1 line
No EOL
326 KiB
Text
1 line
No EOL
326 KiB
Text
<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>SaaS Governance (SaaSG) | CMS Information Security & Privacy Group</title><meta name="description" content="Considerations and guidelines for CMS business units wanting to use SaaS applications"/><link rel="canonical" href="https://security.cms.gov/learn/saas-governance-saasg"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="SaaS Governance (SaaSG) | CMS Information Security & Privacy Group"/><meta property="og:description" content="Considerations and guidelines for CMS business units wanting to use SaaS applications"/><meta property="og:url" content="https://security.cms.gov/learn/saas-governance-saasg"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/saas-governance-saasg/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="SaaS Governance (SaaSG) | CMS Information Security & Privacy Group"/><meta name="twitter:description" content="Considerations and guidelines for CMS business units wanting to use SaaS applications"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/saas-governance-saasg/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=16&q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here's how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here's how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance & Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance & Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments & Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy & Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy & Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accessibility Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools & Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools & Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting & Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests & Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">SaaS Governance (SaaSG)</h1><p class="hero__description">Considerations and guidelines for CMS business units wanting to use SaaS applications</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">SaaSG Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:saasg@cms.hhs.gov">saasg@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 margin-top-0">#ispg-saas-governance</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>What is SaaS Governance at CMS?</h2><p>Using Software-as-a-Service (SaaS), where an application is delivered as a service via the Internet, is increasingly popular and encouraged at CMS. It removes the burden of deploying, maintaining, and updating software or hardware – saving time and money. </p><p>However, SaaS users have little to no visibility or control over the provider’s software or infrastructure. This means that SaaS can introduce unexpected risks and vulnerabilities into the CMS environment. </p><p>The SaaS Governance (SaaSG) program helps CMS understand and manage SaaS risk and make good business decisions around SaaS usage. We do this by taking a comprehensive approach with these ongoing activities: </p><ul><li><strong>Discover - </strong>Inventory and track SaaS application usage across the enterprise</li><li><strong>Manage - </strong>Develop policies and procedures for evaluating and authorizing SaaS products through the Rapid Cloud Review (RCR) Process</li><li><strong>Secure - </strong>Continuously monitor SaaS application configuration to align with agency policy, security standards, and best practices</li></ul><h2>Is SaaS the right choice for my business?</h2><p>Though they are effective and convenient, SaaS solutions are not always the best choice. It depends on the use case, adjacent technologies, and other factors. Proper due diligence is important before starting to use a new SaaS product. The SaaSG team is here to help! For Business Owners wanting to use a new SaaS product, we provide:</p><ul><li>Guidance in evaluating potential risks</li><li>Resources to help you determine suitability</li><li>A clear process for review and approval</li></ul><h2>How do I get approval for SaaS?</h2><p>We want to help you get started with your new solution quickly if it meets business needs and security criteria. Follow these steps:</p></div><div><ol class="usa-process-list"><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Evaluate the product</h4><div class="margin-top-05 usa-process-list__description"><p>Use the <a href="https://cmsbox.box.com/s/f5u2ms4idxqza7ckbw1hs1a455omc2im">CMS SaaS Buyer’s Guide</a> (requires access to CMS Box) as a checklist to determine if the product will meet your business needs – and to make sure the provider is addressing important cybersecurity considerations.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Check existing SaaS solutions</h4><div class="margin-top-05 usa-process-list__description"><p>The <a href="https://tableau.bi.cms.gov/#/site/CEDE/views/SaaSGovernanceDashboards_16860786175160/SaaSinReview?:iid=1">CMS SaaSG Dashboard</a> is a list of SaaS products already approved (or going through the approval process) at CMS. Check to see if one of these will meet your needs. If you are unable to view the dashboard, please ensure you have the EUA job code: TABLEAU_DIR_VIEWER_PRD. For assistance logging into the Tableau SaaS Dashboard, click <a href="https://app.box.com/file/1262804094940">HERE</a> to review the login guide.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Submit a request for review</h4><div class="margin-top-05 usa-process-list__description"><p>If you have determined that the SaaS product you’re considering is right for your needs and is not already being used at CMS, then you can submit the product to be reviewed by the SaaSG team to start a Rapid Cloud Review (RCR) assessment. Complete the <a href="https://coda.io/form/CMS-SaaS-Governance-Intake-Form_dddeq-6DEo6?FormSource=CyberGeek">SaaS Request Intake Form</a> (the Business Owner, ISSO, CRA, or designee can do this). Contact the SaaSG team via email (<a href="mailto:saasg@cms.hhs.gov">saasg@cms.hhs.gov</a>) if you need help with the form.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Respond to follow-up questions</h4><div class="margin-top-05 usa-process-list__description"><p>As the SaaSG team reviews your proposed SaaS product, we may ask for additional information. We may also need to schedule meetings with you or the SaaS provider. Timely and clear responses to these requests will help move the process along and lead to a faster decision. Meanwhile, you can use the SaaSG Dashboard in Tableau to track the progress of your request.</p></div></li></ol></div><div class="text-block text-block--theme-explainer"><h2 dir="ltr">The RCR (Rapid Cloud Review) Process</h2><p dir="ltr">Added in June 2024, <a href="https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#cloud-computing-requirements-cms-cld">section CMS-CLD-1.1 of the IS2P2</a> requires all non-<a href="https://security.cms.gov/learn/fedramp">FedRAMP</a> Authorized SaaS products used at CMS to go through a Rapid Cloud Review (RCR) process. </p><p dir="ltr">The RCR aims to help CMS stakeholders understand the risk posture of a SaaS vendor, their responsibilities before they agree to implement a pilot or procuring license, and provide clear, comprehensive information about the security risk they are responsible for managing. </p><h3 dir="ltr">Do I need to go through RCR? </h3><p dir="ltr">All CMS stakeholders should go through the RCR process for any SaaS applications that have not completed the FedRAMP authorization process. </p><p dir="ltr"><strong>Yes, an RCR is required</strong> if any of these are true of your application: </p><ul><li dir="ltr">It is <strong>unaccredited </strong>— that is, it has not been accredited in any form</li><li dir="ltr"><strong>FedRAMP review is in process</strong>, either by an agency or joint agency agreement</li><li dir="ltr">It’s <strong>FedRAMP ready</strong>, but not yet FedRAMP authorized</li></ul><p dir="ltr">No. Your SaaS application does not need an RCR if all of these things are true: </p><ul><li dir="ltr">Already FedRAMP authorized (not just ready, and the review is complete, not in process)</li><li dir="ltr">Approved in a current CMS <a href="https://security.cms.gov/learn/federal-information-security-modernization-act-fisma">FISMA</a> boundary </li><li dir="ltr">Has an <a href="https://security.cms.gov/learn/authorization-operate-ato">Authorization to Operate</a> (ATO)</li><li dir="ltr">Has a CMS-issued RCR P-PTO, and the use case is the same</li></ul><p dir="ltr">Note: the CMS Business Owner (BO) must confirm that the use case has not changed since the initial RCR assessment. If the use case has changed, you do need an RCR. </p><h4 dir="ltr">SaaS you’re already using needs to go through the RCR process</h4><p dir="ltr">Even if you’ve been using your SaaS for a while, if it is unaccredited and has not received FedRAMP approval, you still need to complete an RCR.</p><p dir="ltr">The SaaSG Team is going through a list of discovered, unaccredited SaaS applications, and will contact any Business Owners using a SaaS that has not yet been reviewed. Unaccredited means “any SaaS that does not have approval through the CMS ATO approval process.”</p><p dir="ltr">The report includes risk determinations, and has incorporated routing through ServiceNow (SNOW) to obtain approvals from the CMS CISO and CIO. If you review the SaaS dashboard in Tableau, it may say some RCRs reviewed a while ago are still unaccredited. That is because they were never officially pushed through the SNOW process after review. </p><h4 dir="ltr">SaaS that has been through the RCR Process</h4><p dir="ltr">You can use a SaaS application that has already been through the RCR process, as long asthe use case is the same as the initial RCR assessment. You do not need to repeat the RCR process.</p><p dir="ltr">However, if the RCR was completed more than 6 months ago, the SaaSG team will contact the SaaS vendor for updated security artifacts (such as the SOC2 and the penetration test report) to see if there are any deltas in the results.</p><h4 dir="ltr">SaaS approved in a FISMA ATO property</h4><p dir="ltr">If your SaaS was part of a FISMA ATO property and has already been approved, you do not need to go through the RCR process.</p><p dir="ltr">However, the SaaSG team would still like to know and track that in their inventory list in case another CMS Business Owner or Application User wants to use the same SaaS application.</p><h3 dir="ltr">Steps to complete the RCR process</h3><p dir="ltr">The typical timeframe for reviewing and completing RCR requests is about 2-3 weeks. However, the duration of this process depends on the responsiveness of the vendor when providing requested artifacts and follow-up information.</p></div><div><ol class="usa-process-list"><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Kickoff and intake form</h4><div class="margin-top-05 usa-process-list__description"><ol><li dir="ltr">Provide SaaSG overview</li><li dir="ltr">Determine use case</li><li dir="ltr">Discuss RCR process and next steps</li><li dir="ltr">Send BO Intake form link from Coda</li></ol></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Request</h4><div class="margin-top-05 usa-process-list__description"><p>Send request for information to the vendor</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Review</h4><div class="margin-top-05 usa-process-list__description"><ol><li dir="ltr">Perform Artifact review</li><li dir="ltr">Run perimeter scan</li><li dir="ltr">Reach out to the vendor for follow-up questions (if needed) </li></ol></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Outcome: Approval or Denial</h4><div class="margin-top-05 usa-process-list__description"><ol><li dir="ltr">Document findings from artifact review</li><li dir="ltr">Review CMS <a href="https://security.cms.gov/learn/supply-chain-risk-management-scrm">Supply Chain Risk Management</a> (SCRM) findings*</li><li dir="ltr">Finalize RCR report</li><li dir="ltr">Send final report to all stakeholders from SaaS Request</li><li dir="ltr">Out brief Meeting Scheduled (Provide an opportunity to discuss report findings and recommendations with BO)</li><li dir="ltr">Issue P-ATO (Provisional Authority to Operate) if approved by AO</li></ol></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">ConMon or Offboarding</h4><div class="margin-top-05 usa-process-list__description"><p>Check in with BO on current SaaS status after 90 days.</p><ul><li dir="ltr">ConMon (<a href="https://security.cms.gov/policy-guidance/cms-cyber-risk-management-plan-crmp#continuous-monitoring">Continuous Monitoring</a>)<ul><li dir="ltr">ISM/SSO Integration</li><li dir="ltr">Onboarded into SSPM</li><li dir="ltr">Third-Party Risk Management Integration</li><li dir="ltr"><a href="https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic">CMS Cybersecurity Integration Center</a> (CCIC) Integration</li><li dir="ltr"><a href="https://security.cms.gov/learn/cms-security-data-lake-sdl">CMS Security Data Lake</a> (SDL) Integration</li></ul></li><li dir="ltr">Offboard process for unused SaaS</li></ul></div></li></ol><div class="margin-top-105"><p>The RCR process incorporates some <a href="https://security.cms.gov/learn/supply-chain-risk-management-scrm">CMS SCRM</a> functionality to help identify concerns about Foreign Ownership Control and Influence (FOCI).</p></div></div><div class="text-block text-block--theme-explainer"><h3 dir="ltr">Provisional ATO (P-ATO)</h3><p dir="ltr">If your SaaS is not FedRAMP-approved, you will need to go through the RCR process to obtain a P-ATO.</p><p dir="ltr">This includes:</p><ul><li dir="ltr">Your SaaS is unaccredited, because it has not been accredited in any form</li><li dir="ltr">Your FedRAMP review is in process, either by an agency or joint agency agreement</li><li dir="ltr">Your SaaS is FedRAMP ready, but not yet FedRAMP authorized</li></ul><p dir="ltr">The CMS Authorization Official (AO) awards P-ATO status to SaaS that is approved through the Rapid Cloud Review (RCR) process. P-ATOs grant a SaaS compliance for one year, and will be onboarded into SSPM. SaaS will be evaluated to see if it is a candidate for Ongoing Authorization (OA).</p><h3 dir="ltr">High risk SaaS</h3><p dir="ltr">If you complete the RCR process and your SaaS is determined to be high risk, you will most likely not obtain the CMS AO's approval. </p><p dir="ltr">You will need to work with your Cyber Risk Advisor (CRA) and Information Systems Security Officer (ISSO) to understand what factors led to your SaaS being deemed high risk. You may have to work with the SaaS vendor to see if they can implement any mitigations to reduce the risk and bring it into an acceptable risk threshold.</p><h4 dir="ltr">SaaS unsuitable for FedRAMP authorization </h4><p dir="ltr">SaaS that is unsuitable for a FedRAMP authorization and deemed low or moderate risk will go through the ATO approval process and obtain a P-ATO from the CMS AO.</p><p dir="ltr">That SaaS will then be placed into the continuous monitoring process, which means it will have continuous authorization.</p><p dir="ltr">The SaaSG team will reassess the SaaS annually, at a minimum, unless the use case changes to warrant a more frequent evaluation.</p></div><div class="text-block text-block--theme-explainer"><h2>Frequently asked questions</h2><p><strong>Will SaaS currently in use (at CMS) continue to be approved for use without the need for review?</strong></p><p>SaaS that has been previously approved with a CMS ATO or FedRAMP authorization is not required to be reviewed by the SaaSG group.</p><p><strong>Would the SaaS product still have to be included in the FISMA system boundary?</strong></p><p>Yes, but we are looking at ways to move these approved SaaS requests under a sanctioned boundary in the future that will provide some of the customer control capabilities.</p><h2>Contact the SaaS Team</h2><p>The SaaSG Team can answer questions regarding any aspect of the SaaSG program, policies, guidance, or processes. You can reach us by email at <a href="mailto:saasg@cms.hhs.gov">saasg@cms.hhs.gov</a> or find our team on CMS Slack at #ispg-saas-governance.</p></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-cloud-services">CMS Cloud Services</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Platform-As-A-Service with tools, security, and support services designed specifically for CMS</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/fedramp">Federal Risk and Authorization Management Program (FedRAMP)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Provides a federally-recognized and standardized security framework for all cloud products and services</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/zero-trust">Zero Trust </a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Security paradigm that requires the continuous verification of system users to promote system security</p></div></div></li></ul></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare & Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"saas-governance-saasg\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"saas-governance-saasg\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"saas-governance-saasg\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"saas-governance-saasg\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:T789,\u003ch2\u003eWhat is SaaS Governance at CMS?\u003c/h2\u003e\u003cp\u003eUsing Software-as-a-Service (SaaS), where an application is delivered as a service via the Internet, is increasingly popular and encouraged at CMS. It removes the burden of deploying, maintaining, and updating software or hardware – saving time and money.\u0026nbsp;\u003c/p\u003e\u003cp\u003eHowever, SaaS users have little to no visibility or control over the provider’s software or infrastructure. This means that SaaS can introduce unexpected risks and vulnerabilities into the CMS environment.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe SaaS Governance (SaaSG) program helps CMS understand and manage SaaS risk and make good business decisions around SaaS usage. We do this by taking a comprehensive approach with these ongoing activities:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eDiscover - \u003c/strong\u003eInventory and track SaaS application usage across the enterprise\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eManage - \u003c/strong\u003eDevelop policies and procedures for evaluating and authorizing SaaS products through the Rapid Cloud Review (RCR) Process\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSecure - \u003c/strong\u003eContinuously monitor SaaS application configuration to align with agency policy, security standards, and best practices\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIs SaaS the right choice for my business?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThough they are effective and convenient, SaaS solutions are not always the best choice. It depends on the use case, adjacent technologies, and other factors. Proper due diligence is important before starting to use a new SaaS product. The SaaSG team is here to help! For Business Owners wanting to use a new SaaS product, we provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eGuidance in evaluating potential risks\u003c/li\u003e\u003cli\u003eResources to help you determine suitab"])</script><script>self.__next_f.push([1,"ility\u003c/li\u003e\u003cli\u003eA clear process for review and approval\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eHow do I get approval for SaaS?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWe want to help you get started with your new solution quickly if it meets business needs and security criteria. Follow these steps:\u003c/p\u003e19:T789,\u003ch2\u003eWhat is SaaS Governance at CMS?\u003c/h2\u003e\u003cp\u003eUsing Software-as-a-Service (SaaS), where an application is delivered as a service via the Internet, is increasingly popular and encouraged at CMS. It removes the burden of deploying, maintaining, and updating software or hardware – saving time and money.\u0026nbsp;\u003c/p\u003e\u003cp\u003eHowever, SaaS users have little to no visibility or control over the provider’s software or infrastructure. This means that SaaS can introduce unexpected risks and vulnerabilities into the CMS environment.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe SaaS Governance (SaaSG) program helps CMS understand and manage SaaS risk and make good business decisions around SaaS usage. We do this by taking a comprehensive approach with these ongoing activities:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eDiscover - \u003c/strong\u003eInventory and track SaaS application usage across the enterprise\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eManage - \u003c/strong\u003eDevelop policies and procedures for evaluating and authorizing SaaS products through the Rapid Cloud Review (RCR) Process\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSecure - \u003c/strong\u003eContinuously monitor SaaS application configuration to align with agency policy, security standards, and best practices\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIs SaaS the right choice for my business?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThough they are effective and convenient, SaaS solutions are not always the best choice. It depends on the use case, adjacent technologies, and other factors. Proper due diligence is important before starting to use a new SaaS product. The SaaSG team is here to help! For Business Owners wanting to use a new SaaS product, we provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eGuidance in evaluating potential risks\u003c/li\u003e\u003cli\u003eResources to help you determine suitability\u003c/li\u003e\u003cli\u003eA clear process for review and approval\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eHow do I get approval for SaaS?\u003c/str"])</script><script>self.__next_f.push([1,"ong\u003e\u003c/h2\u003e\u003cp\u003eWe want to help you get started with your new solution quickly if it meets business needs and security criteria. Follow these steps:\u003c/p\u003e1a:T10be,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eThe RCR (Rapid Cloud Review) Process\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAdded in June 2024,\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#cloud-computing-requirements-cms-cld\"\u003esection CMS-CLD-1.1 of the IS2P2\u003c/a\u003e requires all non-\u003ca href=\"https://security.cms.gov/learn/fedramp\"\u003eFedRAMP\u003c/a\u003e Authorized SaaS products used at CMS to go through a Rapid Cloud Review (RCR) process.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe RCR aims to help CMS stakeholders understand the risk posture of a SaaS vendor, their responsibilities before they agree to implement a pilot or procuring license, and provide clear, comprehensive information about the security risk they are responsible for managing.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eDo I need to go through RCR?\u0026nbsp;\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAll CMS stakeholders should go through the RCR process for any SaaS applications that have not completed the FedRAMP authorization process.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eYes, an RCR is required\u003c/strong\u003e if any of these are true of your application:\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eIt is\u0026nbsp;\u003cstrong\u003eunaccredited\u0026nbsp;\u003c/strong\u003e— that is, it has not been accredited in any form\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eFedRAMP review is in process\u003c/strong\u003e, either by an agency or joint agency agreement\u003c/li\u003e\u003cli dir=\"ltr\"\u003eIt’s\u0026nbsp;\u003cstrong\u003eFedRAMP ready\u003c/strong\u003e, but not yet FedRAMP authorized\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eNo. Your SaaS application does not need an RCR if all of these things are true:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eAlready FedRAMP authorized (not just ready, and the review is complete, not in process)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eApproved in a current CMS \u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma\"\u003eFISMA\u003c/a\u003e boundary\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHas an \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate\u003c/a\u003e (ATO)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHas a CMS-issued RCR P-PTO, and the use case is the same\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eNote: the CMS Business Owner (BO) must confirm that the use case has not changed since the initial RCR assessment. If the use case has changed, you do need an RCR.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS you’re already using needs to go through the RCR process\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eEven if you’ve been using your SaaS for a while, if it is unaccredited and has not received FedRAMP approval, you still need to complete an RCR.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe SaaSG Team is going through a list of discovered, unaccredited SaaS applications, and will contact any Business Owners using a SaaS that has not yet been reviewed. Unaccredited means “any SaaS that does not have approval through the CMS ATO approval process.”\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe report includes risk determinations, and has incorporated routing through ServiceNow (SNOW) to obtain approvals from the CMS CISO and CIO. If you review the SaaS dashboard in Tableau, it may say some RCRs reviewed a while ago are still unaccredited. That is because they were never officially pushed through the SNOW process after review.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS that has been through the RCR Process\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eYou can use a SaaS application that has already been through the RCR process, as long asthe use case is the same as the initial RCR assessment. You do not need to repeat the RCR process.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eHowever, if the RCR was completed more than 6 months ago, the SaaSG team will contact the SaaS vendor for updated security artifacts (such as the SOC2 and the penetration test report) to see if there are any deltas in the results.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS approved in a FISMA ATO property\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eIf your SaaS was part of a FISMA ATO property and has already been approved, you do not need to go through the RCR process.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eHowever, the SaaSG team would still like to know and track that in their inventory list in case another CMS Business Owner or Application User wants to use the same SaaS application.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eSteps to complete the RCR process\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe typical timeframe for reviewing and completing RCR requests is about 2-3 weeks. However, the duration of this process depends on the responsiveness of the vendor when providing requested artifacts and follow-up information.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1b:T10be,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eThe RCR (Rapid Cloud Review) Process\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAdded in June 2024,\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#cloud-computing-requirements-cms-cld\"\u003esection CMS-CLD-1.1 of the IS2P2\u003c/a\u003e requires all non-\u003ca href=\"https://security.cms.gov/learn/fedramp\"\u003eFedRAMP\u003c/a\u003e Authorized SaaS products used at CMS to go through a Rapid Cloud Review (RCR) process.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe RCR aims to help CMS stakeholders understand the risk posture of a SaaS vendor, their responsibilities before they agree to implement a pilot or procuring license, and provide clear, comprehensive information about the security risk they are responsible for managing.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eDo I need to go through RCR?\u0026nbsp;\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAll CMS stakeholders should go through the RCR process for any SaaS applications that have not completed the FedRAMP authorization process.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eYes, an RCR is required\u003c/strong\u003e if any of these are true of your application:\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eIt is\u0026nbsp;\u003cstrong\u003eunaccredited\u0026nbsp;\u003c/strong\u003e— that is, it has not been accredited in any form\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eFedRAMP review is in process\u003c/strong\u003e, either by an agency or joint agency agreement\u003c/li\u003e\u003cli dir=\"ltr\"\u003eIt’s\u0026nbsp;\u003cstrong\u003eFedRAMP ready\u003c/strong\u003e, but not yet FedRAMP authorized\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eNo. Your SaaS application does not need an RCR if all of these things are true:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eAlready FedRAMP authorized (not just ready, and the review is complete, not in process)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eApproved in a current CMS \u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma\"\u003eFISMA\u003c/a\u003e boundary\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHas an \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate\u003c/a\u003e (ATO)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHas a CMS-issued RCR P-PTO, and the use case is the same\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eNote: the CMS Business Owner (BO) must confirm that the use case has not changed since the initial RCR assessment. If the use case has changed, you do need an RCR.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS you’re already using needs to go through the RCR process\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eEven if you’ve been using your SaaS for a while, if it is unaccredited and has not received FedRAMP approval, you still need to complete an RCR.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe SaaSG Team is going through a list of discovered, unaccredited SaaS applications, and will contact any Business Owners using a SaaS that has not yet been reviewed. Unaccredited means “any SaaS that does not have approval through the CMS ATO approval process.”\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe report includes risk determinations, and has incorporated routing through ServiceNow (SNOW) to obtain approvals from the CMS CISO and CIO. If you review the SaaS dashboard in Tableau, it may say some RCRs reviewed a while ago are still unaccredited. That is because they were never officially pushed through the SNOW process after review.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS that has been through the RCR Process\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eYou can use a SaaS application that has already been through the RCR process, as long asthe use case is the same as the initial RCR assessment. You do not need to repeat the RCR process.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eHowever, if the RCR was completed more than 6 months ago, the SaaSG team will contact the SaaS vendor for updated security artifacts (such as the SOC2 and the penetration test report) to see if there are any deltas in the results.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS approved in a FISMA ATO property\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eIf your SaaS was part of a FISMA ATO property and has already been approved, you do not need to go through the RCR process.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eHowever, the SaaSG team would still like to know and track that in their inventory list in case another CMS Business Owner or Application User wants to use the same SaaS application.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eSteps to complete the RCR process\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe typical timeframe for reviewing and completing RCR requests is about 2-3 weeks. However, the duration of this process depends on the responsiveness of the vendor when providing requested artifacts and follow-up information.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1c:T722,\u003ch3 dir=\"ltr\"\u003eProvisional ATO (P-ATO)\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eIf your SaaS is not FedRAMP-approved, you will need to go through the RCR process to obtain a P-ATO.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThis includes:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eYour SaaS is unaccredited, because it has not been accredited in any form\u003c/li\u003e\u003cli dir=\"ltr\"\u003eYour FedRAMP review is in process, either by an agency or joint agency agreement\u003c/li\u003e\u003cli dir=\"ltr\"\u003eYour SaaS is FedRAMP ready, but not yet FedRAMP authorized\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CMS Authorization Official (AO) awards P-ATO status to SaaS that is approved through the Rapid Cloud Review (RCR) process. P-ATOs grant a SaaS compliance for one year, and will be onboarded into SSPM. SaaS will be evaluated to see if it is a candidate for Ongoing Authorization (OA).\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHigh risk SaaS\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eIf you complete the RCR process and your SaaS is determined to be high risk, you will most likely not obtain the CMS AO's approval.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eYou will need to work with your Cyber Risk Advisor (CRA) and Information Systems Security Officer (ISSO) to understand what factors led to your SaaS being deemed high risk. You may have to work with the SaaS vendor to see if they can implement any mitigations to reduce the risk and bring it into an acceptable risk threshold.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS unsuitable for FedRAMP authorization\u0026nbsp;\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eSaaS that is unsuitable for a FedRAMP authorization and deemed low or moderate risk will go through the ATO approval process and obtain a P-ATO from the CMS AO.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThat SaaS will then be placed into the continuous monitoring process, which means it will have continuous authorization.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe SaaSG team will reassess the SaaS annually, at a minimum, unless the use case changes to warrant a more frequent evaluation.\u003c/p\u003e1d:T722,\u003ch3 dir=\"ltr\"\u003eProvisional ATO (P-ATO)\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eIf your SaaS is not FedRAMP-approved, you will need to go through the RCR process to obtain a P-ATO.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThis includes:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr"])</script><script>self.__next_f.push([1,"\"\u003eYour SaaS is unaccredited, because it has not been accredited in any form\u003c/li\u003e\u003cli dir=\"ltr\"\u003eYour FedRAMP review is in process, either by an agency or joint agency agreement\u003c/li\u003e\u003cli dir=\"ltr\"\u003eYour SaaS is FedRAMP ready, but not yet FedRAMP authorized\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CMS Authorization Official (AO) awards P-ATO status to SaaS that is approved through the Rapid Cloud Review (RCR) process. P-ATOs grant a SaaS compliance for one year, and will be onboarded into SSPM. SaaS will be evaluated to see if it is a candidate for Ongoing Authorization (OA).\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHigh risk SaaS\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eIf you complete the RCR process and your SaaS is determined to be high risk, you will most likely not obtain the CMS AO's approval.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eYou will need to work with your Cyber Risk Advisor (CRA) and Information Systems Security Officer (ISSO) to understand what factors led to your SaaS being deemed high risk. You may have to work with the SaaS vendor to see if they can implement any mitigations to reduce the risk and bring it into an acceptable risk threshold.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS unsuitable for FedRAMP authorization\u0026nbsp;\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eSaaS that is unsuitable for a FedRAMP authorization and deemed low or moderate risk will go through the ATO approval process and obtain a P-ATO from the CMS AO.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThat SaaS will then be placed into the continuous monitoring process, which means it will have continuous authorization.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe SaaSG team will reassess the SaaS annually, at a minimum, unless the use case changes to warrant a more frequent evaluation.\u003c/p\u003e20:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1f:{\"self\":\"$20\"}\n23:[\"menu_ui\",\"scheduler\"]\n22:{\"module\":\"$23\"}\n26:[]\n25:{\"available_menus\":\"$26\",\"parent\":\"\"}\n27:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\""])</script><script>self.__next_f.push([1,"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n24:{\"menu_ui\":\"$25\",\"scheduler\":\"$27\"}\n21:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$22\",\"third_party_settings\":\"$24\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1e:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1f\",\"attributes\":\"$21\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}\n29:{\"self\":\"$2a\"}\n2b:{\"display_name\":\"mburgess\"}\n28:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":\"$29\",\"attributes\":\"$2b\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4?resourceVersion=id%3A121\"}\n2d:{\"self\":\"$2e\"}\n30:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n2f:{\"drupal_internal__tid\":121,\"drupal_internal__revision_id\":121,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:12+00:00\",\"status\":true,\"name\":\"Tools / Services\",\"description\":null,\"weight\":5,\"changed\":\"2023-06-14T19:04:09+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$30\"}\n34:{\"drupal_internal__target_id\":\"resource_type\"}\n33:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$34\"}\n36:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/vid?resourceVersion=id%3A121\"}\n37:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/vid?resourceVersion=id%3A121\"}\n35:{\"related\":\"$36\",\"self\":\"$37\"}\n32:{\"data\":\"$33\",\"links\":\"$35\"}\n3a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907"])</script><script>self.__next_f.push([1,"eeb-b0a8-4dd3-8818-37cb1557a8f4/revision_user?resourceVersion=id%3A121\"}\n3b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/revision_user?resourceVersion=id%3A121\"}\n39:{\"related\":\"$3a\",\"self\":\"$3b\"}\n38:{\"data\":null,\"links\":\"$39\"}\n42:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n41:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$42\"}\n40:{\"help\":\"$41\"}\n3f:{\"links\":\"$40\"}\n3e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$3f\"}\n3d:[\"$3e\"]\n44:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/parent?resourceVersion=id%3A121\"}\n45:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/parent?resourceVersion=id%3A121\"}\n43:{\"related\":\"$44\",\"self\":\"$45\"}\n3c:{\"data\":\"$3d\",\"links\":\"$43\"}\n31:{\"vid\":\"$32\",\"revision_user\":\"$38\",\"parent\":\"$3c\"}\n2c:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"links\":\"$2d\",\"attributes\":\"$2f\",\"relationships\":\"$31\"}\n48:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n47:{\"self\":\"$48\"}\n4a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n49:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4a\"}\n4e:{\"drupal_internal__target_id\":\"roles\"}\n4d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$4e\"}\n50:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n51:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0"])</script><script>self.__next_f.push([1,"fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n4f:{\"related\":\"$50\",\"self\":\"$51\"}\n4c:{\"data\":\"$4d\",\"links\":\"$4f\"}\n54:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n55:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n53:{\"related\":\"$54\",\"self\":\"$55\"}\n52:{\"data\":null,\"links\":\"$53\"}\n5c:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n5b:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5c\"}\n5a:{\"help\":\"$5b\"}\n59:{\"links\":\"$5a\"}\n58:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$59\"}\n57:[\"$58\"]\n5e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n5f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n5d:{\"related\":\"$5e\",\"self\":\"$5f\"}\n56:{\"data\":\"$57\",\"links\":\"$5d\"}\n4b:{\"vid\":\"$4c\",\"revision_user\":\"$52\",\"parent\":\"$56\"}\n46:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$47\",\"attributes\":\"$49\",\"relationships\":\"$4b\"}\n62:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n61:{\"self\":\"$62\"}\n64:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n63:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$64\"}\n68:{\"drupal_internal__target_id\":\"roles\"}\n67:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$68\"}\n6a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/"])</script><script>self.__next_f.push([1,"f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n6b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n69:{\"related\":\"$6a\",\"self\":\"$6b\"}\n66:{\"data\":\"$67\",\"links\":\"$69\"}\n6e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n6d:{\"related\":\"$6e\",\"self\":\"$6f\"}\n6c:{\"data\":null,\"links\":\"$6d\"}\n76:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n75:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$76\"}\n74:{\"help\":\"$75\"}\n73:{\"links\":\"$74\"}\n72:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$73\"}\n71:[\"$72\"]\n78:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n79:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n77:{\"related\":\"$78\",\"self\":\"$79\"}\n70:{\"data\":\"$71\",\"links\":\"$77\"}\n65:{\"vid\":\"$66\",\"revision_user\":\"$6c\",\"parent\":\"$70\"}\n60:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$61\",\"attributes\":\"$63\",\"relationships\":\"$65\"}\n7c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c?resourceVersion=id%3A41\"}\n7b:{\"self\":\"$7c\"}\n7e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n7d:{\"drupal_internal__tid\":41,\"drupal_internal__revision_id\":41,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:04+00:00\",\"status\":true,\"name\":\"Application Security\",\"description\":null,\"weight\":0,\"changed\":\"2022-09-28T21:04:30+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$7e\"}\n82:{\"drupal_internal__target_id\":\"topics\"}\n81:{\"type\":\"taxonomy_vocabulary--ta"])</script><script>self.__next_f.push([1,"xonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$82\"}\n84:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/vid?resourceVersion=id%3A41\"}\n85:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/vid?resourceVersion=id%3A41\"}\n83:{\"related\":\"$84\",\"self\":\"$85\"}\n80:{\"data\":\"$81\",\"links\":\"$83\"}\n88:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/revision_user?resourceVersion=id%3A41\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/revision_user?resourceVersion=id%3A41\"}\n87:{\"related\":\"$88\",\"self\":\"$89\"}\n86:{\"data\":null,\"links\":\"$87\"}\n90:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n8f:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$90\"}\n8e:{\"help\":\"$8f\"}\n8d:{\"links\":\"$8e\"}\n8c:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$8d\"}\n8b:[\"$8c\"]\n92:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/parent?resourceVersion=id%3A41\"}\n93:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/parent?resourceVersion=id%3A41\"}\n91:{\"related\":\"$92\",\"self\":\"$93\"}\n8a:{\"data\":\"$8b\",\"links\":\"$91\"}\n7f:{\"vid\":\"$80\",\"revision_user\":\"$86\",\"parent\":\"$8a\"}\n7a:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"links\":\"$7b\",\"attributes\":\"$7d\",\"relationships\":\"$7f\"}\n96:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}\n95:{\"self\":\"$96\"}\n98:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n97:{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\""])</script><script>self.__next_f.push([1,"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$98\"}\n9c:{\"drupal_internal__target_id\":\"topics\"}\n9b:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$9c\"}\n9e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"}\n9f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}\n9d:{\"related\":\"$9e\",\"self\":\"$9f\"}\n9a:{\"data\":\"$9b\",\"links\":\"$9d\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}\na1:{\"related\":\"$a2\",\"self\":\"$a3\"}\na0:{\"data\":null,\"links\":\"$a1\"}\naa:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\na9:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$aa\"}\na8:{\"help\":\"$a9\"}\na7:{\"links\":\"$a8\"}\na6:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$a7\"}\na5:[\"$a6\"]\nac:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"}\nad:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}\nab:{\"related\":\"$ac\",\"self\":\"$ad\"}\na4:{\"data\":\"$a5\",\"links\":\"$ab\"}\n99:{\"vid\":\"$9a\",\"revision_user\":\"$a0\",\"parent\":\"$a4\"}\n94:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":\"$95\",\"attributes\":\"$97\",\"relationships\":\"$99\"}\nb0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/32796f74-9a4b-49be-b101-133dce4c4568?resourceVersion=id%3A19389\"}\nb1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/32796f74-9a4b-49be-b101-133dce4c4568?resourceVersion=rel%3Aworking-copy\"}\naf:{"])</script><script>self.__next_f.push([1,"\"self\":\"$b0\",\"working-copy\":\"$b1\"}\nb3:[]\nb5:T789,\u003ch2\u003eWhat is SaaS Governance at CMS?\u003c/h2\u003e\u003cp\u003eUsing Software-as-a-Service (SaaS), where an application is delivered as a service via the Internet, is increasingly popular and encouraged at CMS. It removes the burden of deploying, maintaining, and updating software or hardware – saving time and money.\u0026nbsp;\u003c/p\u003e\u003cp\u003eHowever, SaaS users have little to no visibility or control over the provider’s software or infrastructure. This means that SaaS can introduce unexpected risks and vulnerabilities into the CMS environment.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe SaaS Governance (SaaSG) program helps CMS understand and manage SaaS risk and make good business decisions around SaaS usage. We do this by taking a comprehensive approach with these ongoing activities:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eDiscover - \u003c/strong\u003eInventory and track SaaS application usage across the enterprise\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eManage - \u003c/strong\u003eDevelop policies and procedures for evaluating and authorizing SaaS products through the Rapid Cloud Review (RCR) Process\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSecure - \u003c/strong\u003eContinuously monitor SaaS application configuration to align with agency policy, security standards, and best practices\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIs SaaS the right choice for my business?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThough they are effective and convenient, SaaS solutions are not always the best choice. It depends on the use case, adjacent technologies, and other factors. Proper due diligence is important before starting to use a new SaaS product. The SaaSG team is here to help! For Business Owners wanting to use a new SaaS product, we provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eGuidance in evaluating potential risks\u003c/li\u003e\u003cli\u003eResources to help you determine suitability\u003c/li\u003e\u003cli\u003eA clear process for review and approval\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eHow do I get approval for SaaS?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWe want to help you get started with your new solution quickly if it meets business needs and security criteria. Follow these steps:\u003c/p\u003eb6:T789,\u003ch2\u003eWhat is SaaS Governance at CMS?\u003c/h2\u003e\u003cp\u003eUsing Software-as-a"])</script><script>self.__next_f.push([1,"-Service (SaaS), where an application is delivered as a service via the Internet, is increasingly popular and encouraged at CMS. It removes the burden of deploying, maintaining, and updating software or hardware – saving time and money.\u0026nbsp;\u003c/p\u003e\u003cp\u003eHowever, SaaS users have little to no visibility or control over the provider’s software or infrastructure. This means that SaaS can introduce unexpected risks and vulnerabilities into the CMS environment.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe SaaS Governance (SaaSG) program helps CMS understand and manage SaaS risk and make good business decisions around SaaS usage. We do this by taking a comprehensive approach with these ongoing activities:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eDiscover - \u003c/strong\u003eInventory and track SaaS application usage across the enterprise\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eManage - \u003c/strong\u003eDevelop policies and procedures for evaluating and authorizing SaaS products through the Rapid Cloud Review (RCR) Process\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSecure - \u003c/strong\u003eContinuously monitor SaaS application configuration to align with agency policy, security standards, and best practices\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIs SaaS the right choice for my business?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThough they are effective and convenient, SaaS solutions are not always the best choice. It depends on the use case, adjacent technologies, and other factors. Proper due diligence is important before starting to use a new SaaS product. The SaaSG team is here to help! For Business Owners wanting to use a new SaaS product, we provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eGuidance in evaluating potential risks\u003c/li\u003e\u003cli\u003eResources to help you determine suitability\u003c/li\u003e\u003cli\u003eA clear process for review and approval\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eHow do I get approval for SaaS?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWe want to help you get started with your new solution quickly if it meets business needs and security criteria. Follow these steps:\u003c/p\u003eb4:{\"value\":\"$b5\",\"format\":\"body_text\",\"processed\":\"$b6\"}\nb2:{\"drupal_internal__id\":1446,\"drupal_internal__revision_id\":19389,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T20:"])</script><script>self.__next_f.push([1,"06:50+00:00\",\"parent_id\":\"736\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$b3\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$b4\"}\nba:{\"drupal_internal__target_id\":\"page_section\"}\nb9:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$ba\"}\nbc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/32796f74-9a4b-49be-b101-133dce4c4568/paragraph_type?resourceVersion=id%3A19389\"}\nbd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/32796f74-9a4b-49be-b101-133dce4c4568/relationships/paragraph_type?resourceVersion=id%3A19389\"}\nbb:{\"related\":\"$bc\",\"self\":\"$bd\"}\nb8:{\"data\":\"$b9\",\"links\":\"$bb\"}\nc0:{\"target_revision_id\":19388,\"drupal_internal__target_id\":1441}\nbf:{\"type\":\"paragraph--process_list\",\"id\":\"0e95620e-c7a4-4e21-b505-91a2f013a45a\",\"meta\":\"$c0\"}\nc2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/32796f74-9a4b-49be-b101-133dce4c4568/field_specialty_item?resourceVersion=id%3A19389\"}\nc3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/32796f74-9a4b-49be-b101-133dce4c4568/relationships/field_specialty_item?resourceVersion=id%3A19389\"}\nc1:{\"related\":\"$c2\",\"self\":\"$c3\"}\nbe:{\"data\":\"$bf\",\"links\":\"$c1\"}\nb7:{\"paragraph_type\":\"$b8\",\"field_specialty_item\":\"$be\"}\nae:{\"type\":\"paragraph--page_section\",\"id\":\"32796f74-9a4b-49be-b101-133dce4c4568\",\"links\":\"$af\",\"attributes\":\"$b2\",\"relationships\":\"$b7\"}\nc6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/23cc1637-59ba-448f-8e17-e5aed202cb74?resourceVersion=id%3A19396\"}\nc7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/23cc1637-59ba-448f-8e17-e5aed202cb74?resourceVersion=rel%3Aworking-copy\"}\nc5:{\"self\":\"$c6\",\"working-copy\":\"$c7\"}\nc9:[]\ncb:T10be,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eThe RCR (Rapid Cloud Review) Process\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAdded in June 2024,\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#cloud-computing-requirements-cms-cld\"\u003esection CMS-CLD-1.1 of the IS2P2\u003c/a\u003e requires all non-\u003ca href=\"https://security.cms.gov/learn/fedramp\"\u003eFedRAMP\u003c/a\u003e Authorized SaaS products used at CMS to go through a Rapid Cloud Review (RCR) process.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe RCR aims to help CMS stakeholders understand the risk posture of a SaaS vendor, their responsibilities before they agree to implement a pilot or procuring license, and provide clear, comprehensive information about the security risk they are responsible for managing.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eDo I need to go through RCR?\u0026nbsp;\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAll CMS stakeholders should go through the RCR process for any SaaS applications that have not completed the FedRAMP authorization process.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eYes, an RCR is required\u003c/strong\u003e if any of these are true of your application:\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eIt is\u0026nbsp;\u003cstrong\u003eunaccredited\u0026nbsp;\u003c/strong\u003e— that is, it has not been accredited in any form\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eFedRAMP review is in process\u003c/strong\u003e, either by an agency or joint agency agreement\u003c/li\u003e\u003cli dir=\"ltr\"\u003eIt’s\u0026nbsp;\u003cstrong\u003eFedRAMP ready\u003c/strong\u003e, but not yet FedRAMP authorized\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eNo. Your SaaS application does not need an RCR if all of these things are true:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eAlready FedRAMP authorized (not just ready, and the review is complete, not in process)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eApproved in a current CMS \u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma\"\u003eFISMA\u003c/a\u003e boundary\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHas an \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate\u003c/a\u003e (ATO)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHas a CMS-issued RCR P-PTO, and the use case is the same\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eNote: the CMS Business Owner (BO) must confirm that the use case has not changed since the initial RCR assessment. If the use case has changed, you do need an RCR.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS you’re already using needs to go through the RCR process\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eEven if you’ve been using your SaaS for a while, if it is unaccredited and has not received FedRAMP approval, you still need to complete an RCR.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe SaaSG Team is going through a list of discovered, unaccredited SaaS applications, and will contact any Business Owners using a SaaS that has not yet been reviewed. Unaccredited means “any SaaS that does not have approval through the CMS ATO approval process.”\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe report includes risk determinations, and has incorporated routing through ServiceNow (SNOW) to obtain approvals from the CMS CISO and CIO. If you review the SaaS dashboard in Tableau, it may say some RCRs reviewed a while ago are still unaccredited. That is because they were never officially pushed through the SNOW process after review.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS that has been through the RCR Process\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eYou can use a SaaS application that has already been through the RCR process, as long asthe use case is the same as the initial RCR assessment. You do not need to repeat the RCR process.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eHowever, if the RCR was completed more than 6 months ago, the SaaSG team will contact the SaaS vendor for updated security artifacts (such as the SOC2 and the penetration test report) to see if there are any deltas in the results.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS approved in a FISMA ATO property\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eIf your SaaS was part of a FISMA ATO property and has already been approved, you do not need to go through the RCR process.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eHowever, the SaaSG team would still like to know and track that in their inventory list in case another CMS Business Owner or Application User wants to use the same SaaS application.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eSteps to complete the RCR process\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe typical timeframe for reviewing and completing RCR requests is about 2-3 weeks. However, the duration of this process depends on the responsiveness of the vendor when providing requested artifacts and follow-up information.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"cc:T10be,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eThe RCR (Rapid Cloud Review) Process\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAdded in June 2024,\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#cloud-computing-requirements-cms-cld\"\u003esection CMS-CLD-1.1 of the IS2P2\u003c/a\u003e requires all non-\u003ca href=\"https://security.cms.gov/learn/fedramp\"\u003eFedRAMP\u003c/a\u003e Authorized SaaS products used at CMS to go through a Rapid Cloud Review (RCR) process.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe RCR aims to help CMS stakeholders understand the risk posture of a SaaS vendor, their responsibilities before they agree to implement a pilot or procuring license, and provide clear, comprehensive information about the security risk they are responsible for managing.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eDo I need to go through RCR?\u0026nbsp;\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAll CMS stakeholders should go through the RCR process for any SaaS applications that have not completed the FedRAMP authorization process.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eYes, an RCR is required\u003c/strong\u003e if any of these are true of your application:\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eIt is\u0026nbsp;\u003cstrong\u003eunaccredited\u0026nbsp;\u003c/strong\u003e— that is, it has not been accredited in any form\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eFedRAMP review is in process\u003c/strong\u003e, either by an agency or joint agency agreement\u003c/li\u003e\u003cli dir=\"ltr\"\u003eIt’s\u0026nbsp;\u003cstrong\u003eFedRAMP ready\u003c/strong\u003e, but not yet FedRAMP authorized\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eNo. Your SaaS application does not need an RCR if all of these things are true:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eAlready FedRAMP authorized (not just ready, and the review is complete, not in process)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eApproved in a current CMS \u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma\"\u003eFISMA\u003c/a\u003e boundary\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHas an \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate\u003c/a\u003e (ATO)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHas a CMS-issued RCR P-PTO, and the use case is the same\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eNote: the CMS Business Owner (BO) must confirm that the use case has not changed since the initial RCR assessment. If the use case has changed, you do need an RCR.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS you’re already using needs to go through the RCR process\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eEven if you’ve been using your SaaS for a while, if it is unaccredited and has not received FedRAMP approval, you still need to complete an RCR.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe SaaSG Team is going through a list of discovered, unaccredited SaaS applications, and will contact any Business Owners using a SaaS that has not yet been reviewed. Unaccredited means “any SaaS that does not have approval through the CMS ATO approval process.”\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe report includes risk determinations, and has incorporated routing through ServiceNow (SNOW) to obtain approvals from the CMS CISO and CIO. If you review the SaaS dashboard in Tableau, it may say some RCRs reviewed a while ago are still unaccredited. That is because they were never officially pushed through the SNOW process after review.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS that has been through the RCR Process\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eYou can use a SaaS application that has already been through the RCR process, as long asthe use case is the same as the initial RCR assessment. You do not need to repeat the RCR process.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eHowever, if the RCR was completed more than 6 months ago, the SaaSG team will contact the SaaS vendor for updated security artifacts (such as the SOC2 and the penetration test report) to see if there are any deltas in the results.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS approved in a FISMA ATO property\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eIf your SaaS was part of a FISMA ATO property and has already been approved, you do not need to go through the RCR process.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eHowever, the SaaSG team would still like to know and track that in their inventory list in case another CMS Business Owner or Application User wants to use the same SaaS application.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eSteps to complete the RCR process\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe typical timeframe for reviewing and completing RCR requests is about 2-3 weeks. However, the duration of this process depends on the responsiveness of the vendor when providing requested artifacts and follow-up information.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"ca:{\"value\":\"$cb\",\"format\":\"body_text\",\"processed\":\"$cc\"}\nc8:{\"drupal_internal__id\":3528,\"drupal_internal__revision_id\":19396,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:04:56+00:00\",\"parent_id\":\"736\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$c9\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$ca\"}\nd0:{\"drupal_internal__target_id\":\"page_section\"}\ncf:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$d0\"}\nd2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/23cc1637-59ba-448f-8e17-e5aed202cb74/paragraph_type?resourceVersion=id%3A19396\"}\nd3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/23cc1637-59ba-448f-8e17-e5aed202cb74/relationships/paragraph_type?resourceVersion=id%3A19396\"}\nd1:{\"related\":\"$d2\",\"self\":\"$d3\"}\nce:{\"data\":\"$cf\",\"links\":\"$d1\"}\nd6:{\"target_revision_id\":19395,\"drupal_internal__target_id\":3527}\nd5:{\"type\":\"paragraph--process_list\",\"id\":\"3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34\",\"meta\":\"$d6\"}\nd8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/23cc1637-59ba-448f-8e17-e5aed202cb74/field_specialty_item?resourceVersion=id%3A19396\"}\nd9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/23cc1637-59ba-448f-8e17-e5aed202cb74/relationships/field_specialty_item?resourceVersion=id%3A19396\"}\nd7:{\"related\":\"$d8\",\"self\":\"$d9\"}\nd4:{\"data\":\"$d5\",\"links\":\"$d7\"}\ncd:{\"paragraph_type\":\"$ce\",\"field_specialty_item\":\"$d4\"}\nc4:{\"type\":\"paragraph--page_section\",\"id\":\"23cc1637-59ba-448f-8e17-e5aed202cb74\",\"links\":\"$c5\",\"attributes\":\"$c8\",\"relationships\":\"$cd\"}\ndc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53da5747-8514-4ea5-9f3d-2905f9a61edb?resourceVersion=id%3A19397\"}\ndd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53da5747-8514-4ea5-9f3d-2905f9a61edb?resourceVersion=rel%3Aworking-copy\"}\ndb:{\"self\":\"$dc\",\"working-copy\":\"$dd\"}\ndf:[]\ne1:T722,\u003ch3 dir=\"ltr\"\u003eProvisional ATO (P-ATO)\u003c/h3\u003e\u003cp dir=\""])</script><script>self.__next_f.push([1,"ltr\"\u003eIf your SaaS is not FedRAMP-approved, you will need to go through the RCR process to obtain a P-ATO.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThis includes:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eYour SaaS is unaccredited, because it has not been accredited in any form\u003c/li\u003e\u003cli dir=\"ltr\"\u003eYour FedRAMP review is in process, either by an agency or joint agency agreement\u003c/li\u003e\u003cli dir=\"ltr\"\u003eYour SaaS is FedRAMP ready, but not yet FedRAMP authorized\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CMS Authorization Official (AO) awards P-ATO status to SaaS that is approved through the Rapid Cloud Review (RCR) process. P-ATOs grant a SaaS compliance for one year, and will be onboarded into SSPM. SaaS will be evaluated to see if it is a candidate for Ongoing Authorization (OA).\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHigh risk SaaS\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eIf you complete the RCR process and your SaaS is determined to be high risk, you will most likely not obtain the CMS AO's approval.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eYou will need to work with your Cyber Risk Advisor (CRA) and Information Systems Security Officer (ISSO) to understand what factors led to your SaaS being deemed high risk. You may have to work with the SaaS vendor to see if they can implement any mitigations to reduce the risk and bring it into an acceptable risk threshold.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS unsuitable for FedRAMP authorization\u0026nbsp;\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eSaaS that is unsuitable for a FedRAMP authorization and deemed low or moderate risk will go through the ATO approval process and obtain a P-ATO from the CMS AO.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThat SaaS will then be placed into the continuous monitoring process, which means it will have continuous authorization.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe SaaSG team will reassess the SaaS annually, at a minimum, unless the use case changes to warrant a more frequent evaluation.\u003c/p\u003ee2:T722,\u003ch3 dir=\"ltr\"\u003eProvisional ATO (P-ATO)\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eIf your SaaS is not FedRAMP-approved, you will need to go through the RCR process to obtain a P-ATO.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThis includes:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eYour SaaS is unaccredited, because it has not been accre"])</script><script>self.__next_f.push([1,"dited in any form\u003c/li\u003e\u003cli dir=\"ltr\"\u003eYour FedRAMP review is in process, either by an agency or joint agency agreement\u003c/li\u003e\u003cli dir=\"ltr\"\u003eYour SaaS is FedRAMP ready, but not yet FedRAMP authorized\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CMS Authorization Official (AO) awards P-ATO status to SaaS that is approved through the Rapid Cloud Review (RCR) process. P-ATOs grant a SaaS compliance for one year, and will be onboarded into SSPM. SaaS will be evaluated to see if it is a candidate for Ongoing Authorization (OA).\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHigh risk SaaS\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eIf you complete the RCR process and your SaaS is determined to be high risk, you will most likely not obtain the CMS AO's approval.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eYou will need to work with your Cyber Risk Advisor (CRA) and Information Systems Security Officer (ISSO) to understand what factors led to your SaaS being deemed high risk. You may have to work with the SaaS vendor to see if they can implement any mitigations to reduce the risk and bring it into an acceptable risk threshold.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eSaaS unsuitable for FedRAMP authorization\u0026nbsp;\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eSaaS that is unsuitable for a FedRAMP authorization and deemed low or moderate risk will go through the ATO approval process and obtain a P-ATO from the CMS AO.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThat SaaS will then be placed into the continuous monitoring process, which means it will have continuous authorization.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe SaaSG team will reassess the SaaS annually, at a minimum, unless the use case changes to warrant a more frequent evaluation.\u003c/p\u003ee0:{\"value\":\"$e1\",\"format\":\"body_text\",\"processed\":\"$e2\"}\nde:{\"drupal_internal__id\":3529,\"drupal_internal__revision_id\":19397,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:10:11+00:00\",\"parent_id\":\"736\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$df\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$e0\"}\ne6:{\"drupal_internal__target_id\":\"page_section\"}\ne5:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\""])</script><script>self.__next_f.push([1,":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$e6\"}\ne8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53da5747-8514-4ea5-9f3d-2905f9a61edb/paragraph_type?resourceVersion=id%3A19397\"}\ne9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53da5747-8514-4ea5-9f3d-2905f9a61edb/relationships/paragraph_type?resourceVersion=id%3A19397\"}\ne7:{\"related\":\"$e8\",\"self\":\"$e9\"}\ne4:{\"data\":\"$e5\",\"links\":\"$e7\"}\nec:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53da5747-8514-4ea5-9f3d-2905f9a61edb/field_specialty_item?resourceVersion=id%3A19397\"}\ned:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53da5747-8514-4ea5-9f3d-2905f9a61edb/relationships/field_specialty_item?resourceVersion=id%3A19397\"}\neb:{\"related\":\"$ec\",\"self\":\"$ed\"}\nea:{\"data\":null,\"links\":\"$eb\"}\ne3:{\"paragraph_type\":\"$e4\",\"field_specialty_item\":\"$ea\"}\nda:{\"type\":\"paragraph--page_section\",\"id\":\"53da5747-8514-4ea5-9f3d-2905f9a61edb\",\"links\":\"$db\",\"attributes\":\"$de\",\"relationships\":\"$e3\"}\nf0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c1fc448a-a41f-4061-9bc9-59b74374d79a?resourceVersion=id%3A19398\"}\nf1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c1fc448a-a41f-4061-9bc9-59b74374d79a?resourceVersion=rel%3Aworking-copy\"}\nef:{\"self\":\"$f0\",\"working-copy\":\"$f1\"}\nf3:[]\nf4:{\"value\":\"\u003ch2\u003eFrequently asked questions\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eWill SaaS currently in use (at CMS) continue to be approved for use without the need for review?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSaaS that has been previously approved with a CMS ATO or FedRAMP authorization is not required to be reviewed by the SaaSG group.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWould the SaaS product still have to be included in the FISMA system boundary?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYes, but we are looking at ways to move these approved SaaS requests under a sanctioned boundary in the future that will provide some of the customer control capabilities.\u003c/p\u003e\u003ch2\u003eContact the SaaS Team\u003c/h2\u003e\u003cp\u003eThe SaaSG Team can answer questions regarding any aspect of the SaaSG program, policies, "])</script><script>self.__next_f.push([1,"guidance, or processes. You can reach us by email at\u0026nbsp;\u003ca href=\\\"mailto:saasg@cms.hhs.gov\\\"\u003esaasg@cms.hhs.gov\u003c/a\u003e\u0026nbsp;or find our team on CMS Slack at\u0026nbsp;#ispg-saas-governance.\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2\u003eFrequently asked questions\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eWill SaaS currently in use (at CMS) continue to be approved for use without the need for review?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSaaS that has been previously approved with a CMS ATO or FedRAMP authorization is not required to be reviewed by the SaaSG group.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWould the SaaS product still have to be included in the FISMA system boundary?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYes, but we are looking at ways to move these approved SaaS requests under a sanctioned boundary in the future that will provide some of the customer control capabilities.\u003c/p\u003e\u003ch2\u003eContact the SaaS Team\u003c/h2\u003e\u003cp\u003eThe SaaSG Team can answer questions regarding any aspect of the SaaSG program, policies, guidance, or processes. You can reach us by email at\u0026nbsp;\u003ca href=\\\"mailto:saasg@cms.hhs.gov\\\"\u003esaasg@cms.hhs.gov\u003c/a\u003e\u0026nbsp;or find our team on CMS Slack at\u0026nbsp;#ispg-saas-governance.\u003c/p\u003e\"}\nf2:{\"drupal_internal__id\":1451,\"drupal_internal__revision_id\":19398,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T20:10:09+00:00\",\"parent_id\":\"736\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$f3\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$f4\"}\nf8:{\"drupal_internal__target_id\":\"page_section\"}\nf7:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$f8\"}\nfa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c1fc448a-a41f-4061-9bc9-59b74374d79a/paragraph_type?resourceVersion=id%3A19398\"}\nfb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c1fc448a-a41f-4061-9bc9-59b74374d79a/relationships/paragraph_type?resourceVersion=id%3A19398\"}\nf9:{\"related\":\"$fa\",\"self\":\"$fb\"}\nf6:{\"data\":\"$f7\",\"links\":\"$f9\"}\nfe:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c1fc448a-a41f"])</script><script>self.__next_f.push([1,"-4061-9bc9-59b74374d79a/field_specialty_item?resourceVersion=id%3A19398\"}\nff:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c1fc448a-a41f-4061-9bc9-59b74374d79a/relationships/field_specialty_item?resourceVersion=id%3A19398\"}\nfd:{\"related\":\"$fe\",\"self\":\"$ff\"}\nfc:{\"data\":null,\"links\":\"$fd\"}\nf5:{\"paragraph_type\":\"$f6\",\"field_specialty_item\":\"$fc\"}\nee:{\"type\":\"paragraph--page_section\",\"id\":\"c1fc448a-a41f-4061-9bc9-59b74374d79a\",\"links\":\"$ef\",\"attributes\":\"$f2\",\"relationships\":\"$f5\"}\n102:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/0e95620e-c7a4-4e21-b505-91a2f013a45a?resourceVersion=id%3A19388\"}\n103:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/0e95620e-c7a4-4e21-b505-91a2f013a45a?resourceVersion=rel%3Aworking-copy\"}\n101:{\"self\":\"$102\",\"working-copy\":\"$103\"}\n105:[]\n104:{\"drupal_internal__id\":1441,\"drupal_internal__revision_id\":19388,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T20:06:50+00:00\",\"parent_id\":\"1446\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$105\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null}\n109:{\"drupal_internal__target_id\":\"process_list\"}\n108:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":\"$109\"}\n10b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/0e95620e-c7a4-4e21-b505-91a2f013a45a/paragraph_type?resourceVersion=id%3A19388\"}\n10c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/0e95620e-c7a4-4e21-b505-91a2f013a45a/relationships/paragraph_type?resourceVersion=id%3A19388\"}\n10a:{\"related\":\"$10b\",\"self\":\"$10c\"}\n107:{\"data\":\"$108\",\"links\":\"$10a\"}\n110:{\"target_revision_id\":19384,\"drupal_internal__target_id\":1421}\n10f:{\"type\":\"paragraph--process_list_item\",\"id\":\"9039953e-b7e7-46a6-a045-9d010fab764f\",\"meta\":\"$110\"}\n112:{\"target_revision_id\":19385,\"drupal_internal__target_id\":1426}\n111:{\"type\":\"paragraph--process_list_item\",\"id\":\"7d37fbfd-f4f1-4d3f-a0da-67ec181ef13b"])</script><script>self.__next_f.push([1,"\",\"meta\":\"$112\"}\n114:{\"target_revision_id\":19386,\"drupal_internal__target_id\":1431}\n113:{\"type\":\"paragraph--process_list_item\",\"id\":\"947c05a0-f2b4-4340-bae9-9b1bc412cca8\",\"meta\":\"$114\"}\n116:{\"target_revision_id\":19387,\"drupal_internal__target_id\":1436}\n115:{\"type\":\"paragraph--process_list_item\",\"id\":\"b7233d36-c647-457c-a731-7dc12fef983b\",\"meta\":\"$116\"}\n10e:[\"$10f\",\"$111\",\"$113\",\"$115\"]\n118:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/0e95620e-c7a4-4e21-b505-91a2f013a45a/field_process_list_item?resourceVersion=id%3A19388\"}\n119:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/0e95620e-c7a4-4e21-b505-91a2f013a45a/relationships/field_process_list_item?resourceVersion=id%3A19388\"}\n117:{\"related\":\"$118\",\"self\":\"$119\"}\n10d:{\"data\":\"$10e\",\"links\":\"$117\"}\n106:{\"paragraph_type\":\"$107\",\"field_process_list_item\":\"$10d\"}\n100:{\"type\":\"paragraph--process_list\",\"id\":\"0e95620e-c7a4-4e21-b505-91a2f013a45a\",\"links\":\"$101\",\"attributes\":\"$104\",\"relationships\":\"$106\"}\n11c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34?resourceVersion=id%3A19395\"}\n11d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34?resourceVersion=rel%3Aworking-copy\"}\n11b:{\"self\":\"$11c\",\"working-copy\":\"$11d\"}\n11f:[]\n120:{\"value\":\"\u003cp\u003eThe RCR process incorporates some \u003ca href=\\\"https://security.cms.gov/learn/supply-chain-risk-management-scrm\\\"\u003eCMS SCRM\u003c/a\u003e functionality to help identify concerns about Foreign Ownership Control and Influence (FOCI).\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe RCR process incorporates some \u003ca href=\\\"https://security.cms.gov/learn/supply-chain-risk-management-scrm\\\"\u003eCMS SCRM\u003c/a\u003e functionality to help identify concerns about Foreign Ownership Control and Influence (FOCI).\u003c/p\u003e\"}\n11e:{\"drupal_internal__id\":3527,\"drupal_internal__revision_id\":19395,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:06:37+00:00\",\"parent_id\":\"3528\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_spec"])</script><script>self.__next_f.push([1,"ialty_item\",\"behavior_settings\":\"$11f\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":\"$120\"}\n124:{\"drupal_internal__target_id\":\"process_list\"}\n123:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":\"$124\"}\n126:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34/paragraph_type?resourceVersion=id%3A19395\"}\n127:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34/relationships/paragraph_type?resourceVersion=id%3A19395\"}\n125:{\"related\":\"$126\",\"self\":\"$127\"}\n122:{\"data\":\"$123\",\"links\":\"$125\"}\n12b:{\"target_revision_id\":19390,\"drupal_internal__target_id\":3522}\n12a:{\"type\":\"paragraph--process_list_item\",\"id\":\"4373fc65-fb5b-4d76-ae39-82fdbcea9634\",\"meta\":\"$12b\"}\n12d:{\"target_revision_id\":19391,\"drupal_internal__target_id\":3523}\n12c:{\"type\":\"paragraph--process_list_item\",\"id\":\"f4b6e8cd-89ae-4577-a94c-78b4012275de\",\"meta\":\"$12d\"}\n12f:{\"target_revision_id\":19392,\"drupal_internal__target_id\":3524}\n12e:{\"type\":\"paragraph--process_list_item\",\"id\":\"e7fb8da9-4bdd-4e62-8628-366d7c37c950\",\"meta\":\"$12f\"}\n131:{\"target_revision_id\":19393,\"drupal_internal__target_id\":3525}\n130:{\"type\":\"paragraph--process_list_item\",\"id\":\"56abc1b3-50aa-47cc-8ed1-1d18d4974216\",\"meta\":\"$131\"}\n133:{\"target_revision_id\":19394,\"drupal_internal__target_id\":3526}\n132:{\"type\":\"paragraph--process_list_item\",\"id\":\"483da93f-2f21-46f2-912a-67261fa19261\",\"meta\":\"$133\"}\n129:[\"$12a\",\"$12c\",\"$12e\",\"$130\",\"$132\"]\n135:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34/field_process_list_item?resourceVersion=id%3A19395\"}\n136:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34/relationships/field_process_list_item?resourceVersion=id%3A19395\"}\n134:{\"related\":\"$135\",\"self\":\"$136\"}\n128:{\"data\":\"$129\",\"links\":\"$134\"}\n121:{\"paragraph_type\":\"$122\",\"field_process_list_item\":\"$128\"}\n11a:{\"typ"])</script><script>self.__next_f.push([1,"e\":\"paragraph--process_list\",\"id\":\"3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34\",\"links\":\"$11b\",\"attributes\":\"$11e\",\"relationships\":\"$121\"}\n139:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/9039953e-b7e7-46a6-a045-9d010fab764f?resourceVersion=id%3A19384\"}\n13a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/9039953e-b7e7-46a6-a045-9d010fab764f?resourceVersion=rel%3Aworking-copy\"}\n138:{\"self\":\"$139\",\"working-copy\":\"$13a\"}\n13c:[]\n13d:{\"value\":\"\u003cp\u003eUse the \u003ca href=\\\"https://cmsbox.box.com/s/f5u2ms4idxqza7ckbw1hs1a455omc2im\\\"\u003eCMS SaaS Buyer’s Guide\u003c/a\u003e (requires access to CMS Box) as a checklist to determine if the product will meet your business needs – and to make sure the provider is addressing important cybersecurity considerations.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eUse the \u003ca href=\\\"https://cmsbox.box.com/s/f5u2ms4idxqza7ckbw1hs1a455omc2im\\\"\u003eCMS SaaS Buyer’s Guide\u003c/a\u003e (requires access to CMS Box) as a checklist to determine if the product will meet your business needs – and to make sure the provider is addressing important cybersecurity considerations.\u003c/p\u003e\"}\n13b:{\"drupal_internal__id\":1421,\"drupal_internal__revision_id\":19384,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T20:06:50+00:00\",\"parent_id\":\"1441\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$13c\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$13d\",\"field_list_item_title\":\"Evaluate the product\"}\n141:{\"drupal_internal__target_id\":\"process_list_item\"}\n140:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$141\"}\n143:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/9039953e-b7e7-46a6-a045-9d010fab764f/paragraph_type?resourceVersion=id%3A19384\"}\n144:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/9039953e-b7e7-46a6-a045-9d010fab764f/relationships/paragraph_type?resourceVersion=id%3A19384\"}\n142:{\"related\":\"$143"])</script><script>self.__next_f.push([1,"\",\"self\":\"$144\"}\n13f:{\"data\":\"$140\",\"links\":\"$142\"}\n13e:{\"paragraph_type\":\"$13f\"}\n137:{\"type\":\"paragraph--process_list_item\",\"id\":\"9039953e-b7e7-46a6-a045-9d010fab764f\",\"links\":\"$138\",\"attributes\":\"$13b\",\"relationships\":\"$13e\"}\n147:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/7d37fbfd-f4f1-4d3f-a0da-67ec181ef13b?resourceVersion=id%3A19385\"}\n148:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/7d37fbfd-f4f1-4d3f-a0da-67ec181ef13b?resourceVersion=rel%3Aworking-copy\"}\n146:{\"self\":\"$147\",\"working-copy\":\"$148\"}\n14a:[]\n14b:{\"value\":\"\u003cp\u003eThe \u003ca href=\\\"https://tableau.bi.cms.gov/#/site/CEDE/views/SaaSGovernanceDashboards_16860786175160/SaaSinReview?:iid=1\\\"\u003eCMS SaaSG Dashboard\u003c/a\u003e is a list of SaaS products already approved (or going through the approval process) at CMS. Check to see if one of these will meet your needs. If you are unable to view the dashboard, please ensure you have the EUA job code: TABLEAU_DIR_VIEWER_PRD. For assistance logging into the Tableau SaaS Dashboard, click\u0026nbsp;\u003ca href=\\\"https://app.box.com/file/1262804094940\\\" target=\\\"_blank\\\"\u003eHERE\u003c/a\u003e\u0026nbsp;to review the login guide.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe \u003ca href=\\\"https://tableau.bi.cms.gov/#/site/CEDE/views/SaaSGovernanceDashboards_16860786175160/SaaSinReview?:iid=1\\\"\u003eCMS SaaSG Dashboard\u003c/a\u003e is a list of SaaS products already approved (or going through the approval process) at CMS. Check to see if one of these will meet your needs. If you are unable to view the dashboard, please ensure you have the EUA job code: TABLEAU_DIR_VIEWER_PRD. For assistance logging into the Tableau SaaS Dashboard, click\u0026nbsp;\u003ca href=\\\"https://app.box.com/file/1262804094940\\\" target=\\\"_blank\\\"\u003eHERE\u003c/a\u003e\u0026nbsp;to review the login guide.\u003c/p\u003e\"}\n149:{\"drupal_internal__id\":1426,\"drupal_internal__revision_id\":19385,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T20:07:01+00:00\",\"parent_id\":\"1441\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$14a\",\"default_"])</script><script>self.__next_f.push([1,"langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$14b\",\"field_list_item_title\":\"Check existing SaaS solutions\"}\n14f:{\"drupal_internal__target_id\":\"process_list_item\"}\n14e:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$14f\"}\n151:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/7d37fbfd-f4f1-4d3f-a0da-67ec181ef13b/paragraph_type?resourceVersion=id%3A19385\"}\n152:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/7d37fbfd-f4f1-4d3f-a0da-67ec181ef13b/relationships/paragraph_type?resourceVersion=id%3A19385\"}\n150:{\"related\":\"$151\",\"self\":\"$152\"}\n14d:{\"data\":\"$14e\",\"links\":\"$150\"}\n14c:{\"paragraph_type\":\"$14d\"}\n145:{\"type\":\"paragraph--process_list_item\",\"id\":\"7d37fbfd-f4f1-4d3f-a0da-67ec181ef13b\",\"links\":\"$146\",\"attributes\":\"$149\",\"relationships\":\"$14c\"}\n155:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/947c05a0-f2b4-4340-bae9-9b1bc412cca8?resourceVersion=id%3A19386\"}\n156:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/947c05a0-f2b4-4340-bae9-9b1bc412cca8?resourceVersion=rel%3Aworking-copy\"}\n154:{\"self\":\"$155\",\"working-copy\":\"$156\"}\n158:[]\n159:{\"value\":\"\u003cp\u003eIf you have determined that the SaaS product you’re considering is right for your needs and is not already being used at CMS, then you can submit the product to be reviewed by the SaaSG team to start a Rapid Cloud Review (RCR) assessment.\u0026nbsp; Complete the \u003ca href=\\\"https://coda.io/form/CMS-SaaS-Governance-Intake-Form_dddeq-6DEo6?FormSource=CyberGeek\\\"\u003eSaaS Request Intake Form\u003c/a\u003e (the Business Owner, ISSO, CRA, or designee can do this). Contact the SaaSG team via email (\u003ca href=\\\"mailto:saasg@cms.hhs.gov\\\"\u003esaasg@cms.hhs.gov\u003c/a\u003e) if you need help with the form.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eIf you have determined that the SaaS product you’re considering is right for your needs and is not already being used at CMS, then you can submit the product to be reviewed by the SaaSG team"])</script><script>self.__next_f.push([1," to start a Rapid Cloud Review (RCR) assessment.\u0026nbsp; Complete the \u003ca href=\\\"https://coda.io/form/CMS-SaaS-Governance-Intake-Form_dddeq-6DEo6?FormSource=CyberGeek\\\"\u003eSaaS Request Intake Form\u003c/a\u003e (the Business Owner, ISSO, CRA, or designee can do this). Contact the SaaSG team via email (\u003ca href=\\\"mailto:saasg@cms.hhs.gov\\\"\u003esaasg@cms.hhs.gov\u003c/a\u003e) if you need help with the form.\u003c/p\u003e\"}\n157:{\"drupal_internal__id\":1431,\"drupal_internal__revision_id\":19386,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T20:07:56+00:00\",\"parent_id\":\"1441\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$158\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$159\",\"field_list_item_title\":\"Submit a request for review\"}\n15d:{\"drupal_internal__target_id\":\"process_list_item\"}\n15c:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$15d\"}\n15f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/947c05a0-f2b4-4340-bae9-9b1bc412cca8/paragraph_type?resourceVersion=id%3A19386\"}\n160:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/947c05a0-f2b4-4340-bae9-9b1bc412cca8/relationships/paragraph_type?resourceVersion=id%3A19386\"}\n15e:{\"related\":\"$15f\",\"self\":\"$160\"}\n15b:{\"data\":\"$15c\",\"links\":\"$15e\"}\n15a:{\"paragraph_type\":\"$15b\"}\n153:{\"type\":\"paragraph--process_list_item\",\"id\":\"947c05a0-f2b4-4340-bae9-9b1bc412cca8\",\"links\":\"$154\",\"attributes\":\"$157\",\"relationships\":\"$15a\"}\n163:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b7233d36-c647-457c-a731-7dc12fef983b?resourceVersion=id%3A19387\"}\n164:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b7233d36-c647-457c-a731-7dc12fef983b?resourceVersion=rel%3Aworking-copy\"}\n162:{\"self\":\"$163\",\"working-copy\":\"$164\"}\n166:[]\n167:{\"value\":\"\u003cp\u003eAs the SaaSG team reviews your proposed SaaS product, we may ask for additional information. We may also need to schedule meetings with you or the SaaS provider. Ti"])</script><script>self.__next_f.push([1,"mely and clear responses to these requests will help move the process along and lead to a faster decision. Meanwhile, you can use the SaaSG Dashboard in Tableau to track the progress of your request.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eAs the SaaSG team reviews your proposed SaaS product, we may ask for additional information. We may also need to schedule meetings with you or the SaaS provider. Timely and clear responses to these requests will help move the process along and lead to a faster decision. Meanwhile, you can use the SaaSG Dashboard in Tableau to track the progress of your request.\u003c/p\u003e\"}\n165:{\"drupal_internal__id\":1436,\"drupal_internal__revision_id\":19387,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T20:09:23+00:00\",\"parent_id\":\"1441\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$166\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$167\",\"field_list_item_title\":\"Respond to follow-up questions\"}\n16b:{\"drupal_internal__target_id\":\"process_list_item\"}\n16a:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$16b\"}\n16d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b7233d36-c647-457c-a731-7dc12fef983b/paragraph_type?resourceVersion=id%3A19387\"}\n16e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b7233d36-c647-457c-a731-7dc12fef983b/relationships/paragraph_type?resourceVersion=id%3A19387\"}\n16c:{\"related\":\"$16d\",\"self\":\"$16e\"}\n169:{\"data\":\"$16a\",\"links\":\"$16c\"}\n168:{\"paragraph_type\":\"$169\"}\n161:{\"type\":\"paragraph--process_list_item\",\"id\":\"b7233d36-c647-457c-a731-7dc12fef983b\",\"links\":\"$162\",\"attributes\":\"$165\",\"relationships\":\"$168\"}\n171:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4373fc65-fb5b-4d76-ae39-82fdbcea9634?resourceVersion=id%3A19390\"}\n172:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4373fc65-fb5b-4d76-ae39-82fdbcea9634?resourceVersion=rel%3Aworking-c"])</script><script>self.__next_f.push([1,"opy\"}\n170:{\"self\":\"$171\",\"working-copy\":\"$172\"}\n174:[]\n175:{\"value\":\"\u003col\u003e\u003cli dir=\\\"ltr\\\"\u003eProvide SaaSG overview\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eDetermine use case\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eDiscuss RCR process and next steps\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eSend BO Intake form link from Coda\u003c/li\u003e\u003c/ol\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003col\u003e\u003cli dir=\\\"ltr\\\"\u003eProvide SaaSG overview\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eDetermine use case\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eDiscuss RCR process and next steps\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eSend BO Intake form link from Coda\u003c/li\u003e\u003c/ol\u003e\"}\n173:{\"drupal_internal__id\":3522,\"drupal_internal__revision_id\":19390,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:06:37+00:00\",\"parent_id\":\"3527\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$174\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$175\",\"field_list_item_title\":\"Kickoff and intake form\"}\n179:{\"drupal_internal__target_id\":\"process_list_item\"}\n178:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$179\"}\n17b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4373fc65-fb5b-4d76-ae39-82fdbcea9634/paragraph_type?resourceVersion=id%3A19390\"}\n17c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4373fc65-fb5b-4d76-ae39-82fdbcea9634/relationships/paragraph_type?resourceVersion=id%3A19390\"}\n17a:{\"related\":\"$17b\",\"self\":\"$17c\"}\n177:{\"data\":\"$178\",\"links\":\"$17a\"}\n176:{\"paragraph_type\":\"$177\"}\n16f:{\"type\":\"paragraph--process_list_item\",\"id\":\"4373fc65-fb5b-4d76-ae39-82fdbcea9634\",\"links\":\"$170\",\"attributes\":\"$173\",\"relationships\":\"$176\"}\n17f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f4b6e8cd-89ae-4577-a94c-78b4012275de?resourceVersion=id%3A19391\"}\n180:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f4b6e8cd-89ae-4577-a94c-78b4012275de?resourceVersion=rel%3Aworking-copy\"}\n17e:{\"self\":\"$17f\",\"working-copy\":\"$180\"}\n182:[]\n183:{\"value\":\"\u003cp\u003eSend request for information to the v"])</script><script>self.__next_f.push([1,"endor\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eSend request for information to the vendor\u003c/p\u003e\"}\n181:{\"drupal_internal__id\":3523,\"drupal_internal__revision_id\":19391,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:07:01+00:00\",\"parent_id\":\"3527\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$182\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$183\",\"field_list_item_title\":\"Request\"}\n187:{\"drupal_internal__target_id\":\"process_list_item\"}\n186:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$187\"}\n189:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f4b6e8cd-89ae-4577-a94c-78b4012275de/paragraph_type?resourceVersion=id%3A19391\"}\n18a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f4b6e8cd-89ae-4577-a94c-78b4012275de/relationships/paragraph_type?resourceVersion=id%3A19391\"}\n188:{\"related\":\"$189\",\"self\":\"$18a\"}\n185:{\"data\":\"$186\",\"links\":\"$188\"}\n184:{\"paragraph_type\":\"$185\"}\n17d:{\"type\":\"paragraph--process_list_item\",\"id\":\"f4b6e8cd-89ae-4577-a94c-78b4012275de\",\"links\":\"$17e\",\"attributes\":\"$181\",\"relationships\":\"$184\"}\n18d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e7fb8da9-4bdd-4e62-8628-366d7c37c950?resourceVersion=id%3A19392\"}\n18e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e7fb8da9-4bdd-4e62-8628-366d7c37c950?resourceVersion=rel%3Aworking-copy\"}\n18c:{\"self\":\"$18d\",\"working-copy\":\"$18e\"}\n190:[]\n191:{\"value\":\"\u003col\u003e\u003cli dir=\\\"ltr\\\"\u003ePerform Artifact review\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eRun perimeter scan\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eReach out to the vendor for follow-up questions (if needed)\u0026nbsp;\u003c/li\u003e\u003c/ol\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003col\u003e\u003cli dir=\\\"ltr\\\"\u003ePerform Artifact review\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eRun perimeter scan\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eReach out to the vendor for follow-up questions (if needed)\u0026nbsp;\u003c/li\u003e\u003c/ol\u003e\"}\n18f:{\"drupal_internal__id\":3524,\"drupal_internal__revision_id\":19392"])</script><script>self.__next_f.push([1,",\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:07:24+00:00\",\"parent_id\":\"3527\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$190\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$191\",\"field_list_item_title\":\"Review\"}\n195:{\"drupal_internal__target_id\":\"process_list_item\"}\n194:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$195\"}\n197:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e7fb8da9-4bdd-4e62-8628-366d7c37c950/paragraph_type?resourceVersion=id%3A19392\"}\n198:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e7fb8da9-4bdd-4e62-8628-366d7c37c950/relationships/paragraph_type?resourceVersion=id%3A19392\"}\n196:{\"related\":\"$197\",\"self\":\"$198\"}\n193:{\"data\":\"$194\",\"links\":\"$196\"}\n192:{\"paragraph_type\":\"$193\"}\n18b:{\"type\":\"paragraph--process_list_item\",\"id\":\"e7fb8da9-4bdd-4e62-8628-366d7c37c950\",\"links\":\"$18c\",\"attributes\":\"$18f\",\"relationships\":\"$192\"}\n19b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/56abc1b3-50aa-47cc-8ed1-1d18d4974216?resourceVersion=id%3A19393\"}\n19c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/56abc1b3-50aa-47cc-8ed1-1d18d4974216?resourceVersion=rel%3Aworking-copy\"}\n19a:{\"self\":\"$19b\",\"working-copy\":\"$19c\"}\n19e:[]\n19f:{\"value\":\"\u003col\u003e\u003cli dir=\\\"ltr\\\"\u003eDocument findings from artifact review\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eReview CMS \u003ca href=\\\"https://security.cms.gov/learn/supply-chain-risk-management-scrm\\\"\u003eSupply Chain Risk Management\u003c/a\u003e (SCRM) findings*\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eFinalize RCR report\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eSend final report to all stakeholders from SaaS Request\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eOut brief Meeting Scheduled (Provide an opportunity to discuss report findings and recommendations with BO)\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eIssue P-ATO (Provisional Authority to Operate) if approved by AO\u003c/li\u003e\u003c/ol\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003col\u003e\u003cli dir=\\\"ltr\\\"\u003eDocument findings from a"])</script><script>self.__next_f.push([1,"rtifact review\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eReview CMS \u003ca href=\\\"https://security.cms.gov/learn/supply-chain-risk-management-scrm\\\"\u003eSupply Chain Risk Management\u003c/a\u003e (SCRM) findings*\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eFinalize RCR report\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eSend final report to all stakeholders from SaaS Request\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eOut brief Meeting Scheduled (Provide an opportunity to discuss report findings and recommendations with BO)\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eIssue P-ATO (Provisional Authority to Operate) if approved by AO\u003c/li\u003e\u003c/ol\u003e\"}\n19d:{\"drupal_internal__id\":3525,\"drupal_internal__revision_id\":19393,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:07:42+00:00\",\"parent_id\":\"3527\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$19e\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$19f\",\"field_list_item_title\":\"Outcome: Approval or Denial\"}\n1a3:{\"drupal_internal__target_id\":\"process_list_item\"}\n1a2:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$1a3\"}\n1a5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/56abc1b3-50aa-47cc-8ed1-1d18d4974216/paragraph_type?resourceVersion=id%3A19393\"}\n1a6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/56abc1b3-50aa-47cc-8ed1-1d18d4974216/relationships/paragraph_type?resourceVersion=id%3A19393\"}\n1a4:{\"related\":\"$1a5\",\"self\":\"$1a6\"}\n1a1:{\"data\":\"$1a2\",\"links\":\"$1a4\"}\n1a0:{\"paragraph_type\":\"$1a1\"}\n199:{\"type\":\"paragraph--process_list_item\",\"id\":\"56abc1b3-50aa-47cc-8ed1-1d18d4974216\",\"links\":\"$19a\",\"attributes\":\"$19d\",\"relationships\":\"$1a0\"}\n1a9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/483da93f-2f21-46f2-912a-67261fa19261?resourceVersion=id%3A19394\"}\n1aa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/483da93f-2f21-46f2-912a-67261fa19261?resourceVersion=rel%3Aworking-copy\"}\n1a8:{\"self\":\"$1a9\",\"working-copy\":\"$1aa\"}\n1ac:[]\n1ad:{\"value\":\"\u003cp\u003eCheck in with BO on current SaaS st"])</script><script>self.__next_f.push([1,"atus after 90 days.\u003c/p\u003e\u003cul\u003e\u003cli dir=\\\"ltr\\\"\u003eConMon (\u003ca href=\\\"https://security.cms.gov/policy-guidance/cms-cyber-risk-management-plan-crmp#continuous-monitoring\\\"\u003eContinuous Monitoring\u003c/a\u003e)\u003cul\u003e\u003cli dir=\\\"ltr\\\"\u003eISM/SSO Integration\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eOnboarded into SSPM\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eThird-Party Risk Management Integration\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003ca href=\\\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\\\"\u003eCMS Cybersecurity Integration Center\u003c/a\u003e (CCIC) Integration\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003ca href=\\\"https://security.cms.gov/learn/cms-security-data-lake-sdl\\\"\u003eCMS Security Data Lake\u003c/a\u003e (SDL) Integration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eOffboard process for unused SaaS\u003c/li\u003e\u003c/ul\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eCheck in with BO on current SaaS status after 90 days.\u003c/p\u003e\u003cul\u003e\u003cli dir=\\\"ltr\\\"\u003eConMon (\u003ca href=\\\"https://security.cms.gov/policy-guidance/cms-cyber-risk-management-plan-crmp#continuous-monitoring\\\"\u003eContinuous Monitoring\u003c/a\u003e)\u003cul\u003e\u003cli dir=\\\"ltr\\\"\u003eISM/SSO Integration\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eOnboarded into SSPM\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eThird-Party Risk Management Integration\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003ca href=\\\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\\\"\u003eCMS Cybersecurity Integration Center\u003c/a\u003e (CCIC) Integration\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003ca href=\\\"https://security.cms.gov/learn/cms-security-data-lake-sdl\\\"\u003eCMS Security Data Lake\u003c/a\u003e (SDL) Integration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eOffboard process for unused SaaS\u003c/li\u003e\u003c/ul\u003e\"}\n1ab:{\"drupal_internal__id\":3526,\"drupal_internal__revision_id\":19394,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:08:06+00:00\",\"parent_id\":\"3527\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$1ac\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$1ad\",\"field_list_item_title\":\"ConMon or Offboarding\"}\n1b1:{\"drupal_internal__target_id\":\"process_list_item\"}\n1b0:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$1b1\"}\n1b"])</script><script>self.__next_f.push([1,"3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/483da93f-2f21-46f2-912a-67261fa19261/paragraph_type?resourceVersion=id%3A19394\"}\n1b4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/483da93f-2f21-46f2-912a-67261fa19261/relationships/paragraph_type?resourceVersion=id%3A19394\"}\n1b2:{\"related\":\"$1b3\",\"self\":\"$1b4\"}\n1af:{\"data\":\"$1b0\",\"links\":\"$1b2\"}\n1ae:{\"paragraph_type\":\"$1af\"}\n1a7:{\"type\":\"paragraph--process_list_item\",\"id\":\"483da93f-2f21-46f2-912a-67261fa19261\",\"links\":\"$1a8\",\"attributes\":\"$1ab\",\"relationships\":\"$1ae\"}\n1b7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e0d07bf6-c606-4a38-ba34-9521f9e77733?resourceVersion=id%3A19399\"}\n1b8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e0d07bf6-c606-4a38-ba34-9521f9e77733?resourceVersion=rel%3Aworking-copy\"}\n1b6:{\"self\":\"$1b7\",\"working-copy\":\"$1b8\"}\n1ba:[]\n1b9:{\"drupal_internal__id\":1671,\"drupal_internal__revision_id\":19399,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-14T16:33:27+00:00\",\"parent_id\":\"736\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1ba\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1be:{\"drupal_internal__target_id\":\"internal_link\"}\n1bd:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1be\"}\n1c0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e0d07bf6-c606-4a38-ba34-9521f9e77733/paragraph_type?resourceVersion=id%3A19399\"}\n1c1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e0d07bf6-c606-4a38-ba34-9521f9e77733/relationships/paragraph_type?resourceVersion=id%3A19399\"}\n1bf:{\"related\":\"$1c0\",\"self\":\"$1c1\"}\n1bc:{\"data\":\"$1bd\",\"links\":\"$1bf\"}\n1c4:{\"drupal_internal__target_id\":246}\n1c3:{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"meta\":\"$1c4\"}\n1c6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e0d07bf6-c606-4a38-ba34-9521f9e77733/field_link?resourceVersion=id%3A19399\"}\n1c7:{\"href"])</script><script>self.__next_f.push([1,"\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e0d07bf6-c606-4a38-ba34-9521f9e77733/relationships/field_link?resourceVersion=id%3A19399\"}\n1c5:{\"related\":\"$1c6\",\"self\":\"$1c7\"}\n1c2:{\"data\":\"$1c3\",\"links\":\"$1c5\"}\n1bb:{\"paragraph_type\":\"$1bc\",\"field_link\":\"$1c2\"}\n1b5:{\"type\":\"paragraph--internal_link\",\"id\":\"e0d07bf6-c606-4a38-ba34-9521f9e77733\",\"links\":\"$1b6\",\"attributes\":\"$1b9\",\"relationships\":\"$1bb\"}\n1ca:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/be5c8dd0-860f-4570-bf13-358733b392ca?resourceVersion=id%3A19400\"}\n1cb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/be5c8dd0-860f-4570-bf13-358733b392ca?resourceVersion=rel%3Aworking-copy\"}\n1c9:{\"self\":\"$1ca\",\"working-copy\":\"$1cb\"}\n1cd:[]\n1cc:{\"drupal_internal__id\":1676,\"drupal_internal__revision_id\":19400,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-14T16:33:34+00:00\",\"parent_id\":\"736\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1cd\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1d1:{\"drupal_internal__target_id\":\"internal_link\"}\n1d0:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1d1\"}\n1d3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/be5c8dd0-860f-4570-bf13-358733b392ca/paragraph_type?resourceVersion=id%3A19400\"}\n1d4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/be5c8dd0-860f-4570-bf13-358733b392ca/relationships/paragraph_type?resourceVersion=id%3A19400\"}\n1d2:{\"related\":\"$1d3\",\"self\":\"$1d4\"}\n1cf:{\"data\":\"$1d0\",\"links\":\"$1d2\"}\n1d7:{\"drupal_internal__target_id\":326}\n1d6:{\"type\":\"node--explainer\",\"id\":\"a279358b-5b24-49bc-a98e-11681bd7e65c\",\"meta\":\"$1d7\"}\n1d9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/be5c8dd0-860f-4570-bf13-358733b392ca/field_link?resourceVersion=id%3A19400\"}\n1da:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/be5c8dd0-860f-4570-bf13-358733b392ca/relationships/field_link?resourceVersion=id%3A19400\"}\n1d8:"])</script><script>self.__next_f.push([1,"{\"related\":\"$1d9\",\"self\":\"$1da\"}\n1d5:{\"data\":\"$1d6\",\"links\":\"$1d8\"}\n1ce:{\"paragraph_type\":\"$1cf\",\"field_link\":\"$1d5\"}\n1c8:{\"type\":\"paragraph--internal_link\",\"id\":\"be5c8dd0-860f-4570-bf13-358733b392ca\",\"links\":\"$1c9\",\"attributes\":\"$1cc\",\"relationships\":\"$1ce\"}\n1dd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/10abb234-5289-40da-9df3-f4e6e9c06a80?resourceVersion=id%3A19401\"}\n1de:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/10abb234-5289-40da-9df3-f4e6e9c06a80?resourceVersion=rel%3Aworking-copy\"}\n1dc:{\"self\":\"$1dd\",\"working-copy\":\"$1de\"}\n1e0:[]\n1df:{\"drupal_internal__id\":1681,\"drupal_internal__revision_id\":19401,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-14T16:34:14+00:00\",\"parent_id\":\"736\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1e0\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1e4:{\"drupal_internal__target_id\":\"internal_link\"}\n1e3:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1e4\"}\n1e6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/10abb234-5289-40da-9df3-f4e6e9c06a80/paragraph_type?resourceVersion=id%3A19401\"}\n1e7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/10abb234-5289-40da-9df3-f4e6e9c06a80/relationships/paragraph_type?resourceVersion=id%3A19401\"}\n1e5:{\"related\":\"$1e6\",\"self\":\"$1e7\"}\n1e2:{\"data\":\"$1e3\",\"links\":\"$1e5\"}\n1ea:{\"drupal_internal__target_id\":671}\n1e9:{\"type\":\"node--explainer\",\"id\":\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\",\"meta\":\"$1ea\"}\n1ec:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/10abb234-5289-40da-9df3-f4e6e9c06a80/field_link?resourceVersion=id%3A19401\"}\n1ed:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/10abb234-5289-40da-9df3-f4e6e9c06a80/relationships/field_link?resourceVersion=id%3A19401\"}\n1eb:{\"related\":\"$1ec\",\"self\":\"$1ed\"}\n1e8:{\"data\":\"$1e9\",\"links\":\"$1eb\"}\n1e1:{\"paragraph_type\":\"$1e2\",\"field_link\":\"$1e8\"}\n1db:{\"type\":\"paragraph--internal_link\""])</script><script>self.__next_f.push([1,",\"id\":\"10abb234-5289-40da-9df3-f4e6e9c06a80\",\"links\":\"$1dc\",\"attributes\":\"$1df\",\"relationships\":\"$1e1\"}\n1f0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58?resourceVersion=id%3A5668\"}\n1ef:{\"self\":\"$1f0\"}\n1f2:{\"alias\":\"/learn/cms-cloud-services\",\"pid\":236,\"langcode\":\"en\"}\n1f3:{\"value\":\"Platform-As-A-Service with tools, security, and support services designed specifically for CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003ePlatform-As-A-Service with tools, security, and support services designed specifically for CMS\u003c/p\u003e\\n\"}\n1f4:[\"#cms-cloud-security-forum\"]\n1f1:{\"drupal_internal__nid\":246,\"drupal_internal__vid\":5668,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-12T15:23:53+00:00\",\"status\":true,\"title\":\"CMS Cloud Services\",\"created\":\"2022-08-26T14:47:12+00:00\",\"changed\":\"2024-07-12T15:23:53+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1f2\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cloudsupport@cms.hhs.gov\",\"field_contact_name\":\"CMS Cloud Support\",\"field_short_description\":\"$1f3\",\"field_slack_channel\":\"$1f4\"}\n1f8:{\"drupal_internal__target_id\":\"explainer\"}\n1f7:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$1f8\"}\n1fa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/node_type?resourceVersion=id%3A5668\"}\n1fb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/node_type?resourceVersion=id%3A5668\"}\n1f9:{\"related\":\"$1fa\",\"self\":\"$1fb\"}\n1f6:{\"data\":\"$1f7\",\"links\":\"$1f9\"}\n1fe:{\"drupal_internal__target_id\":6}\n1fd:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$1fe\"}\n200:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/revision_uid?resourceVersion=id%3A5668\"}"])</script><script>self.__next_f.push([1,"\n201:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/revision_uid?resourceVersion=id%3A5668\"}\n1ff:{\"related\":\"$200\",\"self\":\"$201\"}\n1fc:{\"data\":\"$1fd\",\"links\":\"$1ff\"}\n204:{\"drupal_internal__target_id\":26}\n203:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$204\"}\n206:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/uid?resourceVersion=id%3A5668\"}\n207:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/uid?resourceVersion=id%3A5668\"}\n205:{\"related\":\"$206\",\"self\":\"$207\"}\n202:{\"data\":\"$203\",\"links\":\"$205\"}\n20b:{\"target_revision_id\":18519,\"drupal_internal__target_id\":1371}\n20a:{\"type\":\"paragraph--page_section\",\"id\":\"15f8e7ab-00f6-4c17-b433-659267271131\",\"meta\":\"$20b\"}\n209:[\"$20a\"]\n20d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_page_section?resourceVersion=id%3A5668\"}\n20e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_page_section?resourceVersion=id%3A5668\"}\n20c:{\"related\":\"$20d\",\"self\":\"$20e\"}\n208:{\"data\":\"$209\",\"links\":\"$20c\"}\n212:{\"target_revision_id\":18520,\"drupal_internal__target_id\":1376}\n211:{\"type\":\"paragraph--internal_link\",\"id\":\"b48e2348-59b0-42a6-9f44-62af8a94ddf1\",\"meta\":\"$212\"}\n214:{\"target_revision_id\":18521,\"drupal_internal__target_id\":1381}\n213:{\"type\":\"paragraph--internal_link\",\"id\":\"17ea04ed-0987-43ea-b494-7c051ddfcd28\",\"meta\":\"$214\"}\n216:{\"target_revision_id\":18522,\"drupal_internal__target_id\":1391}\n215:{\"type\":\"paragraph--internal_link\",\"id\":\"ae49a5b4-3922-4f8d-bbe5-624b243b4637\",\"meta\":\"$216\"}\n218:{\"target_revision_id\":18523,\"drupal_internal__target_id\":1396}\n217:{\"type\":\"paragraph--internal_link\",\"id\":\"3ebbf63a-35a8-4c15-8002-2b41f7ef528a\",\"meta\":\"$218\"}\n210:[\"$211\",\"$213\",\"$215\",\"$217\"]\n21a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/fie"])</script><script>self.__next_f.push([1,"ld_related_collection?resourceVersion=id%3A5668\"}\n21b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_related_collection?resourceVersion=id%3A5668\"}\n219:{\"related\":\"$21a\",\"self\":\"$21b\"}\n20f:{\"data\":\"$210\",\"links\":\"$219\"}\n21e:{\"drupal_internal__target_id\":121}\n21d:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$21e\"}\n220:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_resource_type?resourceVersion=id%3A5668\"}\n221:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_resource_type?resourceVersion=id%3A5668\"}\n21f:{\"related\":\"$220\",\"self\":\"$221\"}\n21c:{\"data\":\"$21d\",\"links\":\"$21f\"}\n225:{\"drupal_internal__target_id\":76}\n224:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$225\"}\n227:{\"drupal_internal__target_id\":71}\n226:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$227\"}\n223:[\"$224\",\"$226\"]\n229:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_roles?resourceVersion=id%3A5668\"}\n22a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_roles?resourceVersion=id%3A5668\"}\n228:{\"related\":\"$229\",\"self\":\"$22a\"}\n222:{\"data\":\"$223\",\"links\":\"$228\"}\n22e:{\"drupal_internal__target_id\":41}\n22d:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":\"$22e\"}\n230:{\"drupal_internal__target_id\":11}\n22f:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$230\"}\n22c:[\"$22d\",\"$22f\"]\n232:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_topics?resourceVersion=id%3A5668\"}\n233:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_topics?resourceVersion=id%3A5668\"}\n231:{\"relat"])</script><script>self.__next_f.push([1,"ed\":\"$232\",\"self\":\"$233\"}\n22b:{\"data\":\"$22c\",\"links\":\"$231\"}\n1f5:{\"node_type\":\"$1f6\",\"revision_uid\":\"$1fc\",\"uid\":\"$202\",\"field_page_section\":\"$208\",\"field_related_collection\":\"$20f\",\"field_resource_type\":\"$21c\",\"field_roles\":\"$222\",\"field_topics\":\"$22b\"}\n1ee:{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"links\":\"$1ef\",\"attributes\":\"$1f1\",\"relationships\":\"$1f5\"}\n236:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c?resourceVersion=id%3A5942\"}\n235:{\"self\":\"$236\"}\n238:{\"alias\":\"/learn/fedramp\",\"pid\":316,\"langcode\":\"en\"}\n239:{\"value\":\"Provides a federally-recognized and standardized security framework for all cloud products and services\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProvides a federally-recognized and standardized security framework for all cloud products and services\u003c/p\u003e\\n\"}\n23a:[\"#fedramp\"]\n237:{\"drupal_internal__nid\":326,\"drupal_internal__vid\":5942,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-17T14:55:23+00:00\",\"status\":true,\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"created\":\"2022-08-29T15:22:00+00:00\",\"changed\":\"2024-10-17T14:55:23+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$238\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"FedRAMP@cms.hhs.gov\",\"field_contact_name\":\"CMS FedRAMP PMO\",\"field_short_description\":\"$239\",\"field_slack_channel\":\"$23a\"}\n23e:{\"drupal_internal__target_id\":\"explainer\"}\n23d:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$23e\"}\n240:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/node_type?resourceVersion=id%3A5942\"}\n241:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/node_type?resourceVersion=id%3A5942\"}\n23f:{\"related\":\"$240\",\"s"])</script><script>self.__next_f.push([1,"elf\":\"$241\"}\n23c:{\"data\":\"$23d\",\"links\":\"$23f\"}\n244:{\"drupal_internal__target_id\":114}\n243:{\"type\":\"user--user\",\"id\":\"d3421e1d-1fda-4bd0-83ab-e404455b0e66\",\"meta\":\"$244\"}\n246:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/revision_uid?resourceVersion=id%3A5942\"}\n247:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/revision_uid?resourceVersion=id%3A5942\"}\n245:{\"related\":\"$246\",\"self\":\"$247\"}\n242:{\"data\":\"$243\",\"links\":\"$245\"}\n24a:{\"drupal_internal__target_id\":26}\n249:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$24a\"}\n24c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/uid?resourceVersion=id%3A5942\"}\n24d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/uid?resourceVersion=id%3A5942\"}\n24b:{\"related\":\"$24c\",\"self\":\"$24d\"}\n248:{\"data\":\"$249\",\"links\":\"$24b\"}\n251:{\"target_revision_id\":19451,\"drupal_internal__target_id\":1171}\n250:{\"type\":\"paragraph--page_section\",\"id\":\"2ce39e48-81e4-4bea-a0ff-04f25ddd0041\",\"meta\":\"$251\"}\n253:{\"target_revision_id\":19452,\"drupal_internal__target_id\":1211}\n252:{\"type\":\"paragraph--page_section\",\"id\":\"77ea2e89-2433-4815-b869-52b2d900029e\",\"meta\":\"$253\"}\n255:{\"target_revision_id\":19462,\"drupal_internal__target_id\":3431}\n254:{\"type\":\"paragraph--page_section\",\"id\":\"deedf0fe-44e9-4015-90a1-f86ce6cbaf24\",\"meta\":\"$255\"}\n257:{\"target_revision_id\":19472,\"drupal_internal__target_id\":1261}\n256:{\"type\":\"paragraph--page_section\",\"id\":\"2b2216d8-24c3-4940-930f-6e79f68a279a\",\"meta\":\"$257\"}\n259:{\"target_revision_id\":19474,\"drupal_internal__target_id\":1266}\n258:{\"type\":\"paragraph--page_section\",\"id\":\"cbda5c42-489d-4480-85f5-db10db44de3e\",\"meta\":\"$259\"}\n25b:{\"target_revision_id\":19475,\"drupal_internal__target_id\":3433}\n25a:{\"type\":\"paragraph--page_section\",\"id\":\"37970dd4-a515-4370-a09f-f5177c2f98c2\",\"meta\":\"$25b\"}\n25d:{\"target_revision_id\":19476,\"drupal_internal__target_"])</script><script>self.__next_f.push([1,"id\":3434}\n25c:{\"type\":\"paragraph--page_section\",\"id\":\"434b1960-73e8-43fa-9b9e-253ce35fa55a\",\"meta\":\"$25d\"}\n24f:[\"$250\",\"$252\",\"$254\",\"$256\",\"$258\",\"$25a\",\"$25c\"]\n25f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_page_section?resourceVersion=id%3A5942\"}\n260:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_page_section?resourceVersion=id%3A5942\"}\n25e:{\"related\":\"$25f\",\"self\":\"$260\"}\n24e:{\"data\":\"$24f\",\"links\":\"$25e\"}\n264:{\"target_revision_id\":19477,\"drupal_internal__target_id\":1956}\n263:{\"type\":\"paragraph--internal_link\",\"id\":\"7a5f06f0-e0ba-4ed2-aade-79b2233ec125\",\"meta\":\"$264\"}\n266:{\"target_revision_id\":19478,\"drupal_internal__target_id\":1961}\n265:{\"type\":\"paragraph--internal_link\",\"id\":\"61509c21-9c9e-48d0-8110-b98574cee727\",\"meta\":\"$266\"}\n268:{\"target_revision_id\":19479,\"drupal_internal__target_id\":1966}\n267:{\"type\":\"paragraph--internal_link\",\"id\":\"c2480fc7-b7c3-49d4-8643-cd42bcd3b56b\",\"meta\":\"$268\"}\n26a:{\"target_revision_id\":19480,\"drupal_internal__target_id\":3435}\n269:{\"type\":\"paragraph--internal_link\",\"id\":\"63dffb2c-c587-4991-8523-142b2378a5aa\",\"meta\":\"$26a\"}\n262:[\"$263\",\"$265\",\"$267\",\"$269\"]\n26c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_related_collection?resourceVersion=id%3A5942\"}\n26d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_related_collection?resourceVersion=id%3A5942\"}\n26b:{\"related\":\"$26c\",\"self\":\"$26d\"}\n261:{\"data\":\"$262\",\"links\":\"$26b\"}\n270:{\"drupal_internal__target_id\":131}\n26f:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$270\"}\n272:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_resource_type?resourceVersion=id%3A5942\"}\n273:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_resource_type?res"])</script><script>self.__next_f.push([1,"ourceVersion=id%3A5942\"}\n271:{\"related\":\"$272\",\"self\":\"$273\"}\n26e:{\"data\":\"$26f\",\"links\":\"$271\"}\n277:{\"drupal_internal__target_id\":66}\n276:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$277\"}\n279:{\"drupal_internal__target_id\":61}\n278:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$279\"}\n27b:{\"drupal_internal__target_id\":76}\n27a:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$27b\"}\n275:[\"$276\",\"$278\",\"$27a\"]\n27d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_roles?resourceVersion=id%3A5942\"}\n27e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_roles?resourceVersion=id%3A5942\"}\n27c:{\"related\":\"$27d\",\"self\":\"$27e\"}\n274:{\"data\":\"$275\",\"links\":\"$27c\"}\n282:{\"drupal_internal__target_id\":21}\n281:{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":\"$282\"}\n280:[\"$281\"]\n284:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_topics?resourceVersion=id%3A5942\"}\n285:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_topics?resourceVersion=id%3A5942\"}\n283:{\"related\":\"$284\",\"self\":\"$285\"}\n27f:{\"data\":\"$280\",\"links\":\"$283\"}\n23b:{\"node_type\":\"$23c\",\"revision_uid\":\"$242\",\"uid\":\"$248\",\"field_page_section\":\"$24e\",\"field_related_collection\":\"$261\",\"field_resource_type\":\"$26e\",\"field_roles\":\"$274\",\"field_topics\":\"$27f\"}\n234:{\"type\":\"node--explainer\",\"id\":\"a279358b-5b24-49bc-a98e-11681bd7e65c\",\"links\":\"$235\",\"attributes\":\"$237\",\"relationships\":\"$23b\"}\n288:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf?resourceVersion=id%3A6076\"}\n287:{\"self\":\"$288\"}\n28a:{\"alias\":\"/learn/zero-trust\",\"pid\":661,\"langcode\":\"en\"}\n28b:{\"value\":\"Security paradigm that requires the continuous verification of system users to promote system security\","])</script><script>self.__next_f.push([1,"\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSecurity paradigm that requires the continuous verification of system users to promote system security\u003c/p\u003e\\n\"}\n28c:[\"#cms-zero-trust\"]\n289:{\"drupal_internal__nid\":671,\"drupal_internal__vid\":6076,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-15T16:28:16+00:00\",\"status\":true,\"title\":\"Zero Trust \",\"created\":\"2023-02-02T19:12:26+00:00\",\"changed\":\"2025-01-15T16:28:16+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$28a\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ISPGZeroTrust@cms.hhs.gov\",\"field_contact_name\":\"Zero Trust Team\",\"field_short_description\":\"$28b\",\"field_slack_channel\":\"$28c\"}\n290:{\"drupal_internal__target_id\":\"explainer\"}\n28f:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$290\"}\n292:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/node_type?resourceVersion=id%3A6076\"}\n293:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/node_type?resourceVersion=id%3A6076\"}\n291:{\"related\":\"$292\",\"self\":\"$293\"}\n28e:{\"data\":\"$28f\",\"links\":\"$291\"}\n296:{\"drupal_internal__target_id\":138}\n295:{\"type\":\"user--user\",\"id\":\"bebd6b4a-b250-4060-a68d-15e540df32b8\",\"meta\":\"$296\"}\n298:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/revision_uid?resourceVersion=id%3A6076\"}\n299:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/revision_uid?resourceVersion=id%3A6076\"}\n297:{\"related\":\"$298\",\"self\":\"$299\"}\n294:{\"data\":\"$295\",\"links\":\"$297\"}\n29c:{\"drupal_internal__target_id\":26}\n29b:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$29c\"}\n29e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3"])</script><script>self.__next_f.push([1,"ab2faf97cf/uid?resourceVersion=id%3A6076\"}\n29f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/uid?resourceVersion=id%3A6076\"}\n29d:{\"related\":\"$29e\",\"self\":\"$29f\"}\n29a:{\"data\":\"$29b\",\"links\":\"$29d\"}\n2a3:{\"target_revision_id\":19936,\"drupal_internal__target_id\":536}\n2a2:{\"type\":\"paragraph--page_section\",\"id\":\"9271f09e-6087-42ce-9b2a-2ddf6888888d\",\"meta\":\"$2a3\"}\n2a1:[\"$2a2\"]\n2a5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_page_section?resourceVersion=id%3A6076\"}\n2a6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_page_section?resourceVersion=id%3A6076\"}\n2a4:{\"related\":\"$2a5\",\"self\":\"$2a6\"}\n2a0:{\"data\":\"$2a1\",\"links\":\"$2a4\"}\n2aa:{\"target_revision_id\":19941,\"drupal_internal__target_id\":3398}\n2a9:{\"type\":\"paragraph--internal_link\",\"id\":\"c6911d3e-5198-4b35-ac2a-13d123aedee1\",\"meta\":\"$2aa\"}\n2ac:{\"target_revision_id\":19946,\"drupal_internal__target_id\":1616}\n2ab:{\"type\":\"paragraph--internal_link\",\"id\":\"2bcabaa5-d621-42c9-bdc8-e0b80b3869d3\",\"meta\":\"$2ac\"}\n2ae:{\"target_revision_id\":19951,\"drupal_internal__target_id\":3499}\n2ad:{\"type\":\"paragraph--internal_link\",\"id\":\"670741af-bf41-4d99-a21c-a24dc57f4424\",\"meta\":\"$2ae\"}\n2b0:{\"target_revision_id\":19956,\"drupal_internal__target_id\":1611}\n2af:{\"type\":\"paragraph--internal_link\",\"id\":\"f7a739a6-3d16-4633-bfad-fd8f469ffb64\",\"meta\":\"$2b0\"}\n2b2:{\"target_revision_id\":19961,\"drupal_internal__target_id\":1621}\n2b1:{\"type\":\"paragraph--internal_link\",\"id\":\"80d01d00-9ecf-4254-8e6e-a9242e8289f1\",\"meta\":\"$2b2\"}\n2b4:{\"target_revision_id\":19966,\"drupal_internal__target_id\":1626}\n2b3:{\"type\":\"paragraph--internal_link\",\"id\":\"d576257b-f5ba-4ad4-a81b-7628a82e8dce\",\"meta\":\"$2b4\"}\n2a8:[\"$2a9\",\"$2ab\",\"$2ad\",\"$2af\",\"$2b1\",\"$2b3\"]\n2b6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_related_collection?resourceVersion=id%3A6076\"}\n2b7:{\"href\":\"https://cybergeek.cms.gov/jsona"])</script><script>self.__next_f.push([1,"pi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_related_collection?resourceVersion=id%3A6076\"}\n2b5:{\"related\":\"$2b6\",\"self\":\"$2b7\"}\n2a7:{\"data\":\"$2a8\",\"links\":\"$2b5\"}\n2ba:{\"drupal_internal__target_id\":131}\n2b9:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$2ba\"}\n2bc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_resource_type?resourceVersion=id%3A6076\"}\n2bd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_resource_type?resourceVersion=id%3A6076\"}\n2bb:{\"related\":\"$2bc\",\"self\":\"$2bd\"}\n2b8:{\"data\":\"$2b9\",\"links\":\"$2bb\"}\n2c1:{\"drupal_internal__target_id\":66}\n2c0:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$2c1\"}\n2c3:{\"drupal_internal__target_id\":61}\n2c2:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$2c3\"}\n2c5:{\"drupal_internal__target_id\":76}\n2c4:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$2c5\"}\n2bf:[\"$2c0\",\"$2c2\",\"$2c4\"]\n2c7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_roles?resourceVersion=id%3A6076\"}\n2c8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_roles?resourceVersion=id%3A6076\"}\n2c6:{\"related\":\"$2c7\",\"self\":\"$2c8\"}\n2be:{\"data\":\"$2bf\",\"links\":\"$2c6\"}\n2cc:{\"drupal_internal__target_id\":21}\n2cb:{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":\"$2cc\"}\n2ca:[\"$2cb\"]\n2ce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_topics?resourceVersion=id%3A6076\"}\n2cf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_topics?resourceVersion=id%3A6076\"}\n2cd:{\"related\":\"$2ce\",\"self\":\"$2cf\"}\n2c9:{\"data\":\"$2ca\",\"links\":\"$2cd\"}\n28d:{\"node_type\":\"$28e\",\"revision_"])</script><script>self.__next_f.push([1,"uid\":\"$294\",\"uid\":\"$29a\",\"field_page_section\":\"$2a0\",\"field_related_collection\":\"$2a7\",\"field_resource_type\":\"$2b8\",\"field_roles\":\"$2be\",\"field_topics\":\"$2c9\"}\n286:{\"type\":\"node--explainer\",\"id\":\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\",\"links\":\"$287\",\"attributes\":\"$289\",\"relationships\":\"$28d\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a?resourceVersion=id%3A5934\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__nid\":736,\"drupal_internal__vid\":5934,\"langcode\":\"en\",\"revision_timestamp\":\"2024-09-28T13:01:56+00:00\",\"status\":true,\"title\":\"SaaS Governance (SaaSG)\",\"created\":\"2023-02-13T19:52:17+00:00\",\"changed\":\"2024-09-28T13:01:56+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/saas-governance-saasg\",\"pid\":726,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"saasg@cms.hhs.gov\",\"field_contact_name\":\"SaaSG Team\",\"field_short_description\":{\"value\":\"Considerations and guidelines for CMS business units wanting to use SaaS applications\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eConsiderations and guidelines for CMS business units wanting to use SaaS applications\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-saas-governance\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/node_type?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/node_type?resourceVersion=id%3A5934\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/revision_uid?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/revision_uid?resourceVersion=id%3A5934\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/uid?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/uid?resourceVersion=id%3A5934\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"32796f74-9a4b-49be-b101-133dce4c4568\",\"meta\":{\"target_revision_id\":19389,\"drupal_internal__target_id\":1446}},{\"type\":\"paragraph--page_section\",\"id\":\"23cc1637-59ba-448f-8e17-e5aed202cb74\",\"meta\":{\"target_revision_id\":19396,\"drupal_internal__target_id\":3528}},{\"type\":\"paragraph--page_section\",\"id\":\"53da5747-8514-4ea5-9f3d-2905f9a61edb\",\"meta\":{\"target_revision_id\":19397,\"drupal_internal__target_id\":3529}},{\"type\":\"paragraph--page_section\",\"id\":\"c1fc448a-a41f-4061-9bc9-59b74374d79a\",\"meta\":{\"target_revision_id\":19398,\"drupal_internal__target_id\":1451}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_page_section?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_page_section?resourceVersion=id%3A5934\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"e0d07bf6-c606-4a38-ba34-9521f9e77733\",\"meta\":{\"target_revision_id\":19399,\"drupal_internal__target_id\":1671}},{\"type\":\"paragraph--internal_link\",\"id\":\"be5c8dd0-860f-4570-bf13-358733b392ca\",\"meta\":{\"target_revision_id\":19400,\"drupal_internal__target_id\":1676}},{\"type\":\"paragraph--internal_link\",\"id\":\"10abb234-5289-40da-9df3-f4e6e9c06a80\",\"meta\":{\"target_revision_id\":19401,\"drupal_internal__target_id\":1681}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_related_collection?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_related_collection?resourceVersion=id%3A5934\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_resource_type?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_resource_type?resourceVersion=id%3A5934\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_roles?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_roles?resourceVersion=id%3A5934\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_topics?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_topics?resourceVersion=id%3A5934\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}},\"attributes\":{\"display_name\":\"mburgess\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4?resourceVersion=id%3A121\"}},\"attributes\":{\"drupal_internal__tid\":121,\"drupal_internal__revision_id\":121,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:12+00:00\",\"status\":true,\"name\":\"Tools / Services\",\"description\":null,\"weight\":5,\"changed\":\"2023-06-14T19:04:09+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/vid?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/vid?resourceVersion=id%3A121\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/revision_user?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/revision_user?resourceVersion=id%3A121\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/parent?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/parent?resourceVersion=id%3A121\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c?resourceVersion=id%3A41\"}},\"attributes\":{\"drupal_internal__tid\":41,\"drupal_internal__revision_id\":41,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:04+00:00\",\"status\":true,\"name\":\"Application Security\",\"description\":null,\"weight\":0,\"changed\":\"2022-09-28T21:04:30+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/vid?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/vid?resourceVersion=id%3A41\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/revision_user?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/revision_user?resourceVersion=id%3A41\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/parent?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/parent?resourceVersion=id%3A41\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}},\"attributes\":{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"32796f74-9a4b-49be-b101-133dce4c4568\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/32796f74-9a4b-49be-b101-133dce4c4568?resourceVersion=id%3A19389\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/32796f74-9a4b-49be-b101-133dce4c4568?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":1446,\"drupal_internal__revision_id\":19389,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T20:06:50+00:00\",\"parent_id\":\"736\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/32796f74-9a4b-49be-b101-133dce4c4568/paragraph_type?resourceVersion=id%3A19389\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/32796f74-9a4b-49be-b101-133dce4c4568/relationships/paragraph_type?resourceVersion=id%3A19389\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--process_list\",\"id\":\"0e95620e-c7a4-4e21-b505-91a2f013a45a\",\"meta\":{\"target_revision_id\":19388,\"drupal_internal__target_id\":1441}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/32796f74-9a4b-49be-b101-133dce4c4568/field_specialty_item?resourceVersion=id%3A19389\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/32796f74-9a4b-49be-b101-133dce4c4568/relationships/field_specialty_item?resourceVersion=id%3A19389\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"23cc1637-59ba-448f-8e17-e5aed202cb74\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/23cc1637-59ba-448f-8e17-e5aed202cb74?resourceVersion=id%3A19396\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/23cc1637-59ba-448f-8e17-e5aed202cb74?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":3528,\"drupal_internal__revision_id\":19396,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:04:56+00:00\",\"parent_id\":\"736\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/23cc1637-59ba-448f-8e17-e5aed202cb74/paragraph_type?resourceVersion=id%3A19396\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/23cc1637-59ba-448f-8e17-e5aed202cb74/relationships/paragraph_type?resourceVersion=id%3A19396\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--process_list\",\"id\":\"3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34\",\"meta\":{\"target_revision_id\":19395,\"drupal_internal__target_id\":3527}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/23cc1637-59ba-448f-8e17-e5aed202cb74/field_specialty_item?resourceVersion=id%3A19396\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/23cc1637-59ba-448f-8e17-e5aed202cb74/relationships/field_specialty_item?resourceVersion=id%3A19396\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"53da5747-8514-4ea5-9f3d-2905f9a61edb\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53da5747-8514-4ea5-9f3d-2905f9a61edb?resourceVersion=id%3A19397\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53da5747-8514-4ea5-9f3d-2905f9a61edb?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":3529,\"drupal_internal__revision_id\":19397,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:10:11+00:00\",\"parent_id\":\"736\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$1c\",\"format\":\"body_text\",\"processed\":\"$1d\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53da5747-8514-4ea5-9f3d-2905f9a61edb/paragraph_type?resourceVersion=id%3A19397\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53da5747-8514-4ea5-9f3d-2905f9a61edb/relationships/paragraph_type?resourceVersion=id%3A19397\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53da5747-8514-4ea5-9f3d-2905f9a61edb/field_specialty_item?resourceVersion=id%3A19397\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/53da5747-8514-4ea5-9f3d-2905f9a61edb/relationships/field_specialty_item?resourceVersion=id%3A19397\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"c1fc448a-a41f-4061-9bc9-59b74374d79a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c1fc448a-a41f-4061-9bc9-59b74374d79a?resourceVersion=id%3A19398\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c1fc448a-a41f-4061-9bc9-59b74374d79a?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":1451,\"drupal_internal__revision_id\":19398,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T20:10:09+00:00\",\"parent_id\":\"736\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"\u003ch2\u003eFrequently asked questions\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eWill SaaS currently in use (at CMS) continue to be approved for use without the need for review?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSaaS that has been previously approved with a CMS ATO or FedRAMP authorization is not required to be reviewed by the SaaSG group.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWould the SaaS product still have to be included in the FISMA system boundary?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYes, but we are looking at ways to move these approved SaaS requests under a sanctioned boundary in the future that will provide some of the customer control capabilities.\u003c/p\u003e\u003ch2\u003eContact the SaaS Team\u003c/h2\u003e\u003cp\u003eThe SaaSG Team can answer questions regarding any aspect of the SaaSG program, policies, guidance, or processes. You can reach us by email at\u0026nbsp;\u003ca href=\\\"mailto:saasg@cms.hhs.gov\\\"\u003esaasg@cms.hhs.gov\u003c/a\u003e\u0026nbsp;or find our team on CMS Slack at\u0026nbsp;#ispg-saas-governance.\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2\u003eFrequently asked questions\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eWill SaaS currently in use (at CMS) continue to be approved for use without the need for review?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSaaS that has been previously approved with a CMS ATO or FedRAMP authorization is not required to be reviewed by the SaaSG group.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWould the SaaS product still have to be included in the FISMA system boundary?\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYes, but we are looking at ways to move these approved SaaS requests under a sanctioned boundary in the future that will provide some of the customer control capabilities.\u003c/p\u003e\u003ch2\u003eContact the SaaS Team\u003c/h2\u003e\u003cp\u003eThe SaaSG Team can answer questions regarding any aspect of the SaaSG program, policies, guidance, or processes. You can reach us by email at\u0026nbsp;\u003ca href=\\\"mailto:saasg@cms.hhs.gov\\\"\u003esaasg@cms.hhs.gov\u003c/a\u003e\u0026nbsp;or find our team on CMS Slack at\u0026nbsp;#ispg-saas-governance.\u003c/p\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c1fc448a-a41f-4061-9bc9-59b74374d79a/paragraph_type?resourceVersion=id%3A19398\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c1fc448a-a41f-4061-9bc9-59b74374d79a/relationships/paragraph_type?resourceVersion=id%3A19398\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c1fc448a-a41f-4061-9bc9-59b74374d79a/field_specialty_item?resourceVersion=id%3A19398\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c1fc448a-a41f-4061-9bc9-59b74374d79a/relationships/field_specialty_item?resourceVersion=id%3A19398\"}}}}},{\"type\":\"paragraph--process_list\",\"id\":\"0e95620e-c7a4-4e21-b505-91a2f013a45a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/0e95620e-c7a4-4e21-b505-91a2f013a45a?resourceVersion=id%3A19388\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/0e95620e-c7a4-4e21-b505-91a2f013a45a?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":1441,\"drupal_internal__revision_id\":19388,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T20:06:50+00:00\",\"parent_id\":\"1446\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":{\"drupal_internal__target_id\":\"process_list\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/0e95620e-c7a4-4e21-b505-91a2f013a45a/paragraph_type?resourceVersion=id%3A19388\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/0e95620e-c7a4-4e21-b505-91a2f013a45a/relationships/paragraph_type?resourceVersion=id%3A19388\"}}},\"field_process_list_item\":{\"data\":[{\"type\":\"paragraph--process_list_item\",\"id\":\"9039953e-b7e7-46a6-a045-9d010fab764f\",\"meta\":{\"target_revision_id\":19384,\"drupal_internal__target_id\":1421}},{\"type\":\"paragraph--process_list_item\",\"id\":\"7d37fbfd-f4f1-4d3f-a0da-67ec181ef13b\",\"meta\":{\"target_revision_id\":19385,\"drupal_internal__target_id\":1426}},{\"type\":\"paragraph--process_list_item\",\"id\":\"947c05a0-f2b4-4340-bae9-9b1bc412cca8\",\"meta\":{\"target_revision_id\":19386,\"drupal_internal__target_id\":1431}},{\"type\":\"paragraph--process_list_item\",\"id\":\"b7233d36-c647-457c-a731-7dc12fef983b\",\"meta\":{\"target_revision_id\":19387,\"drupal_internal__target_id\":1436}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/0e95620e-c7a4-4e21-b505-91a2f013a45a/field_process_list_item?resourceVersion=id%3A19388\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/0e95620e-c7a4-4e21-b505-91a2f013a45a/relationships/field_process_list_item?resourceVersion=id%3A19388\"}}}}},{\"type\":\"paragraph--process_list\",\"id\":\"3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34?resourceVersion=id%3A19395\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":3527,\"drupal_internal__revision_id\":19395,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:06:37+00:00\",\"parent_id\":\"3528\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":{\"value\":\"\u003cp\u003eThe RCR process incorporates some \u003ca href=\\\"https://security.cms.gov/learn/supply-chain-risk-management-scrm\\\"\u003eCMS SCRM\u003c/a\u003e functionality to help identify concerns about Foreign Ownership Control and Influence (FOCI).\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe RCR process incorporates some \u003ca href=\\\"https://security.cms.gov/learn/supply-chain-risk-management-scrm\\\"\u003eCMS SCRM\u003c/a\u003e functionality to help identify concerns about Foreign Ownership Control and Influence (FOCI).\u003c/p\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":{\"drupal_internal__target_id\":\"process_list\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34/paragraph_type?resourceVersion=id%3A19395\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34/relationships/paragraph_type?resourceVersion=id%3A19395\"}}},\"field_process_list_item\":{\"data\":[{\"type\":\"paragraph--process_list_item\",\"id\":\"4373fc65-fb5b-4d76-ae39-82fdbcea9634\",\"meta\":{\"target_revision_id\":19390,\"drupal_internal__target_id\":3522}},{\"type\":\"paragraph--process_list_item\",\"id\":\"f4b6e8cd-89ae-4577-a94c-78b4012275de\",\"meta\":{\"target_revision_id\":19391,\"drupal_internal__target_id\":3523}},{\"type\":\"paragraph--process_list_item\",\"id\":\"e7fb8da9-4bdd-4e62-8628-366d7c37c950\",\"meta\":{\"target_revision_id\":19392,\"drupal_internal__target_id\":3524}},{\"type\":\"paragraph--process_list_item\",\"id\":\"56abc1b3-50aa-47cc-8ed1-1d18d4974216\",\"meta\":{\"target_revision_id\":19393,\"drupal_internal__target_id\":3525}},{\"type\":\"paragraph--process_list_item\",\"id\":\"483da93f-2f21-46f2-912a-67261fa19261\",\"meta\":{\"target_revision_id\":19394,\"drupal_internal__target_id\":3526}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34/field_process_list_item?resourceVersion=id%3A19395\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34/relationships/field_process_list_item?resourceVersion=id%3A19395\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"9039953e-b7e7-46a6-a045-9d010fab764f\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/9039953e-b7e7-46a6-a045-9d010fab764f?resourceVersion=id%3A19384\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/9039953e-b7e7-46a6-a045-9d010fab764f?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":1421,\"drupal_internal__revision_id\":19384,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T20:06:50+00:00\",\"parent_id\":\"1441\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eUse the \u003ca href=\\\"https://cmsbox.box.com/s/f5u2ms4idxqza7ckbw1hs1a455omc2im\\\"\u003eCMS SaaS Buyer’s Guide\u003c/a\u003e (requires access to CMS Box) as a checklist to determine if the product will meet your business needs – and to make sure the provider is addressing important cybersecurity considerations.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eUse the \u003ca href=\\\"https://cmsbox.box.com/s/f5u2ms4idxqza7ckbw1hs1a455omc2im\\\"\u003eCMS SaaS Buyer’s Guide\u003c/a\u003e (requires access to CMS Box) as a checklist to determine if the product will meet your business needs – and to make sure the provider is addressing important cybersecurity considerations.\u003c/p\u003e\"},\"field_list_item_title\":\"Evaluate the product\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/9039953e-b7e7-46a6-a045-9d010fab764f/paragraph_type?resourceVersion=id%3A19384\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/9039953e-b7e7-46a6-a045-9d010fab764f/relationships/paragraph_type?resourceVersion=id%3A19384\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"7d37fbfd-f4f1-4d3f-a0da-67ec181ef13b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/7d37fbfd-f4f1-4d3f-a0da-67ec181ef13b?resourceVersion=id%3A19385\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/7d37fbfd-f4f1-4d3f-a0da-67ec181ef13b?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":1426,\"drupal_internal__revision_id\":19385,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T20:07:01+00:00\",\"parent_id\":\"1441\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eThe \u003ca href=\\\"https://tableau.bi.cms.gov/#/site/CEDE/views/SaaSGovernanceDashboards_16860786175160/SaaSinReview?:iid=1\\\"\u003eCMS SaaSG Dashboard\u003c/a\u003e is a list of SaaS products already approved (or going through the approval process) at CMS. Check to see if one of these will meet your needs. If you are unable to view the dashboard, please ensure you have the EUA job code: TABLEAU_DIR_VIEWER_PRD. For assistance logging into the Tableau SaaS Dashboard, click\u0026nbsp;\u003ca href=\\\"https://app.box.com/file/1262804094940\\\" target=\\\"_blank\\\"\u003eHERE\u003c/a\u003e\u0026nbsp;to review the login guide.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe \u003ca href=\\\"https://tableau.bi.cms.gov/#/site/CEDE/views/SaaSGovernanceDashboards_16860786175160/SaaSinReview?:iid=1\\\"\u003eCMS SaaSG Dashboard\u003c/a\u003e is a list of SaaS products already approved (or going through the approval process) at CMS. Check to see if one of these will meet your needs. If you are unable to view the dashboard, please ensure you have the EUA job code: TABLEAU_DIR_VIEWER_PRD. For assistance logging into the Tableau SaaS Dashboard, click\u0026nbsp;\u003ca href=\\\"https://app.box.com/file/1262804094940\\\" target=\\\"_blank\\\"\u003eHERE\u003c/a\u003e\u0026nbsp;to review the login guide.\u003c/p\u003e\"},\"field_list_item_title\":\"Check existing SaaS solutions\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/7d37fbfd-f4f1-4d3f-a0da-67ec181ef13b/paragraph_type?resourceVersion=id%3A19385\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/7d37fbfd-f4f1-4d3f-a0da-67ec181ef13b/relationships/paragraph_type?resourceVersion=id%3A19385\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"947c05a0-f2b4-4340-bae9-9b1bc412cca8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/947c05a0-f2b4-4340-bae9-9b1bc412cca8?resourceVersion=id%3A19386\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/947c05a0-f2b4-4340-bae9-9b1bc412cca8?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":1431,\"drupal_internal__revision_id\":19386,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T20:07:56+00:00\",\"parent_id\":\"1441\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eIf you have determined that the SaaS product you’re considering is right for your needs and is not already being used at CMS, then you can submit the product to be reviewed by the SaaSG team to start a Rapid Cloud Review (RCR) assessment.\u0026nbsp; Complete the \u003ca href=\\\"https://coda.io/form/CMS-SaaS-Governance-Intake-Form_dddeq-6DEo6?FormSource=CyberGeek\\\"\u003eSaaS Request Intake Form\u003c/a\u003e (the Business Owner, ISSO, CRA, or designee can do this). Contact the SaaSG team via email (\u003ca href=\\\"mailto:saasg@cms.hhs.gov\\\"\u003esaasg@cms.hhs.gov\u003c/a\u003e) if you need help with the form.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eIf you have determined that the SaaS product you’re considering is right for your needs and is not already being used at CMS, then you can submit the product to be reviewed by the SaaSG team to start a Rapid Cloud Review (RCR) assessment.\u0026nbsp; Complete the \u003ca href=\\\"https://coda.io/form/CMS-SaaS-Governance-Intake-Form_dddeq-6DEo6?FormSource=CyberGeek\\\"\u003eSaaS Request Intake Form\u003c/a\u003e (the Business Owner, ISSO, CRA, or designee can do this). Contact the SaaSG team via email (\u003ca href=\\\"mailto:saasg@cms.hhs.gov\\\"\u003esaasg@cms.hhs.gov\u003c/a\u003e) if you need help with the form.\u003c/p\u003e\"},\"field_list_item_title\":\"Submit a request for review\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/947c05a0-f2b4-4340-bae9-9b1bc412cca8/paragraph_type?resourceVersion=id%3A19386\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/947c05a0-f2b4-4340-bae9-9b1bc412cca8/relationships/paragraph_type?resourceVersion=id%3A19386\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"b7233d36-c647-457c-a731-7dc12fef983b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b7233d36-c647-457c-a731-7dc12fef983b?resourceVersion=id%3A19387\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b7233d36-c647-457c-a731-7dc12fef983b?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":1436,\"drupal_internal__revision_id\":19387,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T20:09:23+00:00\",\"parent_id\":\"1441\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eAs the SaaSG team reviews your proposed SaaS product, we may ask for additional information. We may also need to schedule meetings with you or the SaaS provider. Timely and clear responses to these requests will help move the process along and lead to a faster decision. Meanwhile, you can use the SaaSG Dashboard in Tableau to track the progress of your request.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eAs the SaaSG team reviews your proposed SaaS product, we may ask for additional information. We may also need to schedule meetings with you or the SaaS provider. Timely and clear responses to these requests will help move the process along and lead to a faster decision. Meanwhile, you can use the SaaSG Dashboard in Tableau to track the progress of your request.\u003c/p\u003e\"},\"field_list_item_title\":\"Respond to follow-up questions\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b7233d36-c647-457c-a731-7dc12fef983b/paragraph_type?resourceVersion=id%3A19387\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b7233d36-c647-457c-a731-7dc12fef983b/relationships/paragraph_type?resourceVersion=id%3A19387\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"4373fc65-fb5b-4d76-ae39-82fdbcea9634\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4373fc65-fb5b-4d76-ae39-82fdbcea9634?resourceVersion=id%3A19390\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4373fc65-fb5b-4d76-ae39-82fdbcea9634?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":3522,\"drupal_internal__revision_id\":19390,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:06:37+00:00\",\"parent_id\":\"3527\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003col\u003e\u003cli dir=\\\"ltr\\\"\u003eProvide SaaSG overview\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eDetermine use case\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eDiscuss RCR process and next steps\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eSend BO Intake form link from Coda\u003c/li\u003e\u003c/ol\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003col\u003e\u003cli dir=\\\"ltr\\\"\u003eProvide SaaSG overview\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eDetermine use case\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eDiscuss RCR process and next steps\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eSend BO Intake form link from Coda\u003c/li\u003e\u003c/ol\u003e\"},\"field_list_item_title\":\"Kickoff and intake form\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4373fc65-fb5b-4d76-ae39-82fdbcea9634/paragraph_type?resourceVersion=id%3A19390\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4373fc65-fb5b-4d76-ae39-82fdbcea9634/relationships/paragraph_type?resourceVersion=id%3A19390\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"f4b6e8cd-89ae-4577-a94c-78b4012275de\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f4b6e8cd-89ae-4577-a94c-78b4012275de?resourceVersion=id%3A19391\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f4b6e8cd-89ae-4577-a94c-78b4012275de?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":3523,\"drupal_internal__revision_id\":19391,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:07:01+00:00\",\"parent_id\":\"3527\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eSend request for information to the vendor\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eSend request for information to the vendor\u003c/p\u003e\"},\"field_list_item_title\":\"Request\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f4b6e8cd-89ae-4577-a94c-78b4012275de/paragraph_type?resourceVersion=id%3A19391\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f4b6e8cd-89ae-4577-a94c-78b4012275de/relationships/paragraph_type?resourceVersion=id%3A19391\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"e7fb8da9-4bdd-4e62-8628-366d7c37c950\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e7fb8da9-4bdd-4e62-8628-366d7c37c950?resourceVersion=id%3A19392\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e7fb8da9-4bdd-4e62-8628-366d7c37c950?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":3524,\"drupal_internal__revision_id\":19392,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:07:24+00:00\",\"parent_id\":\"3527\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003col\u003e\u003cli dir=\\\"ltr\\\"\u003ePerform Artifact review\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eRun perimeter scan\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eReach out to the vendor for follow-up questions (if needed)\u0026nbsp;\u003c/li\u003e\u003c/ol\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003col\u003e\u003cli dir=\\\"ltr\\\"\u003ePerform Artifact review\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eRun perimeter scan\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eReach out to the vendor for follow-up questions (if needed)\u0026nbsp;\u003c/li\u003e\u003c/ol\u003e\"},\"field_list_item_title\":\"Review\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e7fb8da9-4bdd-4e62-8628-366d7c37c950/paragraph_type?resourceVersion=id%3A19392\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e7fb8da9-4bdd-4e62-8628-366d7c37c950/relationships/paragraph_type?resourceVersion=id%3A19392\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"56abc1b3-50aa-47cc-8ed1-1d18d4974216\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/56abc1b3-50aa-47cc-8ed1-1d18d4974216?resourceVersion=id%3A19393\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/56abc1b3-50aa-47cc-8ed1-1d18d4974216?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":3525,\"drupal_internal__revision_id\":19393,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:07:42+00:00\",\"parent_id\":\"3527\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003col\u003e\u003cli dir=\\\"ltr\\\"\u003eDocument findings from artifact review\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eReview CMS \u003ca href=\\\"https://security.cms.gov/learn/supply-chain-risk-management-scrm\\\"\u003eSupply Chain Risk Management\u003c/a\u003e (SCRM) findings*\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eFinalize RCR report\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eSend final report to all stakeholders from SaaS Request\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eOut brief Meeting Scheduled (Provide an opportunity to discuss report findings and recommendations with BO)\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eIssue P-ATO (Provisional Authority to Operate) if approved by AO\u003c/li\u003e\u003c/ol\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003col\u003e\u003cli dir=\\\"ltr\\\"\u003eDocument findings from artifact review\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eReview CMS \u003ca href=\\\"https://security.cms.gov/learn/supply-chain-risk-management-scrm\\\"\u003eSupply Chain Risk Management\u003c/a\u003e (SCRM) findings*\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eFinalize RCR report\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eSend final report to all stakeholders from SaaS Request\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eOut brief Meeting Scheduled (Provide an opportunity to discuss report findings and recommendations with BO)\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eIssue P-ATO (Provisional Authority to Operate) if approved by AO\u003c/li\u003e\u003c/ol\u003e\"},\"field_list_item_title\":\"Outcome: Approval or Denial\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/56abc1b3-50aa-47cc-8ed1-1d18d4974216/paragraph_type?resourceVersion=id%3A19393\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/56abc1b3-50aa-47cc-8ed1-1d18d4974216/relationships/paragraph_type?resourceVersion=id%3A19393\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"483da93f-2f21-46f2-912a-67261fa19261\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/483da93f-2f21-46f2-912a-67261fa19261?resourceVersion=id%3A19394\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/483da93f-2f21-46f2-912a-67261fa19261?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":3526,\"drupal_internal__revision_id\":19394,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-09-05T21:08:06+00:00\",\"parent_id\":\"3527\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eCheck in with BO on current SaaS status after 90 days.\u003c/p\u003e\u003cul\u003e\u003cli dir=\\\"ltr\\\"\u003eConMon (\u003ca href=\\\"https://security.cms.gov/policy-guidance/cms-cyber-risk-management-plan-crmp#continuous-monitoring\\\"\u003eContinuous Monitoring\u003c/a\u003e)\u003cul\u003e\u003cli dir=\\\"ltr\\\"\u003eISM/SSO Integration\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eOnboarded into SSPM\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eThird-Party Risk Management Integration\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003ca href=\\\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\\\"\u003eCMS Cybersecurity Integration Center\u003c/a\u003e (CCIC) Integration\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003ca href=\\\"https://security.cms.gov/learn/cms-security-data-lake-sdl\\\"\u003eCMS Security Data Lake\u003c/a\u003e (SDL) Integration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eOffboard process for unused SaaS\u003c/li\u003e\u003c/ul\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eCheck in with BO on current SaaS status after 90 days.\u003c/p\u003e\u003cul\u003e\u003cli dir=\\\"ltr\\\"\u003eConMon (\u003ca href=\\\"https://security.cms.gov/policy-guidance/cms-cyber-risk-management-plan-crmp#continuous-monitoring\\\"\u003eContinuous Monitoring\u003c/a\u003e)\u003cul\u003e\u003cli dir=\\\"ltr\\\"\u003eISM/SSO Integration\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eOnboarded into SSPM\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eThird-Party Risk Management Integration\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003ca href=\\\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\\\"\u003eCMS Cybersecurity Integration Center\u003c/a\u003e (CCIC) Integration\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003ca href=\\\"https://security.cms.gov/learn/cms-security-data-lake-sdl\\\"\u003eCMS Security Data Lake\u003c/a\u003e (SDL) Integration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003eOffboard process for unused SaaS\u003c/li\u003e\u003c/ul\u003e\"},\"field_list_item_title\":\"ConMon or Offboarding\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/483da93f-2f21-46f2-912a-67261fa19261/paragraph_type?resourceVersion=id%3A19394\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/483da93f-2f21-46f2-912a-67261fa19261/relationships/paragraph_type?resourceVersion=id%3A19394\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"e0d07bf6-c606-4a38-ba34-9521f9e77733\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e0d07bf6-c606-4a38-ba34-9521f9e77733?resourceVersion=id%3A19399\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e0d07bf6-c606-4a38-ba34-9521f9e77733?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":1671,\"drupal_internal__revision_id\":19399,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-14T16:33:27+00:00\",\"parent_id\":\"736\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e0d07bf6-c606-4a38-ba34-9521f9e77733/paragraph_type?resourceVersion=id%3A19399\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e0d07bf6-c606-4a38-ba34-9521f9e77733/relationships/paragraph_type?resourceVersion=id%3A19399\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"meta\":{\"drupal_internal__target_id\":246}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e0d07bf6-c606-4a38-ba34-9521f9e77733/field_link?resourceVersion=id%3A19399\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e0d07bf6-c606-4a38-ba34-9521f9e77733/relationships/field_link?resourceVersion=id%3A19399\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"be5c8dd0-860f-4570-bf13-358733b392ca\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/be5c8dd0-860f-4570-bf13-358733b392ca?resourceVersion=id%3A19400\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/be5c8dd0-860f-4570-bf13-358733b392ca?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":1676,\"drupal_internal__revision_id\":19400,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-14T16:33:34+00:00\",\"parent_id\":\"736\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/be5c8dd0-860f-4570-bf13-358733b392ca/paragraph_type?resourceVersion=id%3A19400\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/be5c8dd0-860f-4570-bf13-358733b392ca/relationships/paragraph_type?resourceVersion=id%3A19400\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"a279358b-5b24-49bc-a98e-11681bd7e65c\",\"meta\":{\"drupal_internal__target_id\":326}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/be5c8dd0-860f-4570-bf13-358733b392ca/field_link?resourceVersion=id%3A19400\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/be5c8dd0-860f-4570-bf13-358733b392ca/relationships/field_link?resourceVersion=id%3A19400\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"10abb234-5289-40da-9df3-f4e6e9c06a80\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/10abb234-5289-40da-9df3-f4e6e9c06a80?resourceVersion=id%3A19401\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/10abb234-5289-40da-9df3-f4e6e9c06a80?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__id\":1681,\"drupal_internal__revision_id\":19401,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-14T16:34:14+00:00\",\"parent_id\":\"736\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/10abb234-5289-40da-9df3-f4e6e9c06a80/paragraph_type?resourceVersion=id%3A19401\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/10abb234-5289-40da-9df3-f4e6e9c06a80/relationships/paragraph_type?resourceVersion=id%3A19401\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\",\"meta\":{\"drupal_internal__target_id\":671}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/10abb234-5289-40da-9df3-f4e6e9c06a80/field_link?resourceVersion=id%3A19401\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/10abb234-5289-40da-9df3-f4e6e9c06a80/relationships/field_link?resourceVersion=id%3A19401\"}}}}},{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58?resourceVersion=id%3A5668\"}},\"attributes\":{\"drupal_internal__nid\":246,\"drupal_internal__vid\":5668,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-12T15:23:53+00:00\",\"status\":true,\"title\":\"CMS Cloud Services\",\"created\":\"2022-08-26T14:47:12+00:00\",\"changed\":\"2024-07-12T15:23:53+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-cloud-services\",\"pid\":236,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cloudsupport@cms.hhs.gov\",\"field_contact_name\":\"CMS Cloud Support\",\"field_short_description\":{\"value\":\"Platform-As-A-Service with tools, security, and support services designed specifically for CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003ePlatform-As-A-Service with tools, security, and support services designed specifically for CMS\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cms-cloud-security-forum\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/node_type?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/node_type?resourceVersion=id%3A5668\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/revision_uid?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/revision_uid?resourceVersion=id%3A5668\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/uid?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/uid?resourceVersion=id%3A5668\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"15f8e7ab-00f6-4c17-b433-659267271131\",\"meta\":{\"target_revision_id\":18519,\"drupal_internal__target_id\":1371}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_page_section?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_page_section?resourceVersion=id%3A5668\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"b48e2348-59b0-42a6-9f44-62af8a94ddf1\",\"meta\":{\"target_revision_id\":18520,\"drupal_internal__target_id\":1376}},{\"type\":\"paragraph--internal_link\",\"id\":\"17ea04ed-0987-43ea-b494-7c051ddfcd28\",\"meta\":{\"target_revision_id\":18521,\"drupal_internal__target_id\":1381}},{\"type\":\"paragraph--internal_link\",\"id\":\"ae49a5b4-3922-4f8d-bbe5-624b243b4637\",\"meta\":{\"target_revision_id\":18522,\"drupal_internal__target_id\":1391}},{\"type\":\"paragraph--internal_link\",\"id\":\"3ebbf63a-35a8-4c15-8002-2b41f7ef528a\",\"meta\":{\"target_revision_id\":18523,\"drupal_internal__target_id\":1396}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_related_collection?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_related_collection?resourceVersion=id%3A5668\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_resource_type?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_resource_type?resourceVersion=id%3A5668\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_roles?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_roles?resourceVersion=id%3A5668\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_topics?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_topics?resourceVersion=id%3A5668\"}}}}},{\"type\":\"node--explainer\",\"id\":\"a279358b-5b24-49bc-a98e-11681bd7e65c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c?resourceVersion=id%3A5942\"}},\"attributes\":{\"drupal_internal__nid\":326,\"drupal_internal__vid\":5942,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-17T14:55:23+00:00\",\"status\":true,\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"created\":\"2022-08-29T15:22:00+00:00\",\"changed\":\"2024-10-17T14:55:23+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/fedramp\",\"pid\":316,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"FedRAMP@cms.hhs.gov\",\"field_contact_name\":\"CMS FedRAMP PMO\",\"field_short_description\":{\"value\":\"Provides a federally-recognized and standardized security framework for all cloud products and services\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProvides a federally-recognized and standardized security framework for all cloud products and services\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#fedramp\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/node_type?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/node_type?resourceVersion=id%3A5942\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"d3421e1d-1fda-4bd0-83ab-e404455b0e66\",\"meta\":{\"drupal_internal__target_id\":114}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/revision_uid?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/revision_uid?resourceVersion=id%3A5942\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/uid?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/uid?resourceVersion=id%3A5942\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"2ce39e48-81e4-4bea-a0ff-04f25ddd0041\",\"meta\":{\"target_revision_id\":19451,\"drupal_internal__target_id\":1171}},{\"type\":\"paragraph--page_section\",\"id\":\"77ea2e89-2433-4815-b869-52b2d900029e\",\"meta\":{\"target_revision_id\":19452,\"drupal_internal__target_id\":1211}},{\"type\":\"paragraph--page_section\",\"id\":\"deedf0fe-44e9-4015-90a1-f86ce6cbaf24\",\"meta\":{\"target_revision_id\":19462,\"drupal_internal__target_id\":3431}},{\"type\":\"paragraph--page_section\",\"id\":\"2b2216d8-24c3-4940-930f-6e79f68a279a\",\"meta\":{\"target_revision_id\":19472,\"drupal_internal__target_id\":1261}},{\"type\":\"paragraph--page_section\",\"id\":\"cbda5c42-489d-4480-85f5-db10db44de3e\",\"meta\":{\"target_revision_id\":19474,\"drupal_internal__target_id\":1266}},{\"type\":\"paragraph--page_section\",\"id\":\"37970dd4-a515-4370-a09f-f5177c2f98c2\",\"meta\":{\"target_revision_id\":19475,\"drupal_internal__target_id\":3433}},{\"type\":\"paragraph--page_section\",\"id\":\"434b1960-73e8-43fa-9b9e-253ce35fa55a\",\"meta\":{\"target_revision_id\":19476,\"drupal_internal__target_id\":3434}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_page_section?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_page_section?resourceVersion=id%3A5942\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"7a5f06f0-e0ba-4ed2-aade-79b2233ec125\",\"meta\":{\"target_revision_id\":19477,\"drupal_internal__target_id\":1956}},{\"type\":\"paragraph--internal_link\",\"id\":\"61509c21-9c9e-48d0-8110-b98574cee727\",\"meta\":{\"target_revision_id\":19478,\"drupal_internal__target_id\":1961}},{\"type\":\"paragraph--internal_link\",\"id\":\"c2480fc7-b7c3-49d4-8643-cd42bcd3b56b\",\"meta\":{\"target_revision_id\":19479,\"drupal_internal__target_id\":1966}},{\"type\":\"paragraph--internal_link\",\"id\":\"63dffb2c-c587-4991-8523-142b2378a5aa\",\"meta\":{\"target_revision_id\":19480,\"drupal_internal__target_id\":3435}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_related_collection?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_related_collection?resourceVersion=id%3A5942\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_resource_type?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_resource_type?resourceVersion=id%3A5942\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_roles?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_roles?resourceVersion=id%3A5942\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":{\"drupal_internal__target_id\":21}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/field_topics?resourceVersion=id%3A5942\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a279358b-5b24-49bc-a98e-11681bd7e65c/relationships/field_topics?resourceVersion=id%3A5942\"}}}}},{\"type\":\"node--explainer\",\"id\":\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf?resourceVersion=id%3A6076\"}},\"attributes\":{\"drupal_internal__nid\":671,\"drupal_internal__vid\":6076,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-15T16:28:16+00:00\",\"status\":true,\"title\":\"Zero Trust \",\"created\":\"2023-02-02T19:12:26+00:00\",\"changed\":\"2025-01-15T16:28:16+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/zero-trust\",\"pid\":661,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ISPGZeroTrust@cms.hhs.gov\",\"field_contact_name\":\"Zero Trust Team\",\"field_short_description\":{\"value\":\"Security paradigm that requires the continuous verification of system users to promote system security\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSecurity paradigm that requires the continuous verification of system users to promote system security\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cms-zero-trust\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/node_type?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/node_type?resourceVersion=id%3A6076\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"bebd6b4a-b250-4060-a68d-15e540df32b8\",\"meta\":{\"drupal_internal__target_id\":138}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/revision_uid?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/revision_uid?resourceVersion=id%3A6076\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/uid?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/uid?resourceVersion=id%3A6076\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"9271f09e-6087-42ce-9b2a-2ddf6888888d\",\"meta\":{\"target_revision_id\":19936,\"drupal_internal__target_id\":536}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_page_section?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_page_section?resourceVersion=id%3A6076\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"c6911d3e-5198-4b35-ac2a-13d123aedee1\",\"meta\":{\"target_revision_id\":19941,\"drupal_internal__target_id\":3398}},{\"type\":\"paragraph--internal_link\",\"id\":\"2bcabaa5-d621-42c9-bdc8-e0b80b3869d3\",\"meta\":{\"target_revision_id\":19946,\"drupal_internal__target_id\":1616}},{\"type\":\"paragraph--internal_link\",\"id\":\"670741af-bf41-4d99-a21c-a24dc57f4424\",\"meta\":{\"target_revision_id\":19951,\"drupal_internal__target_id\":3499}},{\"type\":\"paragraph--internal_link\",\"id\":\"f7a739a6-3d16-4633-bfad-fd8f469ffb64\",\"meta\":{\"target_revision_id\":19956,\"drupal_internal__target_id\":1611}},{\"type\":\"paragraph--internal_link\",\"id\":\"80d01d00-9ecf-4254-8e6e-a9242e8289f1\",\"meta\":{\"target_revision_id\":19961,\"drupal_internal__target_id\":1621}},{\"type\":\"paragraph--internal_link\",\"id\":\"d576257b-f5ba-4ad4-a81b-7628a82e8dce\",\"meta\":{\"target_revision_id\":19966,\"drupal_internal__target_id\":1626}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_related_collection?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_related_collection?resourceVersion=id%3A6076\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_resource_type?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_resource_type?resourceVersion=id%3A6076\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_roles?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_roles?resourceVersion=id%3A6076\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":{\"drupal_internal__target_id\":21}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_topics?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_topics?resourceVersion=id%3A6076\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1e\",\"e352e203-fe9c-47ba-af75-2c7f8302fca8\":\"$28\",\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\":\"$2c\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$46\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$60\",\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\":\"$7a\",\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\":\"$94\",\"32796f74-9a4b-49be-b101-133dce4c4568\":\"$ae\",\"23cc1637-59ba-448f-8e17-e5aed202cb74\":\"$c4\",\"53da5747-8514-4ea5-9f3d-2905f9a61edb\":\"$da\",\"c1fc448a-a41f-4061-9bc9-59b74374d79a\":\"$ee\",\"0e95620e-c7a4-4e21-b505-91a2f013a45a\":\"$100\",\"3f65aeeb-0f81-46fc-8cf7-b477e0f8cb34\":\"$11a\",\"9039953e-b7e7-46a6-a045-9d010fab764f\":\"$137\",\"7d37fbfd-f4f1-4d3f-a0da-67ec181ef13b\":\"$145\",\"947c05a0-f2b4-4340-bae9-9b1bc412cca8\":\"$153\",\"b7233d36-c647-457c-a731-7dc12fef983b\":\"$161\",\"4373fc65-fb5b-4d76-ae39-82fdbcea9634\":\"$16f\",\"f4b6e8cd-89ae-4577-a94c-78b4012275de\":\"$17d\",\"e7fb8da9-4bdd-4e62-8628-366d7c37c950\":\"$18b\",\"56abc1b3-50aa-47cc-8ed1-1d18d4974216\":\"$199\",\"483da93f-2f21-46f2-912a-67261fa19261\":\"$1a7\",\"e0d07bf6-c606-4a38-ba34-9521f9e77733\":\"$1b5\",\"be5c8dd0-860f-4570-bf13-358733b392ca\":\"$1c8\",\"10abb234-5289-40da-9df3-f4e6e9c06a80\":\"$1db\",\"42018625-2456-415e-bd2c-f1c061290d58\":\"$1ee\",\"a279358b-5b24-49bc-a98e-11681bd7e65c\":\"$234\",\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\":\"$286\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"SaaS Governance (SaaSG) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Considerations and guidelines for CMS business units wanting to use SaaS applications\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/saas-governance-saasg\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"SaaS Governance (SaaSG) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Considerations and guidelines for CMS business units wanting to use SaaS applications\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/saas-governance-saasg\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/saas-governance-saasg/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"SaaS Governance (SaaSG) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Considerations and guidelines for CMS business units wanting to use SaaS applications\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/saas-governance-saasg/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html> |