publicdata/cms-gov
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
cms-gov/security.cms.gov/learn/software-bill-materials-sbom
Scott Williams b906a0e722 Initial commit
2025-02-28 14:41:14 -05:00

2 lines
No EOL
222 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>Software Bill of Materials (SBOM) | CMS Information Security &amp; Privacy Group</title><meta name="description" content="A structured list of the components and modules that make up a piece of software, and the supply chain relationships between them"/><link rel="canonical" href="https://security.cms.gov/learn/software-bill-materials-sbom"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="Software Bill of Materials (SBOM) | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="A structured list of the components and modules that make up a piece of software, and the supply chain relationships between them"/><meta property="og:url" content="https://security.cms.gov/learn/software-bill-materials-sbom"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/software-bill-materials-sbom/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Software Bill of Materials (SBOM) | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="A structured list of the components and modules that make up a piece of software, and the supply chain relationships between them"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/software-bill-materials-sbom/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accessibility Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">Software Bill of Materials (SBOM)</h1><p class="hero__description">A structured list of the components and modules that make up a piece of software, and the supply chain relationships between them</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">SaaS Governance Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:saasg@cms.hhs.gov">saasg@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 margin-top-0">#ispg-saas-governance</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>What is an SBOM?</h2><p>A “Software Bill of Materials” (SBOM) is a list of all the open-source and third-party components present in a systems code. An SBOM lists the licenses that govern the components, the versions of the components used in the code, and their patch status, which allows for quick identification of any security or license risk.</p><p>SBOMs are becoming an important part of how government agencies strengthen their software security by identifying and managing risks in the software supply chain. For federal information technology systems, SBOMs support:</p><p><strong>Transparency - </strong>Organizations are more aware of the component parts of their software and can make better security decisions based on that knowledge.</p><p><strong>Vulnerability tracking - </strong>Known vulnerabilities for each component can be tracked as software updates are made, resulting in a more accurate understanding of a projects overall system risk.</p><p><strong>Auditing - </strong>Knowing a systems component parts and any related risks ensures that only authorized dependencies are included in a software project.</p><h3>Federal guidance on SBOM</h3><p>Federal authorities such as the National Telecommunications and Information Administration (NTIA) and the Cybersecurity Infrastructure Agency (CISA) provide information about the use of SBOMs and the importance of their adoption by government agencies:</p><ul><li><a href="https://ntia.gov/page/software-bill-materials">Guidance from NTIA</a></li><li>NTIAs list of <a href="https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf">Minimum Elements for an SBOM (2021)</a></li><li><a href="https://www.cisa.gov/sbom">Guidance from CISA</a></li></ul></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>SBOM videos from NTIA</h1><p>The National Telecommunications and Information Administration (NTIA) has produced a series of explainer videos about Software Bill of Materials (SBOM) that can help you understand their value and how to use them.</p><p><a href="https://www.youtube.com/watch?v=6yljBKKl8Vo&amp;list=PLO2lqCK7WyTDpVmcHsy6R2HWftFkUp6zG&amp;index=1">See the playlist</a></p></section><div class="text-block text-block--theme-explainer"><h2>SBOM adoption at CMS</h2><p>CMS is working to align its cybersecurity strategy with federal government standards, including the <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">Executive Order on Improving the Nations Cybersecurity</a> (2021), which calls for enhanced software supply chain risk management across government agencies. Incorporating SBOMs into this overall strategy&nbsp; will help CMS mitigate weaknesses in its software supply chain and prevent threats from bad actors that seek to compromise government systems.</p><p>Like all modernization efforts, the full-scale adoption and utilization of SBOMs at CMS will take some time. The effective use of SBOMs depends on their completeness and quality as well as the tooling used to “consume” the SBOMs in order to make sense of the data they provide.</p><h2>Contact</h2><p>While we are determining our strategy and technology for implementing SBOMs effectively, system teams and Business Owners with questions about the secure and approved usage of SaaS products should get in touch with the CMS SaaS Governance (SaaSG) team:</p><p>Email: <a href="mailto:saasg@cms.hhs.gov"><strong>saasg@cms.hhs.gov</strong></a></p><p>CMS Slack: <strong>#ispg-saas-governance</strong></p></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/saas-governance-saasg">SaaS Governance (SaaSG)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Considerations and guidelines for CMS business units wanting to use SaaS applications</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/posts/executive-order-improving-nations-cybersecurity-what-it-means-you">Executive Order on Improving the Nations Cybersecurity: What it means for you</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Learn about the latest federal cybersecurity guidance from the White House and its application at CMS
</p></div></div></li></ul></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"software-bill-materials-sbom\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"software-bill-materials-sbom\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"software-bill-materials-sbom\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"software-bill-materials-sbom\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:T702,\u003ch2\u003e\u003cstrong\u003eWhat is an SBOM?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA “Software Bill of Materials” (SBOM) is a list of all the open-source and third-party components present in a systems code. An SBOM lists the licenses that govern the components, the versions of the components used in the code, and their patch status, which allows for quick identification of any security or license risk.\u003c/p\u003e\u003cp\u003eSBOMs are becoming an important part of how government agencies strengthen their software security by identifying and managing risks in the software supply chain. For federal information technology systems, SBOMs support:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTransparency - \u003c/strong\u003eOrganizations are more aware of the component parts of their software and can make better security decisions based on that knowledge.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVulnerability tracking - \u003c/strong\u003eKnown vulnerabilities for each component can be tracked as software updates are made, resulting in a more accurate understanding of a projects overall system risk.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAuditing - \u003c/strong\u003eKnowing a systems component parts and any related risks ensures that only authorized dependencies are included in a software project.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFederal guidance on SBOM\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFederal authorities such as the National Telecommunications and Information Administration (NTIA) and the Cybersecurity Infrastructure Agency (CISA) provide information about the use of SBOMs and the importance of their adoption by government agencies:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://ntia.gov/page/software-bill-materials\"\u003eGuidance from NTIA\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNTIAs list of \u003ca href=\"https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_repo"])</script><script>self.__next_f.push([1,"rt.pdf\"\u003eMinimum Elements for an SBOM (2021)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/sbom\"\u003eGuidance from CISA\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e19:T702,\u003ch2\u003e\u003cstrong\u003eWhat is an SBOM?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA “Software Bill of Materials” (SBOM) is a list of all the open-source and third-party components present in a systems code. An SBOM lists the licenses that govern the components, the versions of the components used in the code, and their patch status, which allows for quick identification of any security or license risk.\u003c/p\u003e\u003cp\u003eSBOMs are becoming an important part of how government agencies strengthen their software security by identifying and managing risks in the software supply chain. For federal information technology systems, SBOMs support:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTransparency - \u003c/strong\u003eOrganizations are more aware of the component parts of their software and can make better security decisions based on that knowledge.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVulnerability tracking - \u003c/strong\u003eKnown vulnerabilities for each component can be tracked as software updates are made, resulting in a more accurate understanding of a projects overall system risk.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAuditing - \u003c/strong\u003eKnowing a systems component parts and any related risks ensures that only authorized dependencies are included in a software project.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFederal guidance on SBOM\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFederal authorities such as the National Telecommunications and Information Administration (NTIA) and the Cybersecurity Infrastructure Agency (CISA) provide information about the use of SBOMs and the importance of their adoption by government agencies:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://ntia.gov/page/software-bill-materials\"\u003eGuidance from NTIA\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNTIAs list of \u003ca href=\"https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf\"\u003eMinimum Elements for an SBOM (2021)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/sbom\"\u003eGuidance from CISA\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e1a:T54e,\u003ch2\u003e\u003cstrong\u003eSBOM adoption at CMS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS is working to align its cybersecurity strategy with federal g"])</script><script>self.__next_f.push([1,"overnment standards, including the \u003ca href=\"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\"\u003eExecutive Order on Improving the Nations Cybersecurity\u003c/a\u003e (2021), which calls for enhanced software supply chain risk management across government agencies. Incorporating SBOMs into this overall strategy\u0026nbsp; will help CMS mitigate weaknesses in its software supply chain and prevent threats from bad actors that seek to compromise government systems.\u003c/p\u003e\u003cp\u003eLike all modernization efforts, the full-scale adoption and utilization of SBOMs at CMS will take some time. The effective use of SBOMs depends on their completeness and quality as well as the tooling used to “consume” the SBOMs in order to make sense of the data they provide.\u003c/p\u003e\u003ch2\u003eContact\u003c/h2\u003e\u003cp\u003eWhile we are determining our strategy and technology for implementing SBOMs effectively, system teams and Business Owners with questions about the secure and approved usage of SaaS products should get in touch with the CMS SaaS Governance (SaaSG) team:\u003c/p\u003e\u003cp\u003eEmail: \u003ca href=\"mailto:saasg@cms.hhs.gov\"\u003e\u003cstrong\u003esaasg@cms.hhs.gov\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003cp\u003eCMS Slack: \u003cstrong\u003e#ispg-saas-governance\u003c/strong\u003e\u003c/p\u003e1b:T54e,\u003ch2\u003e\u003cstrong\u003eSBOM adoption at CMS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS is working to align its cybersecurity strategy with federal government standards, including the \u003ca href=\"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\"\u003eExecutive Order on Improving the Nations Cybersecurity\u003c/a\u003e (2021), which calls for enhanced software supply chain risk management across government agencies. Incorporating SBOMs into this overall strategy\u0026nbsp; will help CMS mitigate weaknesses in its software supply chain and prevent threats from bad actors that seek to compromise government systems.\u003c/p\u003e\u003cp\u003eLike all modernization efforts, the full-scale adoption and utilization of SBOMs at CMS will take some time. The effective use of SBOMs depends o"])</script><script>self.__next_f.push([1,"n their completeness and quality as well as the tooling used to “consume” the SBOMs in order to make sense of the data they provide.\u003c/p\u003e\u003ch2\u003eContact\u003c/h2\u003e\u003cp\u003eWhile we are determining our strategy and technology for implementing SBOMs effectively, system teams and Business Owners with questions about the secure and approved usage of SaaS products should get in touch with the CMS SaaS Governance (SaaSG) team:\u003c/p\u003e\u003cp\u003eEmail: \u003ca href=\"mailto:saasg@cms.hhs.gov\"\u003e\u003cstrong\u003esaasg@cms.hhs.gov\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003cp\u003eCMS Slack: \u003cstrong\u003e#ispg-saas-governance\u003c/strong\u003e\u003c/p\u003e1c:T9fd,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the Executive Order?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe \u003ca href=\"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\"\u003eExecutive Order on Improving the Nation's Cybersecurity (Executive Order 14028)\u003c/a\u003e is an important step forward in protecting Americans from cyber threats. The order, signed by President Biden on May 11, 2021, focuses on strengthening the cybersecurity of the federal government, critical infrastructure, and the private sector.\u003c/p\u003e\u003cp\u003eThe order requires federal agencies to adopt and implement a series of measures to improve their cybersecurity. These measures include developing a cybersecurity risk management program, conducting regular risk assessments, and implementing measures to protect against attacks and reduce cyber risk. It also requires agencies to implement multi-factor authentication to better protect against account hijacking, and to use encryption to protect data and communications.\u003c/p\u003e\u003cp\u003eIn addition, the order calls for the creation of a Cybersecurity Safety Review Board. This board will be charged with reviewing and assessing the effectiveness of the cybersecurity measures being implemented by the federal government and by critical infrastructure. It will also review cybersecurity incidents that have occurred and make recommendations for improving the nation's cybersecurity posture.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat does this mean for CMS?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) is taking steps to improve its cybersecurity posture, including strengthening its identity and access management, network monitoring and detection, and incident response capabilities. Additionally, CMS is working with its partners to identify areas of improvement and to develop and implement new and enhanced security controls. CMS is also focused on increasing employee awareness of cybersecurity threats and best practices. Finally, CMS is actively engaging with the healthcare industry to ensure that all organizations are taking the necessary steps to safeguard patient health data.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow is ISPG involved?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eISPG is at the forefront of the efforts to:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eImprove incident response practices\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplement new security controls with the adoption of the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eAcceptable Risk Safeguards (ARS) 5.0\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCreate a culture of cybersecurity awareness through training\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1d:T9fd,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the Executive Order?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe \u003ca href=\"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\"\u003eExecutive Order on Improving the Nation's Cybersecurity (Executive Order 14028)\u003c/a\u003e is an important step forward in protecting Americans from cyber threats. The order, signed by President Biden on May 11, 2021, focuses on strengthening the cybersecurity of the federal government, critical infrastructure, and the private sector.\u003c/p\u003e\u003cp\u003eThe order requires federal agencies to adopt and implement a series of measures to improve their cybersecurity. These measures include developing a cybersecurity risk management program, conducting regular risk assessments, and implementing measures to protect against attacks and reduce cyber risk. It also requires agencies to implement multi-factor authentication to better protect against account hijacking, and to use encryption to protect data and communications.\u003c/p\u003e\u003cp\u003eIn addition, the order calls for the creation of a Cybersecurity Safety Review Board. This board will be charged with reviewing and assessing the effectiveness of the cybersecurity measures being implemented by the federal government and by critical infrastructure. It will also review cybersecurity incidents that have occurred and make recommendations for improving the nation's cybersecurity posture.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat does this mean for CMS?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) is taking steps to improve its cybersecurity posture, including strengthening its identity and access management, network monitoring and detection, and incident response capabilities. Additionally, CMS is working with its partners to identify areas of improvement and to develop and implement new and enhanced security controls. CMS is also focused on increasing employee awareness of cybersecurity threats and best practices. Finally, CMS is actively engaging with the healthcare industry to ensure that all organizations are taking the necessary steps to safeguard patient health data.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow is ISPG involved?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eISPG is at the forefront of the efforts to:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eImprove incident response practices\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplement new security controls with the adoption of the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eAcceptable Risk Safeguards (ARS) 5.0\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCreate a culture of cybersecurity awareness through training\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"20:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1f:{\"self\":\"$20\"}\n23:[\"menu_ui\",\"scheduler\"]\n22:{\"module\":\"$23\"}\n26:[]\n25:{\"available_menus\":\"$26\",\"parent\":\"\"}\n27:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n24:{\"menu_ui\":\"$25\",\"scheduler\":\"$27\"}\n21:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$22\",\"third_party_settings\":\"$24\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1e:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1f\",\"attributes\":\"$21\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/663db243-0ec9-4d3f-9589-5a0ed308fbbc\"}\n29:{\"self\":\"$2a\"}\n2b:{\"display_name\":\"alex.kerr\"}\n28:{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"links\":\"$29\",\"attributes\":\"$2b\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}\n2d:{\"self\":\"$2e\"}\n2f:{\"display_name\":\"mburgess\"}\n2c:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":\"$2d\",\"attributes\":\"$2f\"}\n32:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}\n31:{\"self\":\"$32\"}\n34:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n33:{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"d"])</script><script>self.__next_f.push([1,"efault_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$34\"}\n38:{\"drupal_internal__target_id\":\"resource_type\"}\n37:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$38\"}\n3a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"}\n3b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}\n39:{\"related\":\"$3a\",\"self\":\"$3b\"}\n36:{\"data\":\"$37\",\"links\":\"$39\"}\n3e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"}\n3f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}\n3d:{\"related\":\"$3e\",\"self\":\"$3f\"}\n3c:{\"data\":null,\"links\":\"$3d\"}\n46:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n45:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$46\"}\n44:{\"help\":\"$45\"}\n43:{\"links\":\"$44\"}\n42:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$43\"}\n41:[\"$42\"]\n48:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"}\n49:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}\n47:{\"related\":\"$48\",\"self\":\"$49\"}\n40:{\"data\":\"$41\",\"links\":\"$47\"}\n35:{\"vid\":\"$36\",\"revision_user\":\"$3c\",\"parent\":\"$40\"}\n30:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":\"$31\",\"attributes\":\"$33\",\"relationships\":\"$35\"}\n4c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n4b:{\"self\":\"$4c\"}\n4e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4d:{\"drupal_internal__"])</script><script>self.__next_f.push([1,"tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4e\"}\n52:{\"drupal_internal__target_id\":\"roles\"}\n51:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$52\"}\n54:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n55:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n53:{\"related\":\"$54\",\"self\":\"$55\"}\n50:{\"data\":\"$51\",\"links\":\"$53\"}\n58:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n59:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n57:{\"related\":\"$58\",\"self\":\"$59\"}\n56:{\"data\":null,\"links\":\"$57\"}\n60:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n5f:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$60\"}\n5e:{\"help\":\"$5f\"}\n5d:{\"links\":\"$5e\"}\n5c:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$5d\"}\n5b:[\"$5c\"]\n62:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n63:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n61:{\"related\":\"$62\",\"self\":\"$63\"}\n5a:{\"data\":\"$5b\",\"links\":\"$61\"}\n4f:{\"vid\":\"$50\",\"revision_user\":\"$56\",\"parent\":\"$5a\"}\n4a:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$4b\",\"attributes\":\"$4d\",\"relationships\":\"$4f\"}\n66:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxon"])</script><script>self.__next_f.push([1,"omy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n65:{\"self\":\"$66\"}\n68:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n67:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$68\"}\n6c:{\"drupal_internal__target_id\":\"roles\"}\n6b:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$6c\"}\n6e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n6d:{\"related\":\"$6e\",\"self\":\"$6f\"}\n6a:{\"data\":\"$6b\",\"links\":\"$6d\"}\n72:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n73:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n71:{\"related\":\"$72\",\"self\":\"$73\"}\n70:{\"data\":null,\"links\":\"$71\"}\n7a:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n79:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$7a\"}\n78:{\"help\":\"$79\"}\n77:{\"links\":\"$78\"}\n76:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$77\"}\n75:[\"$76\"]\n7c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n7d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n7b:{\"related\":\"$7c\",\"self\":\"$7d\"}\n74:{\"data\":\"$75\",\"links\":\"$7b\"}\n69:{\"vid\":\"$6a\",\"revision_user\":\"$70\",\"parent\":\"$74\"}\n64:{\"type\":\"taxonomy_term--roles\",\"id\":\"f"])</script><script>self.__next_f.push([1,"591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$65\",\"attributes\":\"$67\",\"relationships\":\"$69\"}\n80:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\n7f:{\"self\":\"$80\"}\n82:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n81:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$82\"}\n86:{\"drupal_internal__target_id\":\"roles\"}\n85:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$86\"}\n88:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\n87:{\"related\":\"$88\",\"self\":\"$89\"}\n84:{\"data\":\"$85\",\"links\":\"$87\"}\n8c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\n8d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\n8b:{\"related\":\"$8c\",\"self\":\"$8d\"}\n8a:{\"data\":null,\"links\":\"$8b\"}\n94:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n93:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$94\"}\n92:{\"help\":\"$93\"}\n91:{\"links\":\"$92\"}\n90:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$91\"}\n8f:[\"$90\"]\n96:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\n97:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\n95:{\"related\":\"$96\",\"self\":\""])</script><script>self.__next_f.push([1,"$97\"}\n8e:{\"data\":\"$8f\",\"links\":\"$95\"}\n83:{\"vid\":\"$84\",\"revision_user\":\"$8a\",\"parent\":\"$8e\"}\n7e:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":\"$7f\",\"attributes\":\"$81\",\"relationships\":\"$83\"}\n9a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c?resourceVersion=id%3A41\"}\n99:{\"self\":\"$9a\"}\n9c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n9b:{\"drupal_internal__tid\":41,\"drupal_internal__revision_id\":41,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:04+00:00\",\"status\":true,\"name\":\"Application Security\",\"description\":null,\"weight\":0,\"changed\":\"2022-09-28T21:04:30+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$9c\"}\na0:{\"drupal_internal__target_id\":\"topics\"}\n9f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$a0\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/vid?resourceVersion=id%3A41\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/vid?resourceVersion=id%3A41\"}\na1:{\"related\":\"$a2\",\"self\":\"$a3\"}\n9e:{\"data\":\"$9f\",\"links\":\"$a1\"}\na6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/revision_user?resourceVersion=id%3A41\"}\na7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/revision_user?resourceVersion=id%3A41\"}\na5:{\"related\":\"$a6\",\"self\":\"$a7\"}\na4:{\"data\":null,\"links\":\"$a5\"}\nae:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nad:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$ae\"}\nac:{\"help\":\"$ad\"}\nab:{\"links\":\"$ac\"}\naa:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$ab\"}\na9:[\"$aa\"]\nb0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/parent?resourceVersion=id%3A41\"}\nb1:{\"href\":\"https://cybergeek"])</script><script>self.__next_f.push([1,".cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/parent?resourceVersion=id%3A41\"}\naf:{\"related\":\"$b0\",\"self\":\"$b1\"}\na8:{\"data\":\"$a9\",\"links\":\"$af\"}\n9d:{\"vid\":\"$9e\",\"revision_user\":\"$a4\",\"parent\":\"$a8\"}\n98:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"links\":\"$99\",\"attributes\":\"$9b\",\"relationships\":\"$9d\"}\nb4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}\nb3:{\"self\":\"$b4\"}\nb6:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb5:{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b6\"}\nba:{\"drupal_internal__target_id\":\"topics\"}\nb9:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$ba\"}\nbc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"}\nbd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}\nbb:{\"related\":\"$bc\",\"self\":\"$bd\"}\nb8:{\"data\":\"$b9\",\"links\":\"$bb\"}\nc0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"}\nc1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}\nbf:{\"related\":\"$c0\",\"self\":\"$c1\"}\nbe:{\"data\":null,\"links\":\"$bf\"}\nc8:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nc7:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c8\"}\nc6:{\"help\":\"$c7\"}\nc5:{\"links\":\"$c6\"}\nc4:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$c5\"}\nc3:[\"$c4\"]\nca:{\"hre"])</script><script>self.__next_f.push([1,"f\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"}\ncb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}\nc9:{\"related\":\"$ca\",\"self\":\"$cb\"}\nc2:{\"data\":\"$c3\",\"links\":\"$c9\"}\nb7:{\"vid\":\"$b8\",\"revision_user\":\"$be\",\"parent\":\"$c2\"}\nb2:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":\"$b3\",\"attributes\":\"$b5\",\"relationships\":\"$b7\"}\nce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/13b80850-5640-4bde-8bbe-24310feb7831?resourceVersion=id%3A16246\"}\ncd:{\"self\":\"$ce\"}\nd0:[]\nd2:T702,\u003ch2\u003e\u003cstrong\u003eWhat is an SBOM?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA “Software Bill of Materials” (SBOM) is a list of all the open-source and third-party components present in a systems code. An SBOM lists the licenses that govern the components, the versions of the components used in the code, and their patch status, which allows for quick identification of any security or license risk.\u003c/p\u003e\u003cp\u003eSBOMs are becoming an important part of how government agencies strengthen their software security by identifying and managing risks in the software supply chain. For federal information technology systems, SBOMs support:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTransparency - \u003c/strong\u003eOrganizations are more aware of the component parts of their software and can make better security decisions based on that knowledge.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVulnerability tracking - \u003c/strong\u003eKnown vulnerabilities for each component can be tracked as software updates are made, resulting in a more accurate understanding of a projects overall system risk.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAuditing - \u003c/strong\u003eKnowing a systems component parts and any related risks ensures that only authorized dependencies are included in a software project.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFederal guidance on SBOM\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFederal authorities such as the National Telecommunications and Information Administration (NTIA) and the Cybersecurity Infrastr"])</script><script>self.__next_f.push([1,"ucture Agency (CISA) provide information about the use of SBOMs and the importance of their adoption by government agencies:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://ntia.gov/page/software-bill-materials\"\u003eGuidance from NTIA\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNTIAs list of \u003ca href=\"https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf\"\u003eMinimum Elements for an SBOM (2021)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/sbom\"\u003eGuidance from CISA\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003ed3:T702,\u003ch2\u003e\u003cstrong\u003eWhat is an SBOM?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA “Software Bill of Materials” (SBOM) is a list of all the open-source and third-party components present in a systems code. An SBOM lists the licenses that govern the components, the versions of the components used in the code, and their patch status, which allows for quick identification of any security or license risk.\u003c/p\u003e\u003cp\u003eSBOMs are becoming an important part of how government agencies strengthen their software security by identifying and managing risks in the software supply chain. For federal information technology systems, SBOMs support:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTransparency - \u003c/strong\u003eOrganizations are more aware of the component parts of their software and can make better security decisions based on that knowledge.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVulnerability tracking - \u003c/strong\u003eKnown vulnerabilities for each component can be tracked as software updates are made, resulting in a more accurate understanding of a projects overall system risk.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAuditing - \u003c/strong\u003eKnowing a systems component parts and any related risks ensures that only authorized dependencies are included in a software project.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFederal guidance on SBOM\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFederal authorities such as the National Telecommunications and Information Administration (NTIA) and the Cybersecurity Infrastructure Agency (CISA) provide information about the use of SBOMs and the importance of their adoption by government agencies:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://ntia.gov/page/software-bill-materials\"\u003eGuidance from NTIA\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNTIAs list of \u003ca hre"])</script><script>self.__next_f.push([1,"f=\"https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf\"\u003eMinimum Elements for an SBOM (2021)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/sbom\"\u003eGuidance from CISA\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003ed1:{\"value\":\"$d2\",\"format\":\"body_text\",\"processed\":\"$d3\"}\ncf:{\"drupal_internal__id\":2806,\"drupal_internal__revision_id\":16246,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-20T16:36:07+00:00\",\"parent_id\":\"851\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$d0\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$d1\"}\nd7:{\"drupal_internal__target_id\":\"page_section\"}\nd6:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$d7\"}\nd9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/13b80850-5640-4bde-8bbe-24310feb7831/paragraph_type?resourceVersion=id%3A16246\"}\nda:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/13b80850-5640-4bde-8bbe-24310feb7831/relationships/paragraph_type?resourceVersion=id%3A16246\"}\nd8:{\"related\":\"$d9\",\"self\":\"$da\"}\nd5:{\"data\":\"$d6\",\"links\":\"$d8\"}\ndd:{\"target_revision_id\":16245,\"drupal_internal__target_id\":2801}\ndc:{\"type\":\"paragraph--call_out_box\",\"id\":\"c42c665f-aca6-4b61-9083-28eb938db0b8\",\"meta\":\"$dd\"}\ndf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/13b80850-5640-4bde-8bbe-24310feb7831/field_specialty_item?resourceVersion=id%3A16246\"}\ne0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/13b80850-5640-4bde-8bbe-24310feb7831/relationships/field_specialty_item?resourceVersion=id%3A16246\"}\nde:{\"related\":\"$df\",\"self\":\"$e0\"}\ndb:{\"data\":\"$dc\",\"links\":\"$de\"}\nd4:{\"paragraph_type\":\"$d5\",\"field_specialty_item\":\"$db\"}\ncc:{\"type\":\"paragraph--page_section\",\"id\":\"13b80850-5640-4bde-8bbe-24310feb7831\",\"links\":\"$cd\",\"attributes\":\"$cf\",\"relationships\":\"$d4\"}\ne3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6f4e3323-98c9-4f4f-b2b7-62a581f7e16f?resourceVersion=id%3A16247\"}\ne2:{\"self\":\"$e3\"}\ne5:[]\ne7:T54e,\u003ch2\u003e\u003cstrong\u003e"])</script><script>self.__next_f.push([1,"SBOM adoption at CMS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS is working to align its cybersecurity strategy with federal government standards, including the \u003ca href=\"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\"\u003eExecutive Order on Improving the Nations Cybersecurity\u003c/a\u003e (2021), which calls for enhanced software supply chain risk management across government agencies. Incorporating SBOMs into this overall strategy\u0026nbsp; will help CMS mitigate weaknesses in its software supply chain and prevent threats from bad actors that seek to compromise government systems.\u003c/p\u003e\u003cp\u003eLike all modernization efforts, the full-scale adoption and utilization of SBOMs at CMS will take some time. The effective use of SBOMs depends on their completeness and quality as well as the tooling used to “consume” the SBOMs in order to make sense of the data they provide.\u003c/p\u003e\u003ch2\u003eContact\u003c/h2\u003e\u003cp\u003eWhile we are determining our strategy and technology for implementing SBOMs effectively, system teams and Business Owners with questions about the secure and approved usage of SaaS products should get in touch with the CMS SaaS Governance (SaaSG) team:\u003c/p\u003e\u003cp\u003eEmail: \u003ca href=\"mailto:saasg@cms.hhs.gov\"\u003e\u003cstrong\u003esaasg@cms.hhs.gov\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003cp\u003eCMS Slack: \u003cstrong\u003e#ispg-saas-governance\u003c/strong\u003e\u003c/p\u003ee8:T54e,\u003ch2\u003e\u003cstrong\u003eSBOM adoption at CMS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS is working to align its cybersecurity strategy with federal government standards, including the \u003ca href=\"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\"\u003eExecutive Order on Improving the Nations Cybersecurity\u003c/a\u003e (2021), which calls for enhanced software supply chain risk management across government agencies. Incorporating SBOMs into this overall strategy\u0026nbsp; will help CMS mitigate weaknesses in its software supply chain and prevent threats from bad actors that seek to compromise government systems.\u003c/p\u003e\u003cp\u003eLike all modernization efforts, the full-sc"])</script><script>self.__next_f.push([1,"ale adoption and utilization of SBOMs at CMS will take some time. The effective use of SBOMs depends on their completeness and quality as well as the tooling used to “consume” the SBOMs in order to make sense of the data they provide.\u003c/p\u003e\u003ch2\u003eContact\u003c/h2\u003e\u003cp\u003eWhile we are determining our strategy and technology for implementing SBOMs effectively, system teams and Business Owners with questions about the secure and approved usage of SaaS products should get in touch with the CMS SaaS Governance (SaaSG) team:\u003c/p\u003e\u003cp\u003eEmail: \u003ca href=\"mailto:saasg@cms.hhs.gov\"\u003e\u003cstrong\u003esaasg@cms.hhs.gov\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003cp\u003eCMS Slack: \u003cstrong\u003e#ispg-saas-governance\u003c/strong\u003e\u003c/p\u003ee6:{\"value\":\"$e7\",\"format\":\"body_text\",\"processed\":\"$e8\"}\ne4:{\"drupal_internal__id\":2811,\"drupal_internal__revision_id\":16247,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-20T16:37:05+00:00\",\"parent_id\":\"851\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$e5\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$e6\"}\nec:{\"drupal_internal__target_id\":\"page_section\"}\neb:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$ec\"}\nee:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6f4e3323-98c9-4f4f-b2b7-62a581f7e16f/paragraph_type?resourceVersion=id%3A16247\"}\nef:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6f4e3323-98c9-4f4f-b2b7-62a581f7e16f/relationships/paragraph_type?resourceVersion=id%3A16247\"}\ned:{\"related\":\"$ee\",\"self\":\"$ef\"}\nea:{\"data\":\"$eb\",\"links\":\"$ed\"}\nf2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6f4e3323-98c9-4f4f-b2b7-62a581f7e16f/field_specialty_item?resourceVersion=id%3A16247\"}\nf3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6f4e3323-98c9-4f4f-b2b7-62a581f7e16f/relationships/field_specialty_item?resourceVersion=id%3A16247\"}\nf1:{\"related\":\"$f2\",\"self\":\"$f3\"}\nf0:{\"data\":null,\"links\":\"$f1\"}\ne9:{\"paragraph_type\":\"$ea\",\"field_specialty_item\":\"$f0\"}\ne1:{\"type\":\"para"])</script><script>self.__next_f.push([1,"graph--page_section\",\"id\":\"6f4e3323-98c9-4f4f-b2b7-62a581f7e16f\",\"links\":\"$e2\",\"attributes\":\"$e4\",\"relationships\":\"$e9\"}\nf6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/c42c665f-aca6-4b61-9083-28eb938db0b8?resourceVersion=id%3A16245\"}\nf5:{\"self\":\"$f6\"}\nf8:[]\nfa:[]\nf9:{\"uri\":\"https://www.youtube.com/watch?v=6yljBKKl8Vo\u0026list=PLO2lqCK7WyTDpVmcHsy6R2HWftFkUp6zG\u0026index=1\",\"title\":\"\",\"options\":\"$fa\",\"url\":\"https://www.youtube.com/watch?v=6yljBKKl8Vo\u0026list=PLO2lqCK7WyTDpVmcHsy6R2HWftFkUp6zG\u0026index=1\"}\nfb:{\"value\":\"The National Telecommunications and Information Administration (NTIA) has produced a series of explainer videos about Software Bill of Materials (SBOM) that can help you understand their value and how to use them.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThe National Telecommunications and Information Administration (NTIA) has produced a series of explainer videos about Software Bill of Materials (SBOM) that can help you understand their value and how to use them.\u003c/p\u003e\\n\"}\nf7:{\"drupal_internal__id\":2801,\"drupal_internal__revision_id\":16245,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-20T16:36:07+00:00\",\"parent_id\":\"2806\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$f8\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":\"$f9\",\"field_call_out_link_text\":\"See the playlist\",\"field_call_out_text\":\"$fb\",\"field_header\":\"SBOM videos from NTIA\"}\nff:{\"drupal_internal__target_id\":\"call_out_box\"}\nfe:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$ff\"}\n101:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/c42c665f-aca6-4b61-9083-28eb938db0b8/paragraph_type?resourceVersion=id%3A16245\"}\n102:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/c42c665f-aca6-4b61-9083-28eb938db0b8/relationships/paragraph_type?resourceVersion=id%3A16245\"}\n100:{\"related\":\"$101\",\"self\":\"$102\"}\nfd:{\"data\":\"$fe\",\"links\":\"$100\"}\nfc:{\"paragraph_type\":\"$fd\"}\nf4:{\"type\":\"paragraph-"])</script><script>self.__next_f.push([1,"-call_out_box\",\"id\":\"c42c665f-aca6-4b61-9083-28eb938db0b8\",\"links\":\"$f5\",\"attributes\":\"$f7\",\"relationships\":\"$fc\"}\n105:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/0a2d57c8-01b3-4087-8fa7-8ef0044e662b?resourceVersion=id%3A16248\"}\n104:{\"self\":\"$105\"}\n107:[]\n106:{\"drupal_internal__id\":3453,\"drupal_internal__revision_id\":16248,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-29T14:21:48+00:00\",\"parent_id\":\"851\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$107\",\"default_langcode\":true,\"revision_translation_affected\":true}\n10b:{\"drupal_internal__target_id\":\"internal_link\"}\n10a:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$10b\"}\n10d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/0a2d57c8-01b3-4087-8fa7-8ef0044e662b/paragraph_type?resourceVersion=id%3A16248\"}\n10e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/0a2d57c8-01b3-4087-8fa7-8ef0044e662b/relationships/paragraph_type?resourceVersion=id%3A16248\"}\n10c:{\"related\":\"$10d\",\"self\":\"$10e\"}\n109:{\"data\":\"$10a\",\"links\":\"$10c\"}\n111:{\"drupal_internal__target_id\":736}\n110:{\"type\":\"node--explainer\",\"id\":\"96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a\",\"meta\":\"$111\"}\n113:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/0a2d57c8-01b3-4087-8fa7-8ef0044e662b/field_link?resourceVersion=id%3A16248\"}\n114:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/0a2d57c8-01b3-4087-8fa7-8ef0044e662b/relationships/field_link?resourceVersion=id%3A16248\"}\n112:{\"related\":\"$113\",\"self\":\"$114\"}\n10f:{\"data\":\"$110\",\"links\":\"$112\"}\n108:{\"paragraph_type\":\"$109\",\"field_link\":\"$10f\"}\n103:{\"type\":\"paragraph--internal_link\",\"id\":\"0a2d57c8-01b3-4087-8fa7-8ef0044e662b\",\"links\":\"$104\",\"attributes\":\"$106\",\"relationships\":\"$108\"}\n117:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1ddadcf3-87d4-44f4-8d92-44bdd359f870?resourceVersion=id%3A16249\"}\n116:{\"self\":\"$117\"}\n119:[]\n118:{\"drupal_internal__id\":3454,\"drupal_inte"])</script><script>self.__next_f.push([1,"rnal__revision_id\":16249,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-29T14:28:12+00:00\",\"parent_id\":\"851\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$119\",\"default_langcode\":true,\"revision_translation_affected\":true}\n11d:{\"drupal_internal__target_id\":\"internal_link\"}\n11c:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$11d\"}\n11f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1ddadcf3-87d4-44f4-8d92-44bdd359f870/paragraph_type?resourceVersion=id%3A16249\"}\n120:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1ddadcf3-87d4-44f4-8d92-44bdd359f870/relationships/paragraph_type?resourceVersion=id%3A16249\"}\n11e:{\"related\":\"$11f\",\"self\":\"$120\"}\n11b:{\"data\":\"$11c\",\"links\":\"$11e\"}\n123:{\"drupal_internal__target_id\":1006}\n122:{\"type\":\"node--blog\",\"id\":\"bc27186f-c3a4-490d-b541-021bf0ba3f82\",\"meta\":\"$123\"}\n125:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1ddadcf3-87d4-44f4-8d92-44bdd359f870/field_link?resourceVersion=id%3A16249\"}\n126:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1ddadcf3-87d4-44f4-8d92-44bdd359f870/relationships/field_link?resourceVersion=id%3A16249\"}\n124:{\"related\":\"$125\",\"self\":\"$126\"}\n121:{\"data\":\"$122\",\"links\":\"$124\"}\n11a:{\"paragraph_type\":\"$11b\",\"field_link\":\"$121\"}\n115:{\"type\":\"paragraph--internal_link\",\"id\":\"1ddadcf3-87d4-44f4-8d92-44bdd359f870\",\"links\":\"$116\",\"attributes\":\"$118\",\"relationships\":\"$11a\"}\n129:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a?resourceVersion=id%3A5934\"}\n12a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a?resourceVersion=rel%3Aworking-copy\"}\n128:{\"self\":\"$129\",\"working-copy\":\"$12a\"}\n12c:{\"alias\":\"/learn/saas-governance-saasg\",\"pid\":726,\"langcode\":\"en\"}\n12d:{\"value\":\"Considerations and guidelines for CMS business units wanting to use SaaS applications\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eConsiderations and g"])</script><script>self.__next_f.push([1,"uidelines for CMS business units wanting to use SaaS applications\u003c/p\u003e\\n\"}\n12e:[\"#ispg-saas-governance\"]\n12b:{\"drupal_internal__nid\":736,\"drupal_internal__vid\":5934,\"langcode\":\"en\",\"revision_timestamp\":\"2024-09-28T13:01:56+00:00\",\"status\":true,\"title\":\"SaaS Governance (SaaSG)\",\"created\":\"2023-02-13T19:52:17+00:00\",\"changed\":\"2024-09-28T13:01:56+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$12c\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"saasg@cms.hhs.gov\",\"field_contact_name\":\"SaaSG Team\",\"field_short_description\":\"$12d\",\"field_slack_channel\":\"$12e\"}\n132:{\"drupal_internal__target_id\":\"explainer\"}\n131:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$132\"}\n134:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/node_type?resourceVersion=id%3A5934\"}\n135:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/node_type?resourceVersion=id%3A5934\"}\n133:{\"related\":\"$134\",\"self\":\"$135\"}\n130:{\"data\":\"$131\",\"links\":\"$133\"}\n138:{\"drupal_internal__target_id\":6}\n137:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$138\"}\n13a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/revision_uid?resourceVersion=id%3A5934\"}\n13b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/revision_uid?resourceVersion=id%3A5934\"}\n139:{\"related\":\"$13a\",\"self\":\"$13b\"}\n136:{\"data\":\"$137\",\"links\":\"$139\"}\n13e:{\"drupal_internal__target_id\":6}\n13d:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$13e\"}\n140:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/uid?resourceVersion=id%3A5934\"}\n141:{\"href\":\"https://cybergeek"])</script><script>self.__next_f.push([1,".cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/uid?resourceVersion=id%3A5934\"}\n13f:{\"related\":\"$140\",\"self\":\"$141\"}\n13c:{\"data\":\"$13d\",\"links\":\"$13f\"}\n145:{\"target_revision_id\":19389,\"drupal_internal__target_id\":1446}\n144:{\"type\":\"paragraph--page_section\",\"id\":\"32796f74-9a4b-49be-b101-133dce4c4568\",\"meta\":\"$145\"}\n147:{\"target_revision_id\":19396,\"drupal_internal__target_id\":3528}\n146:{\"type\":\"paragraph--page_section\",\"id\":\"23cc1637-59ba-448f-8e17-e5aed202cb74\",\"meta\":\"$147\"}\n149:{\"target_revision_id\":19397,\"drupal_internal__target_id\":3529}\n148:{\"type\":\"paragraph--page_section\",\"id\":\"53da5747-8514-4ea5-9f3d-2905f9a61edb\",\"meta\":\"$149\"}\n14b:{\"target_revision_id\":19398,\"drupal_internal__target_id\":1451}\n14a:{\"type\":\"paragraph--page_section\",\"id\":\"c1fc448a-a41f-4061-9bc9-59b74374d79a\",\"meta\":\"$14b\"}\n143:[\"$144\",\"$146\",\"$148\",\"$14a\"]\n14d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_page_section?resourceVersion=id%3A5934\"}\n14e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_page_section?resourceVersion=id%3A5934\"}\n14c:{\"related\":\"$14d\",\"self\":\"$14e\"}\n142:{\"data\":\"$143\",\"links\":\"$14c\"}\n152:{\"target_revision_id\":19399,\"drupal_internal__target_id\":1671}\n151:{\"type\":\"paragraph--internal_link\",\"id\":\"e0d07bf6-c606-4a38-ba34-9521f9e77733\",\"meta\":\"$152\"}\n154:{\"target_revision_id\":19400,\"drupal_internal__target_id\":1676}\n153:{\"type\":\"paragraph--internal_link\",\"id\":\"be5c8dd0-860f-4570-bf13-358733b392ca\",\"meta\":\"$154\"}\n156:{\"target_revision_id\":19401,\"drupal_internal__target_id\":1681}\n155:{\"type\":\"paragraph--internal_link\",\"id\":\"10abb234-5289-40da-9df3-f4e6e9c06a80\",\"meta\":\"$156\"}\n150:[\"$151\",\"$153\",\"$155\"]\n158:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_related_collection?resourceVersion=id%3A5934\"}\n159:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_"])</script><script>self.__next_f.push([1,"related_collection?resourceVersion=id%3A5934\"}\n157:{\"related\":\"$158\",\"self\":\"$159\"}\n14f:{\"data\":\"$150\",\"links\":\"$157\"}\n15c:{\"drupal_internal__target_id\":121}\n15b:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$15c\"}\n15e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_resource_type?resourceVersion=id%3A5934\"}\n15f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_resource_type?resourceVersion=id%3A5934\"}\n15d:{\"related\":\"$15e\",\"self\":\"$15f\"}\n15a:{\"data\":\"$15b\",\"links\":\"$15d\"}\n163:{\"drupal_internal__target_id\":61}\n162:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$163\"}\n165:{\"drupal_internal__target_id\":76}\n164:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$165\"}\n161:[\"$162\",\"$164\"]\n167:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_roles?resourceVersion=id%3A5934\"}\n168:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_roles?resourceVersion=id%3A5934\"}\n166:{\"related\":\"$167\",\"self\":\"$168\"}\n160:{\"data\":\"$161\",\"links\":\"$166\"}\n16c:{\"drupal_internal__target_id\":41}\n16b:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":\"$16c\"}\n16e:{\"drupal_internal__target_id\":16}\n16d:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$16e\"}\n16a:[\"$16b\",\"$16d\"]\n170:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_topics?resourceVersion=id%3A5934\"}\n171:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_topics?resourceVersion=id%3A5934\"}\n16f:{\"related\":\"$170\",\"self\":\"$171\"}\n169:{\"data\":\"$16a\",\"links\":\"$16f\"}\n12f:{\"node_type\":\"$130\",\"revision_uid\":\"$136\",\"uid\":\"$13c\",\"field_page_section\":\"$142\",\"field_related_collec"])</script><script>self.__next_f.push([1,"tion\":\"$14f\",\"field_resource_type\":\"$15a\",\"field_roles\":\"$160\",\"field_topics\":\"$169\"}\n127:{\"type\":\"node--explainer\",\"id\":\"96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a\",\"links\":\"$128\",\"attributes\":\"$12b\",\"relationships\":\"$12f\"}\n174:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82?resourceVersion=id%3A5790\"}\n173:{\"self\":\"$174\"}\n176:{\"alias\":\"/posts/executive-order-improving-nations-cybersecurity-what-it-means-you\",\"pid\":861,\"langcode\":\"en\"}\n178:T9fd,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the Executive Order?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe \u003ca href=\"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\"\u003eExecutive Order on Improving the Nation's Cybersecurity (Executive Order 14028)\u003c/a\u003e is an important step forward in protecting Americans from cyber threats. The order, signed by President Biden on May 11, 2021, focuses on strengthening the cybersecurity of the federal government, critical infrastructure, and the private sector.\u003c/p\u003e\u003cp\u003eThe order requires federal agencies to adopt and implement a series of measures to improve their cybersecurity. These measures include developing a cybersecurity risk management program, conducting regular risk assessments, and implementing measures to protect against attacks and reduce cyber risk. It also requires agencies to implement multi-factor authentication to better protect against account hijacking, and to use encryption to protect data and communications.\u003c/p\u003e\u003cp\u003eIn addition, the order calls for the creation of a Cybersecurity Safety Review Board. This board will be charged with reviewing and assessing the effectiveness of the cybersecurity measures being implemented by the federal government and by critical infrastructure. It will also review cybersecurity incidents that have occurred and make recommendations for improving the nation's cybersecurity posture.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat does this mean for CMS?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) is taking steps to improve its cybersecurity posture, including strengthening its identity and access management, network monitoring and detection, and incident response capabilities. Additionally, CMS is working with its partners to identify areas of improvement and to develop and implement new and enhanced security controls. CMS is also focused on increasing employee awareness of cybersecurity threats and best practices. Finally, CMS is actively engaging with the healthcare industry to ensure that all organizations are taking the necessary steps to safeguard patient health data.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow is ISPG involved?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eISPG is at the forefront of the efforts to:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eImprove incident response practices\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplement new security controls with the adoption of the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eAcceptable Risk Safeguards (ARS) 5.0\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCreate a culture of cybersecurity awareness through training\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"179:T9fd,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the Executive Order?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe \u003ca href=\"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\"\u003eExecutive Order on Improving the Nation's Cybersecurity (Executive Order 14028)\u003c/a\u003e is an important step forward in protecting Americans from cyber threats. The order, signed by President Biden on May 11, 2021, focuses on strengthening the cybersecurity of the federal government, critical infrastructure, and the private sector.\u003c/p\u003e\u003cp\u003eThe order requires federal agencies to adopt and implement a series of measures to improve their cybersecurity. These measures include developing a cybersecurity risk management program, conducting regular risk assessments, and implementing measures to protect against attacks and reduce cyber risk. It also requires agencies to implement multi-factor authentication to better protect against account hijacking, and to use encryption to protect data and communications.\u003c/p\u003e\u003cp\u003eIn addition, the order calls for the creation of a Cybersecurity Safety Review Board. This board will be charged with reviewing and assessing the effectiveness of the cybersecurity measures being implemented by the federal government and by critical infrastructure. It will also review cybersecurity incidents that have occurred and make recommendations for improving the nation's cybersecurity posture.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat does this mean for CMS?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) is taking steps to improve its cybersecurity posture, including strengthening its identity and access management, network monitoring and detection, and incident response capabilities. Additionally, CMS is working with its partners to identify areas of improvement and to develop and implement new and enhanced security controls. CMS is also focused on increasing employee awareness of cybersecurity threats and best practices. Finally, CMS is actively engaging with the healthcare industry to ensure that all organizations are taking the necessary steps to safeguard patient health data.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow is ISPG involved?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eISPG is at the forefront of the efforts to:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eImprove incident response practices\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplement new security controls with the adoption of the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eAcceptable Risk Safeguards (ARS) 5.0\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCreate a culture of cybersecurity awareness through training\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"177:{\"value\":\"$178\",\"format\":\"body_text\",\"processed\":\"$179\",\"summary\":\"\"}\n17a:{\"value\":\"Learn about the latest federal cybersecurity guidance from the White House and its application at CMS\\r\\n\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eLearn about the latest federal cybersecurity guidance from the White House and its application at CMS\u003c/p\u003e\\n\"}\n175:{\"drupal_internal__nid\":1006,\"drupal_internal__vid\":5790,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-06T15:42:37+00:00\",\"status\":true,\"title\":\"Executive Order on Improving the Nations Cybersecurity: What it means for you\",\"created\":\"2023-05-26T00:00:00+00:00\",\"changed\":\"2024-08-06T15:42:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$176\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$177\",\"field_short_description\":\"$17a\",\"field_video_link\":null}\n17e:{\"drupal_internal__target_id\":\"blog\"}\n17d:{\"type\":\"node_type--node_type\",\"id\":\"f382c03e-0cc5-4892-aa46-653a2d90fc05\",\"meta\":\"$17e\"}\n180:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/node_type?resourceVersion=id%3A5790\"}\n181:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/node_type?resourceVersion=id%3A5790\"}\n17f:{\"related\":\"$180\",\"self\":\"$181\"}\n17c:{\"data\":\"$17d\",\"links\":\"$17f\"}\n184:{\"drupal_internal__target_id\":159}\n183:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":\"$184\"}\n186:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/revision_uid?resourceVersion=id%3A5790\"}\n187:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/revision_uid?resourceVersion=id%3A5790\"}\n185:{\"related\":\"$186\",\"self\":\"$187\"}\n182:{\"data\":\"$183\",\"links\":\"$185\"}\n18a:{\"drupal_internal__target_id\":26}\n189:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f"])</script><script>self.__next_f.push([1,"-859d-a759444160a4\",\"meta\":\"$18a\"}\n18c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/uid?resourceVersion=id%3A5790\"}\n18d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/uid?resourceVersion=id%3A5790\"}\n18b:{\"related\":\"$18c\",\"self\":\"$18d\"}\n188:{\"data\":\"$189\",\"links\":\"$18b\"}\n190:{\"drupal_internal__target_id\":221}\n18f:{\"type\":\"media--blog_cover_image\",\"id\":\"ddd76d53-b84b-4de2-8c73-73ed5072381e\",\"meta\":\"$190\"}\n192:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/field_cover_image?resourceVersion=id%3A5790\"}\n193:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/field_cover_image?resourceVersion=id%3A5790\"}\n191:{\"related\":\"$192\",\"self\":\"$193\"}\n18e:{\"data\":\"$18f\",\"links\":\"$191\"}\n196:{\"drupal_internal__target_id\":32}\n195:{\"type\":\"group--team\",\"id\":\"52b65a87-4029-4447-8e2a-19108d81273f\",\"meta\":\"$196\"}\n198:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/field_publisher_group?resourceVersion=id%3A5790\"}\n199:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/field_publisher_group?resourceVersion=id%3A5790\"}\n197:{\"related\":\"$198\",\"self\":\"$199\"}\n194:{\"data\":\"$195\",\"links\":\"$197\"}\n19c:{\"drupal_internal__target_id\":106}\n19b:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"cccd136f-b478-40f0-8ff8-fd73f75f4ab0\",\"meta\":\"$19c\"}\n19e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/field_resource_type?resourceVersion=id%3A5790\"}\n19f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/field_resource_type?resourceVersion=id%3A5790\"}\n19d:{\"related\":\"$19e\",\"self\":\"$19f\"}\n19a:{\"data\":\"$19b\",\"links\":\"$19d\"}\n1a3:{\"drupal_internal__target_id\":66}\n1a2:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$1a3\"}\n1a5:{\"drupal_internal__target_id\""])</script><script>self.__next_f.push([1,":81}\n1a4:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\"$1a5\"}\n1a7:{\"drupal_internal__target_id\":61}\n1a6:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$1a7\"}\n1a9:{\"drupal_internal__target_id\":76}\n1a8:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$1a9\"}\n1ab:{\"drupal_internal__target_id\":71}\n1aa:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$1ab\"}\n1a1:[\"$1a2\",\"$1a4\",\"$1a6\",\"$1a8\",\"$1aa\"]\n1ad:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/field_roles?resourceVersion=id%3A5790\"}\n1ae:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/field_roles?resourceVersion=id%3A5790\"}\n1ac:{\"related\":\"$1ad\",\"self\":\"$1ae\"}\n1a0:{\"data\":\"$1a1\",\"links\":\"$1ac\"}\n1b2:{\"drupal_internal__target_id\":16}\n1b1:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$1b2\"}\n1b4:{\"drupal_internal__target_id\":21}\n1b3:{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":\"$1b4\"}\n1b0:[\"$1b1\",\"$1b3\"]\n1b6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/field_topics?resourceVersion=id%3A5790\"}\n1b7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/field_topics?resourceVersion=id%3A5790\"}\n1b5:{\"related\":\"$1b6\",\"self\":\"$1b7\"}\n1af:{\"data\":\"$1b0\",\"links\":\"$1b5\"}\n17b:{\"node_type\":\"$17c\",\"revision_uid\":\"$182\",\"uid\":\"$188\",\"field_cover_image\":\"$18e\",\"field_publisher_group\":\"$194\",\"field_resource_type\":\"$19a\",\"field_roles\":\"$1a0\",\"field_topics\":\"$1af\"}\n172:{\"type\":\"node--blog\",\"id\":\"bc27186f-c3a4-490d-b541-021bf0ba3f82\",\"links\":\"$173\",\"attributes\":\"$175\",\"relationships\":\"$17b\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"601a2f62-ea7f-48d0-b3cc-d4f80901587f\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f?resourceVersion=id%3A5717\"}},\"attributes\":{\"drupal_internal__nid\":851,\"drupal_internal__vid\":5717,\"langcode\":\"en\",\"revision_timestamp\":\"2024-01-05T17:44:12+00:00\",\"status\":true,\"title\":\"Software Bill of Materials (SBOM)\",\"created\":\"2023-04-20T16:29:43+00:00\",\"changed\":\"2024-01-05T17:44:12+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":null,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/software-bill-materials-sbom\",\"pid\":821,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"saasg@cms.hhs.gov\",\"field_contact_name\":\"SaaS Governance Team\",\"field_short_description\":{\"value\":\"A structured list of the components and modules that make up a piece of software, and the supply chain relationships between them\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA structured list of the components and modules that make up a piece of software, and the supply chain relationships between them\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-saas-governance\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/node_type?resourceVersion=id%3A5717\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/relationships/node_type?resourceVersion=id%3A5717\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"meta\":{\"drupal_internal__target_id\":36}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/revision_uid?resourceVersion=id%3A5717\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/relationships/revision_uid?resourceVersion=id%3A5717\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/uid?resourceVersion=id%3A5717\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/relationships/uid?resourceVersion=id%3A5717\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"13b80850-5640-4bde-8bbe-24310feb7831\",\"meta\":{\"target_revision_id\":16246,\"drupal_internal__target_id\":2806}},{\"type\":\"paragraph--page_section\",\"id\":\"6f4e3323-98c9-4f4f-b2b7-62a581f7e16f\",\"meta\":{\"target_revision_id\":16247,\"drupal_internal__target_id\":2811}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/field_page_section?resourceVersion=id%3A5717\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/relationships/field_page_section?resourceVersion=id%3A5717\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"0a2d57c8-01b3-4087-8fa7-8ef0044e662b\",\"meta\":{\"target_revision_id\":16248,\"drupal_internal__target_id\":3453}},{\"type\":\"paragraph--internal_link\",\"id\":\"1ddadcf3-87d4-44f4-8d92-44bdd359f870\",\"meta\":{\"target_revision_id\":16249,\"drupal_internal__target_id\":3454}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/field_related_collection?resourceVersion=id%3A5717\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/relationships/field_related_collection?resourceVersion=id%3A5717\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/field_resource_type?resourceVersion=id%3A5717\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/relationships/field_resource_type?resourceVersion=id%3A5717\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/field_roles?resourceVersion=id%3A5717\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/relationships/field_roles?resourceVersion=id%3A5717\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/field_topics?resourceVersion=id%3A5717\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/601a2f62-ea7f-48d0-b3cc-d4f80901587f/relationships/field_topics?resourceVersion=id%3A5717\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/663db243-0ec9-4d3f-9589-5a0ed308fbbc\"}},\"attributes\":{\"display_name\":\"alex.kerr\"}},{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}},\"attributes\":{\"display_name\":\"mburgess\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}},\"attributes\":{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c?resourceVersion=id%3A41\"}},\"attributes\":{\"drupal_internal__tid\":41,\"drupal_internal__revision_id\":41,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:04+00:00\",\"status\":true,\"name\":\"Application Security\",\"description\":null,\"weight\":0,\"changed\":\"2022-09-28T21:04:30+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/vid?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/vid?resourceVersion=id%3A41\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/revision_user?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/revision_user?resourceVersion=id%3A41\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/parent?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/parent?resourceVersion=id%3A41\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}},\"attributes\":{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"13b80850-5640-4bde-8bbe-24310feb7831\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/13b80850-5640-4bde-8bbe-24310feb7831?resourceVersion=id%3A16246\"}},\"attributes\":{\"drupal_internal__id\":2806,\"drupal_internal__revision_id\":16246,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-20T16:36:07+00:00\",\"parent_id\":\"851\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/13b80850-5640-4bde-8bbe-24310feb7831/paragraph_type?resourceVersion=id%3A16246\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/13b80850-5640-4bde-8bbe-24310feb7831/relationships/paragraph_type?resourceVersion=id%3A16246\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id\":\"c42c665f-aca6-4b61-9083-28eb938db0b8\",\"meta\":{\"target_revision_id\":16245,\"drupal_internal__target_id\":2801}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/13b80850-5640-4bde-8bbe-24310feb7831/field_specialty_item?resourceVersion=id%3A16246\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/13b80850-5640-4bde-8bbe-24310feb7831/relationships/field_specialty_item?resourceVersion=id%3A16246\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"6f4e3323-98c9-4f4f-b2b7-62a581f7e16f\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6f4e3323-98c9-4f4f-b2b7-62a581f7e16f?resourceVersion=id%3A16247\"}},\"attributes\":{\"drupal_internal__id\":2811,\"drupal_internal__revision_id\":16247,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-20T16:37:05+00:00\",\"parent_id\":\"851\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6f4e3323-98c9-4f4f-b2b7-62a581f7e16f/paragraph_type?resourceVersion=id%3A16247\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6f4e3323-98c9-4f4f-b2b7-62a581f7e16f/relationships/paragraph_type?resourceVersion=id%3A16247\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6f4e3323-98c9-4f4f-b2b7-62a581f7e16f/field_specialty_item?resourceVersion=id%3A16247\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/6f4e3323-98c9-4f4f-b2b7-62a581f7e16f/relationships/field_specialty_item?resourceVersion=id%3A16247\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"c42c665f-aca6-4b61-9083-28eb938db0b8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/c42c665f-aca6-4b61-9083-28eb938db0b8?resourceVersion=id%3A16245\"}},\"attributes\":{\"drupal_internal__id\":2801,\"drupal_internal__revision_id\":16245,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-20T16:36:07+00:00\",\"parent_id\":\"2806\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":{\"uri\":\"https://www.youtube.com/watch?v=6yljBKKl8Vo\u0026list=PLO2lqCK7WyTDpVmcHsy6R2HWftFkUp6zG\u0026index=1\",\"title\":\"\",\"options\":[],\"url\":\"https://www.youtube.com/watch?v=6yljBKKl8Vo\u0026list=PLO2lqCK7WyTDpVmcHsy6R2HWftFkUp6zG\u0026index=1\"},\"field_call_out_link_text\":\"See the playlist\",\"field_call_out_text\":{\"value\":\"The National Telecommunications and Information Administration (NTIA) has produced a series of explainer videos about Software Bill of Materials (SBOM) that can help you understand their value and how to use them.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThe National Telecommunications and Information Administration (NTIA) has produced a series of explainer videos about Software Bill of Materials (SBOM) that can help you understand their value and how to use them.\u003c/p\u003e\\n\"},\"field_header\":\"SBOM videos from NTIA\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/c42c665f-aca6-4b61-9083-28eb938db0b8/paragraph_type?resourceVersion=id%3A16245\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/c42c665f-aca6-4b61-9083-28eb938db0b8/relationships/paragraph_type?resourceVersion=id%3A16245\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"0a2d57c8-01b3-4087-8fa7-8ef0044e662b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/0a2d57c8-01b3-4087-8fa7-8ef0044e662b?resourceVersion=id%3A16248\"}},\"attributes\":{\"drupal_internal__id\":3453,\"drupal_internal__revision_id\":16248,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-29T14:21:48+00:00\",\"parent_id\":\"851\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/0a2d57c8-01b3-4087-8fa7-8ef0044e662b/paragraph_type?resourceVersion=id%3A16248\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/0a2d57c8-01b3-4087-8fa7-8ef0044e662b/relationships/paragraph_type?resourceVersion=id%3A16248\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a\",\"meta\":{\"drupal_internal__target_id\":736}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/0a2d57c8-01b3-4087-8fa7-8ef0044e662b/field_link?resourceVersion=id%3A16248\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/0a2d57c8-01b3-4087-8fa7-8ef0044e662b/relationships/field_link?resourceVersion=id%3A16248\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"1ddadcf3-87d4-44f4-8d92-44bdd359f870\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1ddadcf3-87d4-44f4-8d92-44bdd359f870?resourceVersion=id%3A16249\"}},\"attributes\":{\"drupal_internal__id\":3454,\"drupal_internal__revision_id\":16249,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-29T14:28:12+00:00\",\"parent_id\":\"851\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1ddadcf3-87d4-44f4-8d92-44bdd359f870/paragraph_type?resourceVersion=id%3A16249\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1ddadcf3-87d4-44f4-8d92-44bdd359f870/relationships/paragraph_type?resourceVersion=id%3A16249\"}}},\"field_link\":{\"data\":{\"type\":\"node--blog\",\"id\":\"bc27186f-c3a4-490d-b541-021bf0ba3f82\",\"meta\":{\"drupal_internal__target_id\":1006}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1ddadcf3-87d4-44f4-8d92-44bdd359f870/field_link?resourceVersion=id%3A16249\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/1ddadcf3-87d4-44f4-8d92-44bdd359f870/relationships/field_link?resourceVersion=id%3A16249\"}}}}},{\"type\":\"node--explainer\",\"id\":\"96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a?resourceVersion=id%3A5934\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__nid\":736,\"drupal_internal__vid\":5934,\"langcode\":\"en\",\"revision_timestamp\":\"2024-09-28T13:01:56+00:00\",\"status\":true,\"title\":\"SaaS Governance (SaaSG)\",\"created\":\"2023-02-13T19:52:17+00:00\",\"changed\":\"2024-09-28T13:01:56+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/saas-governance-saasg\",\"pid\":726,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"saasg@cms.hhs.gov\",\"field_contact_name\":\"SaaSG Team\",\"field_short_description\":{\"value\":\"Considerations and guidelines for CMS business units wanting to use SaaS applications\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eConsiderations and guidelines for CMS business units wanting to use SaaS applications\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-saas-governance\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/node_type?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/node_type?resourceVersion=id%3A5934\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/revision_uid?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/revision_uid?resourceVersion=id%3A5934\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/uid?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/uid?resourceVersion=id%3A5934\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"32796f74-9a4b-49be-b101-133dce4c4568\",\"meta\":{\"target_revision_id\":19389,\"drupal_internal__target_id\":1446}},{\"type\":\"paragraph--page_section\",\"id\":\"23cc1637-59ba-448f-8e17-e5aed202cb74\",\"meta\":{\"target_revision_id\":19396,\"drupal_internal__target_id\":3528}},{\"type\":\"paragraph--page_section\",\"id\":\"53da5747-8514-4ea5-9f3d-2905f9a61edb\",\"meta\":{\"target_revision_id\":19397,\"drupal_internal__target_id\":3529}},{\"type\":\"paragraph--page_section\",\"id\":\"c1fc448a-a41f-4061-9bc9-59b74374d79a\",\"meta\":{\"target_revision_id\":19398,\"drupal_internal__target_id\":1451}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_page_section?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_page_section?resourceVersion=id%3A5934\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"e0d07bf6-c606-4a38-ba34-9521f9e77733\",\"meta\":{\"target_revision_id\":19399,\"drupal_internal__target_id\":1671}},{\"type\":\"paragraph--internal_link\",\"id\":\"be5c8dd0-860f-4570-bf13-358733b392ca\",\"meta\":{\"target_revision_id\":19400,\"drupal_internal__target_id\":1676}},{\"type\":\"paragraph--internal_link\",\"id\":\"10abb234-5289-40da-9df3-f4e6e9c06a80\",\"meta\":{\"target_revision_id\":19401,\"drupal_internal__target_id\":1681}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_related_collection?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_related_collection?resourceVersion=id%3A5934\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_resource_type?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_resource_type?resourceVersion=id%3A5934\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_roles?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_roles?resourceVersion=id%3A5934\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_topics?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_topics?resourceVersion=id%3A5934\"}}}}},{\"type\":\"node--blog\",\"id\":\"bc27186f-c3a4-490d-b541-021bf0ba3f82\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82?resourceVersion=id%3A5790\"}},\"attributes\":{\"drupal_internal__nid\":1006,\"drupal_internal__vid\":5790,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-06T15:42:37+00:00\",\"status\":true,\"title\":\"Executive Order on Improving the Nations Cybersecurity: What it means for you\",\"created\":\"2023-05-26T00:00:00+00:00\",\"changed\":\"2024-08-06T15:42:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/posts/executive-order-improving-nations-cybersecurity-what-it-means-you\",\"pid\":861,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1c\",\"format\":\"body_text\",\"processed\":\"$1d\",\"summary\":\"\"},\"field_short_description\":{\"value\":\"Learn about the latest federal cybersecurity guidance from the White House and its application at CMS\\r\\n\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eLearn about the latest federal cybersecurity guidance from the White House and its application at CMS\u003c/p\u003e\\n\"},\"field_video_link\":null},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"f382c03e-0cc5-4892-aa46-653a2d90fc05\",\"meta\":{\"drupal_internal__target_id\":\"blog\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/node_type?resourceVersion=id%3A5790\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/node_type?resourceVersion=id%3A5790\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/revision_uid?resourceVersion=id%3A5790\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/revision_uid?resourceVersion=id%3A5790\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/uid?resourceVersion=id%3A5790\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/uid?resourceVersion=id%3A5790\"}}},\"field_cover_image\":{\"data\":{\"type\":\"media--blog_cover_image\",\"id\":\"ddd76d53-b84b-4de2-8c73-73ed5072381e\",\"meta\":{\"drupal_internal__target_id\":221}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/field_cover_image?resourceVersion=id%3A5790\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/field_cover_image?resourceVersion=id%3A5790\"}}},\"field_publisher_group\":{\"data\":{\"type\":\"group--team\",\"id\":\"52b65a87-4029-4447-8e2a-19108d81273f\",\"meta\":{\"drupal_internal__target_id\":32}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/field_publisher_group?resourceVersion=id%3A5790\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/field_publisher_group?resourceVersion=id%3A5790\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"cccd136f-b478-40f0-8ff8-fd73f75f4ab0\",\"meta\":{\"drupal_internal__target_id\":106}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/field_resource_type?resourceVersion=id%3A5790\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/field_resource_type?resourceVersion=id%3A5790\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/field_roles?resourceVersion=id%3A5790\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/field_roles?resourceVersion=id%3A5790\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":{\"drupal_internal__target_id\":21}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/field_topics?resourceVersion=id%3A5790\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/bc27186f-c3a4-490d-b541-021bf0ba3f82/relationships/field_topics?resourceVersion=id%3A5790\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1e\",\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\":\"$28\",\"e352e203-fe9c-47ba-af75-2c7f8302fca8\":\"$2c\",\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\":\"$30\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$4a\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$64\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$7e\",\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\":\"$98\",\"65ef6410-4066-4db4-be03-c8eb26b63305\":\"$b2\",\"13b80850-5640-4bde-8bbe-24310feb7831\":\"$cc\",\"6f4e3323-98c9-4f4f-b2b7-62a581f7e16f\":\"$e1\",\"c42c665f-aca6-4b61-9083-28eb938db0b8\":\"$f4\",\"0a2d57c8-01b3-4087-8fa7-8ef0044e662b\":\"$103\",\"1ddadcf3-87d4-44f4-8d92-44bdd359f870\":\"$115\",\"96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a\":\"$127\",\"bc27186f-c3a4-490d-b541-021bf0ba3f82\":\"$172\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Software Bill of Materials (SBOM) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"A structured list of the components and modules that make up a piece of software, and the supply chain relationships between them\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/software-bill-materials-sbom\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"Software Bill of Materials (SBOM) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"A structured list of the components and modules that make up a piece of software, and the supply chain relationships between them\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/software-bill-materials-sbom\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/software-bill-materials-sbom/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"Software Bill of Materials (SBOM) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"A structured list of the components and modules that make up a piece of software, and the supply chain relationships between them\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/software-bill-materials-sbom/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>
Reference in a new issue View git blame Copy permalink