3376}},{\"type\":\"paragraph--internal_link\",\"id\":\"e20959d7-2a7b-4a01-b985-cfa5363233f5\",\"meta\":{\"target_revision_id\":18931,\"drupal_internal__target_id\":1306}},{\"type\":\"paragraph--internal_link\",\"id\":\"dba9b926-f657-43ce-bc94-0a2d803430c6\",\"meta\":{\"target_revision_id\":18932,\"drupal_internal__target_id\":1316}},{\"type\":\"paragraph--internal_link\",\"id\":\"44f7083e-9341-42a5-85dc-a9043cdccdce\",\"meta\":{\"target_revision_id\":18933,\"drupal_internal__target_id\":2521}},{\"type\":\"paragraph--internal_link\",\"id\":\"bd0366d9-64ce-401f-9453-bf38aa8054a1\",\"meta\":{\"target_revision_id\":18934,\"drupal_internal__target_id\":3444}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_related_collection?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_related_collection?resourceVersion=id%3A5737\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_resource_type?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_resource_type?resourceVersion=id%3A5737\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_roles?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_roles?resourceVersion=id%3A5737\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_topics?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_topics?resourceVersion=id%3A5737\"}}}}},{\"type\":\"node--explainer\",\"id\":\"9086328f-ae1d-4345-a435-8300071aae86\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86?resourceVersion=id%3A6121\"}},\"attributes\":{\"drupal_internal__nid\":641,\"drupal_internal__vid\":6121,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-16T20:56:12+00:00\",\"status\":true,\"title\":\"CMS Computer Matching Agreement (CMA)\",\"created\":\"2023-02-02T14:59:22+00:00\",\"changed\":\"2025-01-16T20:56:12+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-computer-matching-agreement-cma\",\"pid\":631,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"privacy@cms.hhs.gov\",\"field_contact_name\":\"Privacy Office\",\"field_short_description\":{\"value\":\"Written agreement used in the comparison of automated systems of record between federal or state agencies\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eWritten agreement used in the comparison of automated systems of record between federal or state agencies\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-privacy-agreement-consults\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/node_type?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/node_type?resourceVersion=id%3A6121\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/revision_uid?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/revision_uid?resourceVersion=id%3A6121\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/uid?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/uid?resourceVersion=id%3A6121\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"ebf079d8-dd73-43d4-b270-1dffecde688b\",\"meta\":{\"target_revision_id\":20081,\"drupal_internal__target_id\":451}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/field_page_section?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/field_page_section?resourceVersion=id%3A6121\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"5fc47ff1-39bd-4c95-b001-ad89e85cd007\",\"meta\":{\"target_revision_id\":20086,\"drupal_internal__target_id\":1876}},{\"type\":\"paragraph--internal_link\",\"id\":\"7f569b2e-5e41-45c0-954e-df9128d24e6e\",\"meta\":{\"target_revision_id\":20091,\"drupal_internal__target_id\":3576}},{\"type\":\"paragraph--internal_link\",\"id\":\"8dde78c3-a853-4117-b100-c1c97b47829c\",\"meta\":{\"target_revision_id\":20096,\"drupal_internal__target_id\":3581}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/field_related_collection?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/field_related_collection?resourceVersion=id%3A6121\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/field_resource_type?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/field_resource_type?resourceVersion=id%3A6121\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/field_roles?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/field_roles?resourceVersion=id%3A6121\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":{\"drupal_internal__target_id\":31}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/field_topics?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/field_topics?resourceVersion=id%3A6121\"}}}}},{\"type\":\"node--explainer\",\"id\":\"5b6426b9-0294-40a7-9777-28b1e5871345\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345?resourceVersion=id%3A5569\"}},\"attributes\":{\"drupal_internal__nid\":361,\"drupal_internal__vid\":5569,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-07T20:13:41+00:00\",\"status\":true,\"title\":\"CMS Information System Risk Assessment (ISRA)\",\"created\":\"2022-08-29T16:38:23+00:00\",\"changed\":\"2024-06-06T16:33:51+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-information-system-risk-assessment-isra\",\"pid\":351,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team \",\"field_short_description\":{\"value\":\"Documentation of a systems vulnerabilities, security controls, risk levels, and recommended safeguards for keeping information safe\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eDocumentation of a systems vulnerabilities, security controls, risk levels, and recommended safeguards for keeping information safe\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cfacts_community \"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/node_type?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/node_type?resourceVersion=id%3A5569\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\",\"meta\":{\"drupal_internal__target_id\":110}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/revision_uid?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/revision_uid?resourceVersion=id%3A5569\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/uid?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/uid?resourceVersion=id%3A5569\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"feb4d8d9-ed3e-43c2-b62b-f77023f548e9\",\"meta\":{\"target_revision_id\":18217,\"drupal_internal__target_id\":476}},{\"type\":\"paragraph--page_section\",\"id\":\"b08b1d31-0c03-4be6-8cf9-f50c60301736\",\"meta\":{\"target_revision_id\":18218,\"drupal_internal__target_id\":3477}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_page_section?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_page_section?resourceVersion=id%3A5569\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"15c0be8e-28f3-4243-81c4-b3fde7bfe552\",\"meta\":{\"target_revision_id\":18219,\"drupal_internal__target_id\":1856}},{\"type\":\"paragraph--internal_link\",\"id\":\"944c647d-37f9-4d4d-8a1e-f5e9983042c4\",\"meta\":{\"target_revision_id\":18220,\"drupal_internal__target_id\":1861}},{\"type\":\"paragraph--internal_link\",\"id\":\"8719d442-16f0-42ef-a4c6-2c807896ddb8\",\"meta\":{\"target_revision_id\":18221,\"drupal_internal__target_id\":1866}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_related_collection?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_related_collection?resourceVersion=id%3A5569\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_resource_type?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_resource_type?resourceVersion=id%3A5569\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_roles?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_roles?resourceVersion=id%3A5569\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_topics?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_topics?resourceVersion=id%3A5569\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1e\",\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\":\"$28\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$2c\",\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\":\"$30\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$4a\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$64\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$7e\",\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\":\"$98\",\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\":\"$b2\",\"6a7003c0-dd34-424b-abe5-dcdbb4ae4e21\":\"$cc\",\"0a3e39c3-11df-48ee-acda-d4be29d1eb91\":\"$e1\",\"cd0b41ba-9490-40c4-b79f-df959006794c\":\"$f6\",\"f80019c4-4d24-4380-b378-2dfc808c692a\":\"$107\",\"fdc1b5d6-f626-4532-b6d5-30fce76bc7e0\":\"$116\",\"bf3c612b-c439-43d0-95da-a1a6e159e2eb\":\"$131\",\"bdd69606-1a9f-48de-9393-db2424228d59\":\"$13e\",\"8b1a44b9-642e-4b9b-935a-40e25cf67060\":\"$14b\",\"0cd75987-c788-45bf-b07b-4bc6d679e712\":\"$158\",\"b77ca506-f10b-4574-8783-5500c35ff2ee\":\"$165\",\"06f52736-42ef-4a3e-a5a5-239887c37d8f\":\"$172\",\"8d2e8289-04d9-4f94-a59e-ea72edc28a57\":\"$184\",\"f809e191-d1ff-4924-8b94-9e0f705b1620\":\"$196\",\"fe146104-4cdc-4270-80c9-3cf6b03f6f4b\":\"$1a8\",\"9d66b298-b9ef-4ae5-8a79-b1613b838eb6\":\"$1ba\",\"71620d65-13f9-45f3-b8fb-0108fba8c4b0\":\"$1cf\",\"ddb65a30-0e50-44c7-a6bd-084b9a7e6f06\":\"$1e1\",\"de0901ae-4ea5-491c-badd-90a32da3989b\":\"$21e\",\"defa7277-790b-4bbd-b6ee-cc539e121df2\":\"$272\",\"9086328f-ae1d-4345-a435-8300071aae86\":\"$2bc\",\"5b6426b9-0294-40a7-9777-28b1e5871345\":\"$2fe\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Privacy Impact Assessment (PIA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Process that identifies and mitigates privacy risks for CMS systems regarding the use of Personally Identifiable Information (PII)\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/privacy-impact-assessment-pia\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"Privacy Impact Assessment (PIA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Process that identifies and mitigates privacy risks for CMS systems regarding the use of Personally Identifiable Information (PII)\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/privacy-impact-assessment-pia\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/privacy-impact-assessment-pia/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"Privacy Impact Assessment (PIA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Process that identifies and mitigates privacy risks for CMS systems regarding the use of Personally Identifiable Information (PII)\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/privacy-impact-assessment-pia/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>
Reference in a new issue View git blame Copy permalink