cms-gov/security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook
2025-02-28 14:41:14 -05:00


<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>CMS Information System Contingency Plan (ISCP) Handbook | CMS Information Security &amp; Privacy Group</title><meta name="description" content="Guidance for CMS teams 
for creating and updating your Information System Contingency Plan (ISCP)"/><link rel="canonical" href="https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="CMS Information System Contingency Plan (ISCP) Handbook | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="Guidance for CMS teams for creating and updating your Information System Contingency Plan (ISCP)"/><meta property="og:url" content="https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook/opengraph-image.jpg?a856d5522b751df7"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="CMS Information System Contingency Plan (ISCP) Handbook | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="Guidance for CMS teams for creating and updating your Information System Contingency Plan (ISCP)"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook/opengraph-image.jpg?a856d5522b751df7"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" 
noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" 
style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button 
type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a 
href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item 
font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block 
font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div 
class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accountability Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item 
font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" 
role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-library undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">CMS Information System Contingency Plan (ISCP) Handbook</h1><p class="hero__description">Guidance for CMS teams for creating and updating your Information System Contingency Plan (ISCP)</p><p class="font-sans-2xs line-height-sans-5 margin-bottom-0">Last reviewed<!-- -->: <!-- -->7/30/2024</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" 
aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8"><section class="resource-collection radius-md padding-y-2 padding-x-3 bg-base-lightest"><h1 class="resource-collection__header h3 margin-top-0 margin-bottom-2">Related Resources</h1><div class="grid-row grid-gap-4"><div class="tablet:grid-col-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="https://csrc.nist.gov/pubs/sp/800/34/r1/upd1/final">Contingency Planning Guide for Federal Information Systems (NIST)<svg class="usa-icon" aria-hidden="true" role="img" data-testid="library-resources-external"><use href="/assets/img/sprite.svg#launch"></use></svg></a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook">CMS ISCP Exercise Handbook<svg class="usa-icon" aria-hidden="true" role="img" data-testid="library-resources-external"><use href="/assets/img/sprite.svg#launch"></use></svg></a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards<svg class="usa-icon" aria-hidden="true" role="img" data-testid="library-resources-external"><use href="/assets/img/sprite.svg#launch"></use></svg></a></div></div></section><section><div class="text-block text-block--theme-library"><h2 dir="ltr">What is an Information System Contingency Plan?</h2><p dir="ltr">Contingency planning at the Center for Medicare and Medicaid Services (CMS) is essential for protecting the organization from potential risks and ensuring the continuity of its operations. 
An&nbsp;<strong>Information System Contingency Plan</strong> (ISCP) is the cornerstone document of contingency planning, and every CMS system must have one in place. The ISCP provides a framework for responding to and mitigating the effects of unexpected events, such as natural disasters, data breaches, and public health crises.&nbsp;</p><p dir="ltr">The ISCP outlines risk management strategies, such as crisis management protocols, data backup and recovery procedures, business continuity plans, and roles and responsibilities.&nbsp;</p><p dir="ltr">The plan generally includes one or more of the following approaches to restore disrupted services:</p><ul><li dir="ltr">Restoring information systems using alternate equipment in case of an equipment failure</li><li dir="ltr">Alternate data processing means</li><li dir="ltr">Alternate location(s) in case of a natural disaster&nbsp;</li></ul><p dir="ltr">Contingency planning also involves establishing clear communication channels between CMS and its stakeholders, such as healthcare providers, patients, and the general public. By being prepared for potential risks, CMS can ensure that its operations remain uninterrupted and that its stakeholders are kept informed of any changes.</p><h2 dir="ltr">Federal guidance for contingency planning</h2><p dir="ltr">CMS utilizes guidance provided by the&nbsp;<a href="https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final">National Institute of Standards and Technology (NIST) SP 800-53</a>&nbsp;and the&nbsp;<a href="https://security.cms.gov/learn/federal-information-security-modernization-act-fisma">Federal Information Security Modernization Act</a> (FISMA) to inform its internal contingency planning process. 
FISMA defines three security objectives for information and information systems:</p><p dir="ltr"><strong>Confidentiality:&nbsp;</strong>Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.</p><p dir="ltr"><strong>Integrity</strong>: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity.&nbsp;</p><p dir="ltr"><strong>Availability</strong>: Ensuring timely and reliable access to and use of information.&nbsp;</p><p dir="ltr">CMS&#x27;s Information Security and Privacy Group (ISPG) has also identified all controls relevant to the contingency planning process for CMS systems in the&nbsp;<a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards</a>. You can use this document to inform your contingency planning efforts.</p><h2 dir="ltr">Roles and responsibilities&nbsp;</h2><p dir="ltr">Contingency planning involves cooperation between every person on a system team including the System/Business Owner, the Information System Security Officer (ISSO), the system&#x27;s data center or hosting facility, and senior CMS leadership.</p><p dir="ltr">Specifically, System/Business Owners and ISSOs play an integral role in the development and maintenance of Information System Contingency Plans for FISMA systems at CMS. For specific responsibilities of various roles, refer to the&nbsp;<a href="https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#program-and-information-system-roles">CMS Information Systems Security and Privacy Policy</a> (IS2P2).</p><h2 dir="ltr">ISCP prerequisite: BIA</h2><p dir="ltr">Before you start creating or updating your Information System Contingency Plan, you need to complete a Business Impact Analysis (BIA). 
Without this crucial document included as an appendix,&nbsp;<strong>your ISCP will be incomplete</strong>.</p><h3 dir="ltr">What is a Business Impact Analysis (BIA)?</h3><p dir="ltr">The&nbsp;<strong>Business Impact Analysis (BIA)&nbsp;</strong>is an essential part of the contingency planning process. It helps System/Business Owners identify preventative actions required to mitigate risk, and the resources available to keep systems safe. The ISSO coordinates with the System/Business Owner to identify key processes and determine how critical they are to overall system functionality. This effort will result in a completed BIA.&nbsp;</p><p dir="ltr">BIAs serve as the primary requirement document for determining the key recovery metrics that are addressed in the ISCP including:&nbsp;</p><ul><li dir="ltr">Recovery Point Objective (RPO)</li><li dir="ltr">Recovery Time Objective (RTO)</li><li dir="ltr">Maximum Tolerable Downtime (MTD)</li><li dir="ltr">Work Recovery Time (WRT)</li></ul><p dir="ltr">The goal is to ensure that there are plans in place to restore business functionality within the Maximum Tolerable Downtime (MTD). Note that this may involve restoring the system as originally constructed, moving to alternate processing facilities, or even moving to alternate processing methods.&nbsp;</p><p dir="ltr">The following information should be used to create the system BIA. Once the BIA is completed, it&nbsp;<strong>must be included as an appendix to the ISCP</strong> and reviewed annually. When it's time to review and recertify your ISCP, you must attach the BIA as an appendix again, even if the BIA hasn't changed from the previous year.</p><h3 dir="ltr">BIA template</h3><p dir="ltr"><em>Use this sample template to perform your Business Impact Analysis (BIA) and create a BIA document as part of your contingency planning process. 
This template is meant to be a guide that can be adjusted to best meet the needs of your system.&nbsp;</em></p><p dir="ltr"><em>In this template, words in&nbsp;<strong>italics</strong> are instructional and are meant to be deleted from the final document. Words in regular (non-italic) text are intended to remain. Copy and paste the BIA instructions and template below into a document to begin your BIA process.&nbsp;</em></p><table><tbody><tr><td><p dir="ltr">BIA TEMPLATE BEGINS BELOW</p></td></tr></tbody></table><h4 dir="ltr">Overview</h4><p dir="ltr">This Business Impact Analysis (BIA) is developed as part of the contingency planning process for the {system name (system acronym)}. It was prepared on {insert BIA completion date}.</p><h4 dir="ltr">Purpose</h4><p dir="ltr">The purpose of this BIA is to identify and prioritize system components by correlating them to the mission / business processes the system supports, and using this information to characterize the impact on the processes if the system were unavailable.</p><p dir="ltr">The BIA is composed of the following three steps:</p><ol><li dir="ltr"><strong>Determine mission / business processes and recovery criticality.</strong> Mission / business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum that an organization can tolerate while still maintaining the mission.</li><li dir="ltr"><strong>Identify resource requirements</strong>. Realistic recovery efforts require a thorough evaluation of the resources required to resume mission / business processes and related interdependencies as quickly as possible. Examples of resources that should be identified include facilities, personnel, equipment, software, data files, system components, and vital records.</li><li dir="ltr"><strong>Identify recovery priorities for system resources</strong>. 
Based upon the results from the previous activities, system resources can more clearly be linked to critical mission / business processes. Priority levels can be established for sequencing recovery activities and resources.</li></ol><p dir="ltr">This document is used to build the {system name} Information System Contingency Plan (ISCP) and is included as a key component of the ISCP. It also may be used to support the development of other contingency plans associated with the system, including the Disaster Recovery Plan (DRP) or Cyber Incident Response Plan.</p><h4 dir="ltr">System Description</h4><p dir="ltr"><em>Provide a general description of system architecture and functionality. Indicate the operating environment, physical location, general location of users, and partnerships with external organizations/systems. Include information regarding any other technical considerations that are important for recovery purposes, such as backup procedures.&nbsp;</em></p><p dir="ltr"><em>Diagrams of architecture, inputs / outputs, and telecommunications&nbsp;<strong>are not required</strong> as part of the BIA. Those are provided in </em><a href="https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook#appendix-g-diagrams"><em>Appendix G for ISCPs at CMS</em></a><em>.</em></p><h4 dir="ltr">Mission and business processes</h4><p dir="ltr"><em>To complete this section, you will work with input from&nbsp;users, managers, mission/business process owners, and other internal or external points of contact (POC), to identify the specific mission/business processes that depend on or support the information system. 
To collect all this information, you can use interviews with individuals or groups, workshops, email, questionnaires, or any combination of those methods.</em></p><p dir="ltr"><em>In later sections, you will also identify the criticality of those processes.</em></p><p dir="ltr"><em>An example of a mission/business process and description is below. Create your own list for the system that needs the BIA.</em></p><p dir="ltr"><em><strong>Sample Mission/Business Process</strong>: Pay vendor invoice</em></p><p dir="ltr"><em><strong>Sample Description</strong>: Process of obligating funds, issuing check or electronic payment, and acknowledging receipt</em></p><p dir="ltr">The following list outlines the mission / business processes for {system name}.</p><p dir="ltr"><strong>Mission/Business Process</strong>:</p><p dir="ltr"><strong>Description</strong>:</p><p dir="ltr"><em>(add more as needed)</em></p><h4>Outage Impacts</h4><p dir="ltr"><em>This section identifies and characterizes the types of impact categories that a system disruption is likely to create in addition to those identified by the&nbsp;</em><a href="https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization"><em>FIPS 199 impact level</em></a><em>, as well as the estimated downtime that the organization can tolerate for a given process.&nbsp;</em></p><p dir="ltr"><em>Impact categories should be created and values assigned to these categories in order to measure the level or type of impact a disruption may cause. An example of cost as an impact category has been provided below. Organizations should consider other categories like harm to individuals and ability to perform mission. 
Create as many categories as you need to reflect what is appropriate for your organization.</em></p><p dir="ltr">The following impact categories represent important areas for consideration in the event of a disruption or impact.</p><p dir="ltr"><em>Sample impact category: Cost</em></p><p dir="ltr"><em>Sample values for assessing category impact:</em></p><ul><li dir="ltr"><em>Severe = Temp staffing, overtime, fees greater than $1 million</em></li><li dir="ltr"><em>Moderate = fines, penalties, liabilities potential $550K</em></li><li dir="ltr"><em>Minimal = new contracts, supplies $75K</em></li></ul><p dir="ltr">Impact category: {insert category name}</p><p dir="ltr">Impact values for assessing category impact:</p><ul><li dir="ltr">Severe = {insert value}</li><li dir="ltr">Moderate = {insert value}</li><li dir="ltr">Minimal = {insert value}&nbsp;&nbsp;</li></ul><p><em>(add more categories and their values as needed)</em></p><p dir="ltr">The table below summarizes the impact on each mission/business process if {system name} were unavailable, based on the following criteria:</p><table><thead><tr><th><p dir="ltr"><strong>Mission/Business Process</strong></p></th><th colspan="5"><p dir="ltr"><strong>Impact Category</strong></p></th></tr></thead><tbody><tr><td>&nbsp;</td><td><p dir="ltr"><strong>{</strong><em><strong>insert</strong></em><strong>}</strong></p></td><td><p dir="ltr"><strong>{</strong><em><strong>insert</strong></em><strong>}</strong></p></td><td><p dir="ltr"><strong>{</strong><em><strong>insert</strong></em><strong>}</strong></p></td><td><p dir="ltr"><strong>{</strong><em><strong>insert</strong></em><strong>}</strong></p></td><td><p dir="ltr"><strong>Impact</strong></p></td></tr><tr><td><p dir="ltr"><em>Pay vendor invoice 
(example)</em></p></td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table><h4>Estimated downtime&nbsp;</h4><p dir="ltr"><em>Working directly with mission/business process owners, departmental staff, managers, and other stakeholders, estimate the downtime factors for consideration as a result of a disruptive event.</em></p><p dir="ltr">The following are the downtime factors considered for {system name} in the event of a disruption.</p><ul><li dir="ltr"><strong>Maximum Tolerable Downtime (MTD).&nbsp;</strong>&nbsp;The MTD represents the total amount of time leaders/managers are willing to accept for a mission/business process outage or disruption and includes all impact considerations.&nbsp; Determining the MTD is important because, without it, continuity planners are left with imprecise direction on (1) selection of an appropriate recovery method, and (2) the depth of detail which will be required when developing recovery procedures, including their scope and content.&nbsp;</li><li dir="ltr"><strong>Recovery Time Objective (RTO).</strong>&nbsp; RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD.&nbsp; Determining the information system resource RTO is important for selecting appropriate technologies that are best suited for meeting the MTD.</li><li dir="ltr"><strong>Recovery Point Objective (RPO).</strong>&nbsp; The RPO represents the point in time, prior to a disruption or system outage, to which mission/business process data must be recovered (given the most recent backup copy of the 
data) after an outage.&nbsp;&nbsp;&nbsp;</li></ul><p dir="ltr">The list below identifies the MTD, RTO, and RPO (as applicable) for the organizational mission/business processes that rely on {system name}.</p><p dir="ltr"><em>Values for MTDs, RTOs, and RPOs are expected to be specific time frames, identified in hourly increments (e.g., 8 hours, 36 hours, etc.). The RTO for a process must not exceed its MTD (as in the sample below), and an RPO is only achievable if backups are taken at least that frequently.</em></p><p dir="ltr"><em><strong>Sample Mission/Business Process</strong>: Pay vendor invoice</em></p><ul><li dir="ltr"><em>MTD: 72 hours</em></li><li dir="ltr"><em>RTO: 48 hours</em></li><li dir="ltr"><em>RPO: 12 hours (last backup)</em></li></ul><p dir="ltr"><em><strong>Drivers for MTD, RTO, and RPO</strong>: For each Mission/Business Process, include a description of the drivers for the MTD, RTO, and RPO (e.g., mandate, workload, performance measure, etc.). Include a description of any alternate means (secondary processing or manual workaround) for recovering the Mission/Business Processes that rely on the system. If none exist, so state.</em></p><p dir="ltr"><strong>Mission/Business Process</strong>:</p><ul><li dir="ltr">MTD:</li><li dir="ltr">RTO:</li><li dir="ltr">RPO:</li></ul><p dir="ltr"><strong>Drivers for MTD, RTO, and RPO</strong>:</p><h4>Resource Requirements</h4><p dir="ltr">The following list identifies the resources that compose {system name} including hardware, software, and other resources such as data files. 
It is assumed that all identified resources support the Mission/Business Processes identified above unless otherwise stated.</p><p dir="ltr"><em><strong>Sample System Resource/Component</strong>: Web Server 1</em></p><ul><li dir="ltr"><em>Platform/OS/Version: Optiplex GX280</em></li><li dir="ltr"><em>Description: Website host</em></li></ul><p dir="ltr"><strong>System Resource/Component</strong>:</p><ul><li dir="ltr">Platform/OS/Version:</li><li dir="ltr">Description:</li></ul><h4>Recovery priorities for system resources</h4><p dir="ltr">The list below shows the order of recovery for {system name} resources. The highest priority resources are listed first. The list also identifies the expected time for recovering the resource (RTO) following a “worst case” (complete rebuild/repair or replacement) disruption.</p><p dir="ltr"><em><strong>Sample Priority Resource</strong>: Web Server 1</em></p><ul><li dir="ltr"><em>System Platform/Component: Optiplex GX280</em></li><li dir="ltr"><em>Recovery Time Objective (RTO): 24 hours to rebuild or replace</em></li></ul><p dir="ltr"><strong>Priority Resource</strong>:</p><ul><li dir="ltr">System Platform/Component:</li><li dir="ltr">Recovery Time Objective (RTO):</li></ul><table><tbody><tr><td><p dir="ltr">END BIA TEMPLATE</p></td></tr></tbody></table><h2 dir="ltr">ISCP steps</h2><p dir="ltr">With your BIA complete (and ONLY when it's complete!), you can begin the process of creating or updating your Information System Contingency Plan. If you already have a completed BIA from the previous year, review it for accuracy and update if needed. <strong>Attach it as an appendix to the ISCP</strong> regardless of whether updates were made.</p><p dir="ltr">Guidance for each step is listed below.</p><h3 dir="ltr">1. 
Create or update ISCP document</h3><p dir="ltr">To create your ISCP document, use the <a href="https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook#iscp-template">ISCP template</a> provided for use by all CMS FISMA systems. This template is adapted from the NIST ISCP template for High risk level systems. This ensures that all ISCPs for CMS systems meet or exceed compliance requirements for contingency planning.</p><p dir="ltr">Using the template to create your own ISCP document, you will be capturing information specific to your system including:</p><ul><li dir="ltr">Key recovery metrics for your system</li><li dir="ltr">Pre-defined descriptions of conditions that constitute a need for action</li><li dir="ltr">Pre-defined actions based on the severity of an identified incident</li><li dir="ltr">Key staff, contact information, and specific duties for each person</li><li dir="ltr">Item-level understanding of all of the system hardware and software</li><li dir="ltr">If your ISCP references other documents (such as diagrams), they must be included in the ISCP as appendices</li></ul><h3 dir="ltr">2. System/Business Owner signs ISCP</h3><p dir="ltr">Once completed, the ISCP must be attested to (signed) by the FISMA System Owner. The signature process is repeated annually when the ISCP is reviewed and / or updated.</p><h3 dir="ltr">3. Exercise (test) the ISCP</h3><p dir="ltr">The Information System Contingency Plan must be tested at least once every 365 days to ensure that everyone knows their part in the process of recovering CMS systems in case of an incident. This is commonly referred to as the “Tabletop Exercise”, but a tabletop exercise is only one way to test the ISCP.&nbsp;</p><p dir="ltr">A test plan must be prepared and followed during the execution of the test. 
All staff who participate in an actual contingency plan event must be available for the test, and key staff members must be trained annually in their contingency responsibilities.</p><p dir="ltr"><a href="https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook"><strong>Learn how to plan and conduct an ISCP exercise here</strong></a><strong>.</strong></p><h3 dir="ltr">4. Create the After Action Report (AAR)</h3><p dir="ltr">After the test is conducted, an After Action Report (AAR) must be generated to describe the test and highlight specific deficiencies that must be corrected.&nbsp; These deficiencies may be easily correctable, or may result in the creation of one or more&nbsp;<a href="https://security.cms.gov/learn/plan-action-and-milestones-poam">Plan of Action and Milestones</a> (POA&amp;Ms).&nbsp;</p><p dir="ltr"><a href="https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook#after-action-report-aar-template"><strong>Here is the template for making your After Action Report</strong></a><strong>.</strong></p><h3 dir="ltr">5. Achieve ISCP recertification</h3><p dir="ltr">For ISCPs that are being reviewed and updated, the updated ISCP must be re-certified by the System/Business Owner. Make sure that all key staff members receive updated ISCP documents that they have access to (<strong>even away from the office or after hours</strong>). Because the ISCP and its appendices contain personnel contact information (PII) and system recovery procedures, copies kept for off-site or after-hours access must still be protected. Destroy (or return) older copies so that only the current, re-certified version remains in circulation.</p><h3 dir="ltr">6. Plan for next year's exercises</h3><p dir="ltr">It's never too early to start planning for next year's ISCP exercises. Whether you're engaging in a tabletop exercise or have chosen a different way to evaluate your plan, it's important to leave plenty of time to complete the exercise so that your FISMA system remains compliant. 
If your FISMA system is involved in an outage that causes you to exercise the ISCP, you should consider documenting the event as an exercise of your plan.</p><h2 dir="ltr">ISCP template</h2><p dir="ltr"><em>The following template provides placeholder content for an ISCP that you can copy and paste into a document. Add information specific to your system to create your ISCP. In this template, words in italics are instructional and are meant to be deleted from the final document.</em></p><table><tbody><tr><td><p dir="ltr">ISCP TEMPLATE BEGINS BELOW</p></td></tr></tbody></table><h3 dir="ltr">Introduction</h3><p dir="ltr">Information systems are vital to {insert CMS Center or Office} mission/business processes; therefore,&nbsp;it is critical that&nbsp;services provided by {system name} are able to operate effectively without excessive interruption. This Information System Contingency Plan (ISCP) establishes comprehensive&nbsp;procedures&nbsp;to recover {system name} quickly and effectively following a service disruption.&nbsp;</p><h3 dir="ltr">Concept of operations</h3><p dir="ltr"><em>The Concept of Operations section provides details about your system, and a description of&nbsp;roles and responsibilities of your Center or Office personnel during a contingency activation. Start with the text below, and then continue with as much detail as needed to describe your system's specific operations.</em></p><p dir="ltr">This section provides details about {system name}, and a description of&nbsp;roles and responsibilities of {insert CMS Center or Office} personnel during a contingency activation.</p><h4 dir="ltr">System description</h4><p dir="ltr"><em>Information to populate the system description section can be found in the General tab in CFACTS.&nbsp; Ensure the information is correct and use it for this section. 
Make any updates to the CFACTS record for consistency.</em></p><h4 dir="ltr">Roles and responsibilities</h4><p dir="ltr">The ISCP establishes several roles for {system name} recovery and reconstitution support.&nbsp; Persons or teams assigned ISCP roles have been trained to respond to a contingency event affecting {system name}.</p><p dir="ltr"><em>Describe each team and role responsible for executing or supporting system recovery and reconstitution.&nbsp; Include responsibilities for each team/role, leadership roles, and coordination with other recovery and reconstitution teams, as applicable. At a minimum, a role should be established for a system owner or business unit point of contact, a recovery coordinator, and a technical recovery point of contact. Example format below.</em></p><p dir="ltr"><strong>Team or individual name: {insert name}</strong></p><p dir="ltr">Role: {insert role / title}</p><p dir="ltr">Responsibilities: {list responsibilities}</p><p dir="ltr">Contact information: {insert contact information}</p><p dir="ltr"><em>Add more teams or individuals, along with additional details, as needed</em>.</p><h3 dir="ltr">Activation and notification</h3><p dir="ltr">The&nbsp;<strong>Activation and Notification Phase</strong> defines initial actions taken once a disruption to {system name} has been detected or appears to be imminent.&nbsp;This phase includes activities to notify recovery personnel, conduct an outage assessment, and activate the ISCP.&nbsp;At the completion of the Activation and Notification Phase, {system name} ISCP staff will be prepared to perform recovery measures.&nbsp;</p><h4 dir="ltr">Activation criteria and procedure</h4><p>The {system name} ISCP may be activated if one or more of the following criteria are met:</p><ul><li dir="ltr">The type of outage indicates {system name} will be down for more than {RTO hours&nbsp;<em>(copy the RTO from the BIA)</em>}</li><li dir="ltr">The facility housing {system name} is damaged and may not be 
available within {RTO hours&nbsp;<em>(copy the RTO from the BIA)</em>}</li><li dir="ltr">Other criteria, as appropriate</li></ul><p dir="ltr">The following persons or roles may activate the ISCP if one or more of the above criteria are met:</p><ul><li dir="ltr"><em>List people or roles from the&nbsp;<strong>Roles and responsibilities</strong> section above</em></li></ul><h4 dir="ltr">Notification&nbsp;</h4><p dir="ltr">The first step upon activation of the ISCP for {system name} is notification of appropriate business and system support personnel. Contact information for appropriate POCs is included in&nbsp;<strong>Appendix A: Personnel Contact List</strong>.&nbsp;</p><p dir="ltr">For {system name}, the following method and procedure for notifications are used:</p><p dir="ltr"><em>Describe established notification procedures.&nbsp; Notification procedures should include who makes the initial notifications, the sequence in which personnel are notified (e.g., system owner, technical POC, ISCP Coordinator, business unit or user unit POC, and recovery team POC), and the method of notification (e.g., email blast, call tree, automated notification system, etc.)</em>.</p><h3 dir="ltr">Outage assessment</h3><p dir="ltr">Following notification, a thorough outage assessment is necessary to determine the extent of the disruption, any damage, and expected recovery time.&nbsp; This outage assessment is conducted by the system team. 
Assessment results are provided to the ISCP Coordinator to assist in the coordination of the recovery of {system name}.</p><p dir="ltr"><em>Outline detailed procedures to include how to determine the cause of the outage; identification of potential for additional disruption or damage; assessment of affected physical area(s); and determination of the physical infrastructure status, IS equipment functionality, and inventory.&nbsp; Procedures should include notation of items that will need to be replaced and estimated time to restore service to normal operations</em>.</p><h3 dir="ltr">Recovery</h3><p dir="ltr">The&nbsp;<strong>Recovery Phase</strong> provides formal&nbsp;recovery operations that begin after the ISCP has been activated, outage assessments have been completed (if possible), personnel have been notified, and appropriate teams have been mobilized.&nbsp;Recovery Phase activities focus on implementing recovery strategies to restore system capabilities, repair damage, and resume operational capabilities at the original or an alternate location.&nbsp;At the completion of the Recovery Phase, {system name} will be functional and capable of performing the functions identified.&nbsp;</p><h4 dir="ltr">Sequence of recovery activities</h4><p dir="ltr">The following activities occur during recovery of {system name}:</p><p dir="ltr"><em>Modify the following list as appropriate for the selected system recovery strategy.</em></p><ul><li dir="ltr">Identify recovery location (if not at original location)</li><li dir="ltr">Identify required resources to perform recovery procedures</li><li dir="ltr">Retrieve backup and system installation media</li><li dir="ltr">Recover hardware and operating system (if required)</li><li dir="ltr">Recover system from backup and system installation media</li></ul><h4 dir="ltr">Recovery procedures</h4><p dir="ltr">The following procedures are provided for recovery of {system name} at the original or established alternate location. 
Recovery procedures are outlined per team and should be executed in the sequence presented to maintain an efficient recovery effort.</p><p dir="ltr"><em>Provide general procedures for the recovery of the system from backup media. Specific keystroke-level procedures may be provided in an appendix. If specific procedures are provided in an appendix, a reference to that appendix should be included in this section.&nbsp; Teams or persons responsible for each procedure should be identified.</em></p><h4 dir="ltr">Recovery escalation notices / awareness</h4><p dir="ltr"><em>Provide appropriate procedures for escalation notices during recovery efforts.&nbsp; Notifications during recovery include problem escalation to leadership and status awareness to system owners and users. Teams or persons responsible for each escalation and awareness procedure should be identified.</em></p><h3 dir="ltr">Reconstitution</h3><p dir="ltr"><strong>Reconstitution</strong> is the process by which recovery activities are completed and normal system operations are resumed.&nbsp; If the original facility is unrecoverable, the activities in this phase can also be applied to preparing a new permanent location to support system processing requirements. A determination must be made on whether the system has undergone significant change and will require reassessment and reauthorization. The phase consists of two major activities: validating successful reconstitution and deactivation of the ISCP plan.</p><h4 dir="ltr">Concurrent Processing&nbsp;</h4><p dir="ltr"><em>Concurrent Processing (in which a system operates at two separate locations concurrently for a time period) is not required. 
If concurrent processing does occur for the system prior to making it operational, procedures should be inserted here.&nbsp; Procedures should include length of time for concurrent processing, processing information on both concurrent systems, and validating information on the new permanent system</em>.</p><p dir="ltr"><em>For systems that will not require concurrent processing, this section may either be removed, or the following may be used:</em></p><p dir="ltr">In concurrent processing, a system operates at two separate locations concurrently until there is a level of assurance that the recovered system is operating correctly.&nbsp; {system name} does not have concurrent processing as part of validation. Once the system has been tested and validated, it will be placed into normal operations.</p><h4 dir="ltr">Validation Data Testing</h4><p dir="ltr">Validation data testing is the process of testing and validating recovered data to ensure that data files or databases have been recovered completely. The following procedures will be used to determine that the recovered data is complete and current to the last available backup:&nbsp;</p><p dir="ltr"><em>Provide procedures for testing or validation of recovered data to ensure that data is correct and up to date. This section may be combined with the Functionality Testing section if procedures test both the functionality and data validity. Teams or persons responsible for each procedure should be identified. An example of a validation data test for a system would be to log into the system database and check the audit logs to determine that all transactions and updates are current. 
Detailed data test procedures may be provided in an appendix titled&nbsp;<strong>System Validation Test Plan</strong>.</em></p><h4 dir="ltr">Validation Functionality Testing</h4><p dir="ltr">Validation functionality testing is the process of verifying that functionality for {system name} has been tested, and the system is ready to return to normal operations.</p><p dir="ltr"><em>Provide system functionality testing and validation procedures to ensure that the system is operating correctly. This section may be combined with the Data Testing section if procedures test both the functionality and data validity. Teams or persons responsible for each procedure should be identified. An example of a functional test for a system may be logging into the system and running a series of operations as a test or real user to ensure that all parts of the system are operating correctly. Detailed functionality test procedures may be provided in an appendix titled,&nbsp;<strong>System Validation Test Plan</strong>.</em></p><h4 dir="ltr">Recovery Declaration</h4><p dir="ltr">Upon successfully completing testing and validation, the System/Business Owner will formally declare recovery efforts complete, and that {system name} is in normal operations.&nbsp; {system name} business and technical POCs will be notified of the declaration by the ISCP Coordinator.</p><h4 dir="ltr">Notification to system users</h4><p dir="ltr">Upon return to normal system operations, {system name} users will be notified by the {role of individual in charge of notification} using predetermined notification procedures (e.g., email, broadcast message, phone calls, etc.).</p><h4 dir="ltr">Cleanup</h4><p dir="ltr">Cleanup is the process of cleaning up or dismantling any temporary recovery locations, restocking supplies used, returning manuals or other documentation to their original locations, and readying the system for a possible future contingency event.</p><p dir="ltr"><em>Provide any specific cleanup procedures 
for the system, including preferred locations for manuals and documents and returning backup or installation media to its original location.</em></p><h4 dir="ltr">Offsite Data Storage</h4><p dir="ltr">It is important that all backup and installation media used during recovery be returned to the offsite data storage location. The following procedures should be followed to return backup and installation media to its offsite data storage location.</p><p dir="ltr"><em>Provide procedures for returning retrieved backup or installation media to its offsite data storage location. This may include proper logging and packaging of backup and installation media, preparing for transportation, and validating that media is securely stored at the offsite location.</em></p><h4 dir="ltr">Data Backup</h4><p dir="ltr">As soon as reasonably possible following recovery, the system should be fully backed up and a new copy of the current operational system stored for future recovery efforts. This full backup is then kept with other system backups. The procedures for conducting a full system backup are:</p><p dir="ltr"><em>Provide appropriate procedures for ensuring that a full system backup is conducted within a reasonable time frame, ideally at the next scheduled backup period. This backup should go offsite with the other media in Offsite Data Storage.</em></p><h3 dir="ltr">Event documentation</h3><p dir="ltr"><em>It is important that all recovery events be well-documented, including actions taken and problems encountered during the recovery and reconstitution effort, and lessons learned for inclusion and update to this ISCP. It is the responsibility of each ISCP team or person to document their actions during the recovery and reconstitution effort, and to provide that documentation to the ISCP Coordinator.</em></p><p dir="ltr"><em>Provide details about the types of information each ISCP team member is required to provide or collect for updating the ISCP with lessons learned. 
Types of documentation that should be generated and collected after a contingency activation include:</em></p><ul><li dir="ltr"><em>Activity logs (including recovery steps performed and by whom, the time the steps were initiated and completed, and any problems or concerns encountered while executing activities)</em></li><li dir="ltr"><em>Functionality and data testing results</em></li><li dir="ltr"><em>Lessons learned documentation&nbsp;</em></li><li dir="ltr"><em>After Action Report</em></li></ul><p dir="ltr"><em>Event documentation procedures should detail responsibilities for development, collection, approval, and maintenance</em>.</p><h3 dir="ltr">Deactivation of ISCP</h3><p dir="ltr">Once all activities have been completed and documentation has been updated, the System/Business Owner will formally deactivate the ISCP recovery and reconstitution effort. Notification of this declaration will be provided to all business and technical POCs.</p><h3 dir="ltr">Document change and approval</h3><p dir="ltr">Modifications made to this plan since the last update are as follows:</p><table><tbody><tr><td><p dir="ltr"><strong>Page No.</strong></p></td><td><p dir="ltr"><strong>Change Comment</strong></p></td><td><p dir="ltr"><strong>Date of Change</strong></p></td><td><p dir="ltr"><strong>Signature</strong></p></td></tr><tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table><h3 dir="ltr">Appendix A: Personnel Contact List</h3><p dir="ltr"><em>Provide contact information for each person with a role or responsibility for activation or implementation of the ISCP, or coordination with the ISCP. For each person listed, at least one office and one non-office contact number is recommended. 
Note: Information may contain personally identifiable information (PII) and should be protected.</em></p><h4 dir="ltr">ISCP Director</h4><p dir="ltr">Name and title:</p><p dir="ltr">Address (street, city, state, zip code):</p><p dir="ltr">Email:</p><p dir="ltr">Phone (home):</p><p dir="ltr">Phone (cell):</p><p dir="ltr">Phone (work):</p><h4 dir="ltr">ISCP Director (Alternate)</h4><p dir="ltr">Name and title:</p><p dir="ltr">Address (street, city, state, zip code):</p><p dir="ltr">Email:</p><p dir="ltr">Phone (home):</p><p dir="ltr">Phone (cell):</p><p dir="ltr">Phone (work):</p><h4 dir="ltr">ISCP Coordinator</h4><p dir="ltr">Name and title:</p><p dir="ltr">Address (street, city, state, zip code):</p><p dir="ltr">Email:</p><p dir="ltr">Phone (home):</p><p dir="ltr">Phone (cell):</p><p dir="ltr">Phone (work):</p><h4 dir="ltr">ISCP Coordinator (Alternate)</h4><p dir="ltr">Name and title:</p><p dir="ltr">Address (street, city, state, zip code):</p><p dir="ltr">Email:</p><p dir="ltr">Phone (home):</p><p dir="ltr">Phone (cell):</p><p dir="ltr">Phone (work):</p><h4 dir="ltr">ISCP Team Lead</h4><p dir="ltr">Name and title:</p><p dir="ltr">Address (street, city, state, zip code):</p><p dir="ltr">Email:</p><p dir="ltr">Phone (home):</p><p dir="ltr">Phone (cell):</p><p dir="ltr">Phone (work):</p><h4 dir="ltr">ISCP Team Members</h4><p dir="ltr">Name and title:</p><p dir="ltr">Address (street, city, state, zip code):</p><p dir="ltr">Email:</p><p dir="ltr">Phone (home):</p><p dir="ltr">Phone (cell):</p><p dir="ltr">Phone (work):</p><p dir="ltr"><em>List additional team members as needed</em></p><h3 dir="ltr">Appendix B: Vendor contact list</h3><p dir="ltr"><em>Contact information for all key maintenance or support vendors should be included in this appendix. 
Contact information, such as emergency phone numbers, contact names, contract numbers, and contractual response and onsite times should be included.</em></p><h3 dir="ltr">Appendix C: Detailed recovery procedures</h3><p dir="ltr"><em>To create this appendix, describe the detailed recovery procedures for the system, which may include items such as:</em></p><ul><li dir="ltr"><em>Keystroke-level recovery steps</em></li><li dir="ltr"><em>System installation instructions from tape, CD, or other media</em></li><li dir="ltr"><em>Required configuration settings or changes</em></li><li dir="ltr"><em>Recovery of data from tape and audit logs</em></li><li dir="ltr"><em>Other system recovery procedures, as appropriate</em></li></ul><p dir="ltr"><em>If the system relies totally on another group or system for its recovery and reconstitution (such as a mainframe system), information provided should include contact information and locations of detailed recovery and reconstitution procedures for that supporting system.</em></p><h3 dir="ltr">Appendix D: Alternate processing procedures&nbsp;</h3><p dir="ltr"><em>This section should identify any alternate manual or technical processing procedures available that allow the business unit to continue some processing of information that would normally be done by the affected system. Examples of alternate processes include manual forms processing, input into workstations to store data until it can be uploaded and processed, or queuing of data input.</em></p><h3 dir="ltr">Appendix E: System validation test plan</h3><p dir="ltr"><em>To create this appendix, describe system acceptance procedures that are performed after the system has been recovered and prior to putting the system into full operation and returned to users. 
The system validation test plan may include the regression or functionality testing conducted prior to implementation of a system upgrade or change.</em></p><p dir="ltr"><em>An example of a system validation test plan is below; the user name and password shown in it are placeholders. Create your own test plan using steps that will validate the functionality of your system. Use a designated test account for validation steps and keep its actual credentials out of the plan itself, because the ISCP is distributed to many points of contact.</em></p><p dir="ltr">Once the system has been recovered, the following steps will be performed to validate system data and functionality:</p><table><thead><tr><th><p dir="ltr"><strong>Procedure</strong></p></th><th><p dir="ltr"><strong>Expected results</strong></p></th><th><p dir="ltr"><strong>Actual results</strong></p></th><th><p dir="ltr"><strong>Successful?</strong></p></th><th><p dir="ltr"><strong>Performed by</strong></p></th></tr></thead><tbody><tr><td><p dir="ltr">At the Command Prompt, type in sysname</p></td><td><p dir="ltr">System Log-in Screen appears</p></td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td><p dir="ltr">Log in as user testuser, using password testpass</p></td><td><p dir="ltr">Initial Screen with Main Menu shows</p></td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td><p dir="ltr">From Menu, select 5: Generate Report</p></td><td><p dir="ltr">Report Generation Screen shows</p></td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td><p dir="ltr">Select Current Date Report; Select Weekly; Select To Screen</p></td><td><p dir="ltr">Report is generated on screen with last successful transaction included</p></td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td><p dir="ltr">Select Close</p></td><td><p dir="ltr">Report Generation Screen shows</p></td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td><p dir="ltr">Select Return to Main Menu</p></td><td><p dir="ltr">Initial Screen with Main Menu shows</p></td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td><p dir="ltr">Select Log-Off</p></td><td><p dir="ltr">Log-in Screen 
appears</p></td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table><p>&nbsp;</p><h3 dir="ltr">Appendix F: Alternate storage, site, and telecommunications</h3><p dir="ltr">This appendix provides information for alternate storage, alternate processing site, and alternate telecommunications for the system.&nbsp;</p><p dir="ltr"><em>Alternate storage, site, and telecommunications information is required for high-impact systems, per NIST SP 800-53 Rev. 5; refer to that publication for details on the control specifics. (Moderate or Low systems may not have the same control specifics for this item.)</em></p><p dir="ltr"><em>Information that should be provided for each area includes:</em></p><p dir="ltr"><em><strong>Alternate Storage</strong></em></p><ul><li dir="ltr"><em>City and state of alternate storage facility, and distance from primary facility</em></li><li dir="ltr"><em>Whether the alternate storage facility is owned by the organization or is a third-party storage provider</em></li><li dir="ltr"><em>Name and points of contact for the alternate storage facility</em></li><li dir="ltr"><em>Delivery schedule and procedures for packaging media to go to alternate storage facility</em></li><li dir="ltr"><em>Procedures for retrieving media from the alternate storage facility</em></li><li dir="ltr"><em>Names and contact information for those persons authorized to retrieve media</em></li><li dir="ltr"><em>Alternate storage configuration features that facilitate recovery operations (such as keyed or card reader access by authorized retrieval personnel)</em></li><li dir="ltr"><em>Any potential accessibility problems to the alternate storage site in the event of a widespread disruption or disaster&nbsp;</em></li><li dir="ltr"><em>Mitigation steps to access alternate storage site in the event of a widespread disruption or disaster</em></li><li dir="ltr"><em>Types of data located at alternate storage site, including databases, application software, 
operating systems, and other critical information system software</em></li><li dir="ltr"><em>Other information as appropriate</em></li></ul><p dir="ltr"><em><strong>Alternate Processing Site</strong></em></p><ul><li dir="ltr"><em>City and state of alternate processing site, and distance from primary facility</em></li><li dir="ltr"><em>Whether the alternate processing site is owned by the organization or is a third-party site provider</em></li><li dir="ltr"><em>Name and points of contact for the alternate processing site</em></li><li dir="ltr"><em>Procedures for accessing and using the alternate processing site, and access security features of alternate processing site</em></li><li dir="ltr"><em>Names and contact information for those persons authorized to go to alternate processing site</em></li><li dir="ltr"><em>Type of alternate processing site, and equipment available at site</em></li><li dir="ltr"><em>Alternate processing site configuration information (such as available power, floor space, office space, telecommunications availability, etc.)</em></li><li dir="ltr"><em>Any potential accessibility problems to the alternate processing site in the event of a widespread disruption or disaster</em></li><li dir="ltr"><em>Mitigation steps to access alternate processing site in the event of a widespread disruption or disaster</em></li><li dir="ltr"><em>SLAs or other agreements for use of the alternate processing site, available office/support space, setup times, etc.</em></li><li dir="ltr"><em>Other information as appropriate</em></li></ul><p dir="ltr"><em><strong>Alternate Telecommunications</strong></em></p><ul><li dir="ltr"><em>Name and contact information of alternate telecommunications vendors</em></li><li dir="ltr"><em>Geographic locations of alternate telecommunications vendors' facilities (such as central offices, switch centers, etc.)</em></li><li dir="ltr"><em>Contracted capacity of alternate telecommunications</em></li><li dir="ltr"><em>SLAs or other 
agreements for implementation of alternate telecommunications capacity</em></li><li dir="ltr"><em>Information on alternate telecommunications vendor contingency plans</em></li><li dir="ltr"><em>Names and contact information for those persons authorized to implement or use alternate telecommunications capacity</em></li><li dir="ltr"><em>Other information as appropriate</em></li></ul><h3 dir="ltr">Appendix G: Diagrams</h3><p dir="ltr"><em>Information for this section should be available from the system's&nbsp;</em><a href="https://security.cms.gov/learn/system-security-and-privacy-plan-sspp"><em>System Security and Privacy Plan</em></a><em> (SSPP) and can be copied from the SSPP; alternatively, this appendix can reference the applicable section in the SSPP, with the latest version of the SSPP attached to this ISCP. Include any system architecture, input/output, or other technical or logical diagrams that may be useful in recovering the system. Diagrams may also identify information about interconnection with other systems.</em></p><h3 dir="ltr">Appendix H: Test and maintenance schedule</h3><p dir="ltr"><em>All ISCPs should be&nbsp;</em><a href="https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook"><em>reviewed and tested</em></a><em> at the organization-defined frequency (e.g., yearly) or whenever there is a significant change to the system. Provide information and a schedule for the testing of the system. 
The ISCP test should include all ISCP points of contact and be facilitated by an outside or impartial observer.&nbsp; A formal test plan is developed prior to the functional test, and test procedures are developed to include key sections of the ISCP, including the following:</em></p><ul><li dir="ltr"><em>Notification procedures</em></li><li dir="ltr"><em>System recovery on an alternate platform from backup media</em></li><li dir="ltr"><em>Internal and external connectivity</em></li><li dir="ltr"><em>Reconstitution procedures</em></li></ul><p dir="ltr"><em>Results of the test are documented in an After Action Report (AAR), and Lessons Learned are developed for updating information in the ISCP.</em></p><p dir="ltr"><em><strong>NOTE</strong>: Full functional tests of systems normally are failover tests to the alternate locations, and may be very disruptive to system operations if not planned well. Other systems located in the same physical location may be affected by or included in the full functional test. It is highly recommended that several functional tests be conducted and evaluated prior to conducting a full functional (failover) test.</em></p><p dir="ltr"><em>Examples of functional tests that may be performed prior to a full functional test include:</em></p><ul><li dir="ltr"><em>Full notification and response of key personnel to recovery location</em></li><li dir="ltr"><em>Recovery of a server or database from backup media</em></li><li dir="ltr"><em>Setup and processing from a server at an alternate location</em></li></ul><p dir="ltr"><em><strong>Not all systems</strong> are required to perform a full functional test as part of ISCP testing. Moderate or low systems may have different requirements. 
Check the&nbsp;</em><a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars"><em>CMS Acceptable Risk Safeguards</em></a><em> (ARS) to find out specific requirements for your system.</em></p><p dir="ltr"><em>The following is a sample of a yearly test and maintenance schedule for a high-impact system:</em></p><table><thead><tr><th><p dir="ltr">Step</p></th><th><p dir="ltr">Date due by</p></th><th><p dir="ltr">Responsible party</p></th><th><p dir="ltr">Date scheduled</p></th><th><p dir="ltr">Date held</p></th></tr></thead><tbody><tr><td><p dir="ltr">Identify failover test facilitator.</p></td><td><p dir="ltr">March 1&nbsp;</p></td><td><p dir="ltr">ISCP Coordinator</p></td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td><p dir="ltr">Determine scope of failover test (include other systems?).</p></td><td><p dir="ltr">March 15</p></td><td><p dir="ltr">ISCP Coordinator, Test Facilitator</p></td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td><p dir="ltr">Develop failover test plan.</p></td><td><p dir="ltr">April 1&nbsp;</p></td><td><p dir="ltr">Test Facilitator</p></td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td><p dir="ltr">Invite participants.</p></td><td><p dir="ltr">July 10</p></td><td><p dir="ltr">Test Facilitator</p></td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td><p dir="ltr">Conduct functional test.</p></td><td><p dir="ltr">July 31</p></td><td><p dir="ltr">Test Facilitator, ISCP Coordinator, POCs</p></td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td><p dir="ltr">Finalize after action report and lessons learned.</p></td><td><p dir="ltr">August 15</p></td><td><p dir="ltr">ISCP Coordinator</p></td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td><p dir="ltr">Update ISCP based on lessons learned.</p></td><td><p dir="ltr">September 15</p></td><td><p dir="ltr">ISCP Coordinator</p></td><td>&nbsp;</td><td>&nbsp;</td></tr><tr><td><p dir="ltr">Approve and distribute updated version of ISCP.</p></td><td><p dir="ltr">September 30</p></td><td><p dir="ltr">ISCP Director, 
ISCP Coordinator</p></td><td>&nbsp;</td><td>&nbsp;</td></tr></tbody></table><h3 dir="ltr">Appendix I: Associated plans and procedures</h3><p dir="ltr">Information for this section should be available from the system's&nbsp;<a href="https://security.cms.gov/learn/system-security-and-privacy-plan-sspp">System Security and Privacy Plan</a> (SSPP) and can be copied from the SSPP; alternatively, this appendix can reference the applicable section in the SSPP, with the latest version of the SSPP attached to this ISCP.<strong>&nbsp;</strong>ISCPs for other systems that either interconnect with or support the system should be identified in this appendix. For each such ISCP, note its most current version, its location, and its primary point of contact (such as the ISCP Coordinator).&nbsp;</p><h3 dir="ltr">Appendix J: Business Impact Analysis</h3><p dir="ltr"><em>Include the </em><a href="https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook#iscp-prerequisite-bia"><em>Business Impact Analysis (BIA)</em></a><em> that was completed prior to populating this Information System Contingency Plan.</em></p><table><tbody><tr><td><p dir="ltr">END ISCP TEMPLATE</p></td></tr></tbody></table></div></section></div></div></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p 
Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new 
ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner 
(BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of 
authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 
Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO 
Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 
Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization 
(OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero 
Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident 
Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice 
(SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 
Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row 
grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock 
icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not 
found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[3055,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"907\",\"static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js\"],\"default\"]\n18:Td765,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eWhat is an Information System Contingency Plan?\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eContingency planning at the Center for Medicare and Medicaid Services (CMS) is essential for protecting the organization from potential risks and ensuring the continuity of its operations. An\u0026nbsp;\u003cstrong\u003eInformation System Contingency Plan\u003c/strong\u003e (ISCP) is the cornerstone document of contingency planning, and every CMS system must have one in place. 
The ISCP provides a framework for responding to and mitigating the effects of unexpected events, such as natural disasters, data breaches, and public health crises.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe ISCP outlines risk management strategies, such as crisis management protocols, data backup and recovery procedures, business continuity plans, and roles and responsibilities.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe plan generally includes one or more of the following approaches to restore disrupted services:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRestoring information systems using alternate equipment in case of an equipment failure\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAlternate data processing means\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAlternate location(s) in case of a natural disaster\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eContingency planning also involves establishing clear communication channels between CMS and its stakeholders, such as healthcare providers, patients, and the general public. By being prepared for potential risks, CMS can ensure that its operations remain uninterrupted and that its stakeholders are kept informed of any changes.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eFederal guidance for contingency planning\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eCMS utilizes guidance provided by the\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNational Institute of Standards and Technology (NIST) SP 800-53\u003c/a\u003e\u0026nbsp;and the\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma\"\u003eFederal Information Systems Management Act\u003c/a\u003e (FISMA) to inform its internal contingency planning process. 
FISMA defines three security objectives for information and information systems:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eConfidentiality:\u0026nbsp;\u003c/strong\u003ePreserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eIntegrity\u003c/strong\u003e: Guarding against improper information modification or destruction, which includes ensuring information nonrepudiation and authenticity.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eAvailability\u003c/strong\u003e: Ensuring timely and reliable access to and use of information.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCMS's Information Security and Privacy Group (ISPG) has also identified all controls relevant to the contingency planning process for CMS systems in the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards\u003c/a\u003e. You can use this document to inform your contingency planning efforts.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eRoles and responsibilities\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eContingency planning involves cooperation between every person on a system team, including the System/Business Owner, the Information System Security Officer (ISSO), the system's data center or hosting facility, and senior CMS leadership.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eSpecifically, System/Business Owners and ISSOs play an integral role in the development and maintenance of Information System Contingency Plans for FISMA systems at CMS. 
For specific responsibilities of various roles, refer to the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#program-and-information-system-roles\"\u003eCMS Information Systems Security and Privacy Policy\u003c/a\u003e (IS2P2).\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eISCP prerequisite: BIA\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eBefore you start creating or updating your Information System Contingency Plan, you need to complete a Business Impact Analysis (BIA). Without this crucial document included as an appendix,\u0026nbsp;\u003cstrong\u003eyour ISCP will be incomplete\u003c/strong\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eWhat is a Business Impact Analysis (BIA)?\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe\u0026nbsp;\u003cstrong\u003eBusiness Impact Analysis (BIA)\u0026nbsp;\u003c/strong\u003eis an essential part of the contingency planning process. It helps System/Business Owners identify preventative actions required to mitigate risk, and the resources available to keep systems safe. The ISSO coordinates with the System/Business Owner to identify key processes and determine how critical they are to overall system functionality. 
This effort will result in a completed BIA.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eBIAs serve as the primary requirement document for determining the key recovery metrics that are addressed in the ISCP, including:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRecovery Point Objective (RPO)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecovery Time Objective (RTO)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eMaximum Tolerable Downtime (MTD)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWork Recovery Time (WRT)\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe goal is to ensure that there are plans in place to restore business functionality within the Maximum Tolerable Downtime (MTD). Note that this may involve restoring the system as originally constructed, moving to alternate processing facilities, or even moving to alternate processing methods.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe following information should be used to create the system BIA. Once the BIA is completed, it\u0026nbsp;\u003cstrong\u003emust be included as an appendix to the ISCP\u003c/strong\u003e and reviewed annually. When it's time to review and recertify your ISCP, you must attach the BIA as an appendix again, even if the BIA hasn't changed from the previous year.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eBIA template\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eUse this sample template to perform your Business Impact Analysis (BIA) and create a BIA document as part of your contingency planning process. This template is meant to be a guide that can be adjusted to best meet the needs of your system.\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eIn this template, words in\u0026nbsp;\u003cstrong\u003eitalics\u003c/strong\u003e are instructional and are meant to be deleted from the final document. Words in regular (non-italic) text are intended to remain. 
Copy and paste the BIA instructions and template below into a document to begin your BIA process.\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eBIA TEMPLATE BEGINS BELOW\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eOverview\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThis Business Impact Analysis (BIA) is developed as part of the contingency planning process for the {system name (system acronym)}. It was prepared on {insert BIA completion date}.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003ePurpose\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe purpose of this BIA is to identify and prioritize system components by correlating them to the mission / business processes the system supports, and using this information to characterize the impact on the processes if the system were unavailable.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe BIA is composed of the following three steps:\u003c/p\u003e\u003col\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eDetermine mission / business processes and recovery criticality.\u003c/strong\u003e Mission / business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum that an organization can tolerate while still maintaining the mission.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eIdentify resource requirements\u003c/strong\u003e. Realistic recovery efforts require a thorough evaluation of the resources required to resume mission / business processes and related interdependencies as quickly as possible. 
Examples of resources that should be identified include facilities, personnel, equipment, software, data files, system components, and vital records.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eIdentify recovery priorities for system resources\u003c/strong\u003e. Based upon the results from the previous activities, system resources can more clearly be linked to critical mission / business processes. Priority levels can be established for sequencing recovery activities and resources.\u003c/li\u003e\u003c/ol\u003e\u003cp dir=\"ltr\"\u003eThis document is used to build the {system name} Information System Contingency Plan (ISCP) and is included as a key component of the ISCP. It also may be used to support the development of other contingency plans associated with the system, including the Disaster Recovery Plan (DRP) or Cyber Incident Response Plan.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eSystem Description\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide a general description of system architecture and functionality. Indicate the operating environment, physical location, general location of users, and partnerships with external organizations/systems. Include information regarding any other technical considerations that are important for recovery purposes, such as backup procedures.\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eDiagrams of architecture, inputs / outputs, and telecommunications\u0026nbsp;\u003cstrong\u003eare not required\u003c/strong\u003e as part of the BIA. 
Those are provided in \u003c/em\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook#appendix-g-diagrams\"\u003e\u003cem\u003eAppendix G for ISCPs at CMS\u003c/em\u003e\u003c/a\u003e\u003cem\u003e.\u003c/em\u003e\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eMission and business processes\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eTo complete this section, you will work with input from\u0026nbsp;users, managers, mission/business process owners, and other internal or external points of contact (POC), to identify the specific mission/business processes that depend on or support the information system. To collect all this information, you can use interviews with individuals or groups, workshops, email, questionnaires, or any combination of those methods.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eIn later sections, you will also identify the criticality of those processes.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eAn example of a mission/business process and description is below. 
Create your own list for the system that needs the BIA.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eSample Mission/Business Process\u003c/strong\u003e: Pay vendor invoice\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eSample Description\u003c/strong\u003e: Process of obligating funds, issuing check or electronic payment, and acknowledging receipt\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe following list outlines the mission / business processes for {system name}.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eMission/Business Process\u003c/strong\u003e:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eDescription\u003c/strong\u003e:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e(add more as needed)\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eOutage Impacts\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThis section identifies and characterizes the types of impact categories that a system disruption is likely to create in addition to those identified by the\u0026nbsp;\u003c/em\u003e\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\"\u003e\u003cem\u003eFIPS 199 impact level\u003c/em\u003e\u003c/a\u003e\u003cem\u003e, as well as the estimated downtime that the organization can tolerate for a given process.\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eImpact categories should be created and values assigned to these categories in order to measure the level or type of impact a disruption may cause. An example of cost as an impact category has been provided below. Organizations should consider other categories like harm to individuals and ability to perform mission. 
Create as many categories as you need to reflect what is appropriate for your organization.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe following impact categories represent important areas for consideration in the event of a disruption or impact.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eSample impact category: Cost\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eSample values for assessing category impact:\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eSevere = Temp staffing, overtime, fees greater than $1 million\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eModerate = fines, penalties, liabilities potential $550K\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eMinimal = new contracts, supplies $75K\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eImpact category: {insert category name}\u003c/p\u003e\u003cp dir=\"ltr\"\u003eImpact values for assessing category impact:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eSevere = {insert value}\u003c/li\u003e\u003cli dir=\"ltr\"\u003eModerate = {insert value}\u003c/li\u003e\u003cli dir=\"ltr\"\u003eMinimal = {insert value}\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e(add more categories and their values as needed)\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe table below summarizes the impact on each mission/business process if {system name} were unavailable, based on the following criteria:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eMission/Business Process\u003c/strong\u003e\u003c/p\u003e\u003c/th\u003e\u003cth colspan=\"5\"\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eImpact 
Category\u003c/strong\u003e\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003e{\u003c/strong\u003e\u003cem\u003e\u003cstrong\u003einsert\u003c/strong\u003e\u003c/em\u003e\u003cstrong\u003e}\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003e{\u003c/strong\u003e\u003cem\u003e\u003cstrong\u003einsert\u003c/strong\u003e\u003c/em\u003e\u003cstrong\u003e}\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003e{\u003c/strong\u003e\u003cem\u003e\u003cstrong\u003einsert\u003c/strong\u003e\u003c/em\u003e\u003cstrong\u003e}\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003e{\u003c/strong\u003e\u003cem\u003e\u003cstrong\u003einsert\u003c/strong\u003e\u003c/em\u003e\u003cstrong\u003e}\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eImpact\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003ePay vendor invoice 
(example)\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eEstimated downtime\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eWorking directly with mission/business process owners, departmental staff, managers, and other stakeholders, estimate the downtime factors for consideration as a result of a disruptive event.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe following are the downtime factors considered in the result of a disruptive event for {system name}.\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eMaximum Tolerable Downtime (MTD).\u0026nbsp;\u003c/strong\u003e\u0026nbsp;The MTD represents the total amount of time leaders/managers are willing to accept for a mission/business process outage or disruption and includes all impact considerations.\u0026nbsp; Determining MTD is important because it could leave continuity planners 
with imprecise direction on (1) selection of an appropriate recovery method, and (2) the depth of detail which will be required when developing recovery procedures, including their scope and content.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eRecovery Time Objective (RTO).\u003c/strong\u003e\u0026nbsp; RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD.\u0026nbsp; Determining the information system resource RTO is important for selecting appropriate technologies that are best suited for meeting the MTD.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eRecovery Point Objective (RPO\u003c/strong\u003e).\u0026nbsp; The RPO represents the point in time, prior to a disruption or system outage, to which mission/business process data must be recovered (given the most recent backup copy of the data) after an outage.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe list below identifies the MTD, RTO, and RPO (as applicable) for the organizational mission/business processes that rely on {system name}.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eValues for MTDs and RPOs are expected to be specific time frames, identified in hourly increments (e.g., 8 hours, 36 hours, etc.)\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eSample Mission/Business Process\u003c/strong\u003e: Pay vendor invoice\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eMTD: 72 hours\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eRTO: 48 hours\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eRPO: 12 hours (last backup)\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eDrivers for MTD, RTO, and RPO\u003c/strong\u003e: 
For each Mission/Business Process, include a description of the drivers for the MTD, RTO, and RPO (e.g., mandate, workload, performance measure, etc.). Include a description of any alternate means (secondary processing or manual workaround) for recovering the Mission/Business Processes that rely on the system. If none exist, so state.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eMission/Business Process\u003c/strong\u003e:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eMTD:\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRTO:\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRPO:\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eDrivers for MTD, RTO, and RPO\u003c/strong\u003e:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResource Requirements\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe following list identifies the resources that compose {system name} including hardware, software, and other resources such as data files. It is assumed that all identified resources support the Mission/Business Processes identified above unless otherwise stated.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eSample System Resource/Component\u003c/strong\u003e: Web Server 1\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003ePlatform/OS/Version: Optiplex GX280\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eDescription: Website host\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eSystem Resource/Component\u003c/strong\u003e:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePlatform/OS/Version:\u003c/li\u003e\u003cli dir=\"ltr\"\u003eDescription:\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eRecovery priorities for system resources\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe list below shows the order of recovery for {system name} resources. 
The highest priority resources are listed first. The list also identifies the expected time for recovering the resource (RTO) following a “worst case” (complete rebuild/repair or replacement) disruption.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eSample Priority Resource\u003c/strong\u003e: Web Server 1\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eSystem Platform/Component: Optiplex GX280\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eRecovery Time Objective (RTO): 24 hours to rebuild or replace\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003ePriority Resource\u003c/strong\u003e:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eSystem Platform/Component:\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecovery Time Objective (RTO):\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eEND BIA TEMPLATE\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eISCP steps\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eWith your BIA complete (and ONLY when it's complete!), you can begin the process of creating or updating your Information System Contingency Plan. If you already have a completed BIA from the previous year, review it for accuracy and update it if needed. \u003cstrong\u003eAttach it as an appendix to the ISCP\u003c/strong\u003e regardless of whether updates were made.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eGuidance for each step is listed below.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003e1. 
Create or update ISCP document\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eTo create your ISCP document, use the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook#iscp-template\"\u003eISCP template\u003c/a\u003e provided for use by all CMS FISMA systems. This template is adapted from the NIST ISCP template for High risk level systems. This ensures that all ISCPs for CMS systems meet or exceed compliance requirements for contingency planning.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eUsing the template to create your own ISCP document, you will be capturing information specific to your system including:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eKey recovery metrics for your system\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePre-defined descriptions of conditions that constitute a need for action\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePre-defined actions based on the severity of an identified incident\u003c/li\u003e\u003cli dir=\"ltr\"\u003eKey staff, contact information, and specific duties for each person\u003c/li\u003e\u003cli dir=\"ltr\"\u003eItem-level understanding of all of the system hardware and software\u003c/li\u003e\u003cli dir=\"ltr\"\u003eIf your ISCP references other documents (such as diagrams), they must be included in the ISCP as appendices\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003e2. System/Business Owner signs ISCP\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eOnce completed, the ISCP must be attested to (signed) by the FISMA System Owner. The signature process is repeated annually when the ISCP is reviewed and / or updated.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003e3. 
Exercise (test) the ISCP\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe Information System Contingency Plan must be tested at least once every 365 days to ensure that everyone knows their part in the process of recovering CMS systems in case of an incident. This is commonly referred to as the “Tabletop Exercise”, but a tabletop exercise is only one way to test the ISCP.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eA test plan must be prepared and followed during the execution of the test. All staff who participate in an actual contingency plan event must be available for the test, and key staff members must be trained annually in their contingency responsibilities.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003e\u003cstrong\u003eLearn how to plan and conduct an ISCP exercise here\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e.\u003c/strong\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003e4. Create the After Action Report (AAR)\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAfter the test is conducted, an After Action Report (AAR) must be generated to describe the test and highlight specific deficiencies that must be corrected.\u0026nbsp; These deficiencies may be easily correctable, or may result in the creation of one or more\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones\u003c/a\u003e (POA\u0026amp;Ms).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook#after-action-report-aar-template\"\u003e\u003cstrong\u003eHere is the template for making your After Action Report\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e.\u003c/strong\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003e5. 
Achieve ISCP recertification\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eFor ISCPs that are being reviewed and updated, the updated ISCP must be re-certified by the System/Business Owner. Make sure that all key staff members receive the updated ISCP documents and can access them (\u003cstrong\u003eeven away from the office or after hours\u003c/strong\u003e). Destroy (or return) older copies so that only the current version remains in circulation.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003e6. Plan for next year's exercises\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eIt's never too early to start planning for next year's ISCP exercises. Whether you're engaging in a tabletop exercise or have chosen a different way to evaluate your plan, it's important to leave plenty of time to complete the exercise so that your FISMA system remains compliant. If your FISMA system is involved in an outage that causes you to exercise the ISCP, you should consider documenting the event as an exercise of your plan.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eISCP template\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThe following template provides placeholder content for an ISCP that you can copy and paste into a document. Add information specific to your system to create your ISCP. In this template, words in italics are instructional and are meant to be deleted from the final document.\u003c/em\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eISCP TEMPLATE BEGINS BELOW\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eInformation systems are vital to {insert CMS Center or Office} mission/business processes; therefore,\u0026nbsp;it is critical that\u0026nbsp;services provided by {system name} are able to operate effectively without excessive interruption. 
This Information System Contingency Plan (ISCP) establishes comprehensive\u0026nbsp;procedures\u0026nbsp;to recover {system name} quickly and effectively following a service disruption.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eConcept of operations\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThe Concept of Operations section provides details about your system, and a description of\u0026nbsp;roles and responsibilities of your Center or Office personnel during a contingency activation. Start with the text below, and then continue with as much detail as needed to describe your system's specific operations.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThis section provides details about {system name}, and a description of\u0026nbsp;roles and responsibilities of {insert CMS Center or Office} personnel during a contingency activation.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eSystem description\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eInformation to populate the system description section can be found in the General tab in CFACTS.\u0026nbsp; Ensure the information is correct and use it for this section. Make any updates to the CFACTS record for consistency.\u003c/em\u003e\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eRoles and responsibilities\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe ISCP establishes several roles for {system name} recovery and reconstitution support.\u0026nbsp; Persons or teams assigned ISCP roles have been trained to respond to a contingency event affecting {system name}.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eDescribe each team and role responsible for executing or supporting system recovery and reconstitution.\u0026nbsp; Include responsibilities for each team/role, leadership roles, and coordination with other recovery and reconstitution teams, as applicable. 
At a minimum, a role should be established for a system owner or business unit point of contact, a recovery coordinator, and a technical recovery point of contact. Example format below.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eTeam or individual name: {insert name}\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eRole: {insert role / title}\u003c/p\u003e\u003cp dir=\"ltr\"\u003eResponsibilities: {list responsibilities}\u003c/p\u003e\u003cp dir=\"ltr\"\u003eContact information: {insert contact information}\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eAdd more teams or individuals, along with additional details, as needed\u003c/em\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eActivation and notification\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe\u0026nbsp;\u003cstrong\u003eActivation and Notification Phase\u003c/strong\u003e defines initial actions taken once a disruption to {system name} has been detected or appears to be imminent.\u0026nbsp;This phase includes activities to notify recovery personnel, conduct an outage assessment, and activate the ISCP.\u0026nbsp;At the completion of the Activation and Notification Phase, {system name} ISCP staff will be prepared to perform recovery measures.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eActivation criteria and procedure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe {system name} ISCP may be activated if one or more of the following criteria are met:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eThe type of outage indicates {system name} will be down for more than {RTO hours\u0026nbsp;\u003cem\u003e(copy the RTO from the BIA)\u003c/em\u003e}\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe facility housing {system name} is damaged and may not be available within {RTO hours\u0026nbsp;\u003cem\u003e(copy the RTO from the BIA)\u003c/em\u003e}\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOther criteria, as 
appropriate\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe following persons or roles may activate the ISCP if one or more of the above criteria are met:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eList people or roles from the\u0026nbsp;\u003cstrong\u003eRoles and responsibilities\u003c/strong\u003e section above\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eNotification\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe first step upon activation of the ISCP for {system name} is notification of appropriate business and system support personnel. Contact information for appropriate POCs is included in\u0026nbsp;\u003cstrong\u003eAppendix A: Personnel Contact List\u003c/strong\u003e.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eFor {system name}, the following method and procedure for notifications are used:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eDescribe established notification procedures.\u0026nbsp; Notification procedures should include who makes the initial notifications, the sequence in which personnel are notified (e.g., system owner, technical POC, ISCP Coordinator, business unit or user unit POC, and recovery team POC), and the method of notification (e.g., email blast, call tree, automated notification system, etc.)\u003c/em\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eOutage assessment\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eFollowing notification, a thorough outage assessment is necessary to determine the extent of the disruption, any damage, and expected recovery time.\u0026nbsp; This outage assessment is conducted by the system team. 
Assessment results are provided to the ISCP Coordinator to assist in the coordination of the recovery of {system name}.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eOutline detailed procedures to include how to determine the cause of the outage; identification of potential for additional disruption or damage; assessment of affected physical area(s); and determination of the physical infrastructure status, IS equipment functionality, and inventory.\u0026nbsp; Procedures should include notation of items that will need to be replaced and estimated time to restore service to normal operations\u003c/em\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eRecovery\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe\u0026nbsp;\u003cstrong\u003eRecovery Phase\u003c/strong\u003e provides formal\u0026nbsp;recovery operations that begin after the ISCP has been activated, outage assessments have been completed (if possible), personnel have been notified, and appropriate teams have been mobilized.\u0026nbsp;Recovery Phase activities focus on implementing recovery strategies to restore system capabilities, repair damage, and resume operational capabilities at the original or an alternate location.\u0026nbsp;At the completion of the Recovery Phase, {system name} will be functional and capable of performing the functions identified.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eSequence of recovery activities\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe following activities occur during recovery of {system name}:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eModify the following list as appropriate for the selected system recovery strategy.\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eIdentify recovery location (if not at original location)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eIdentify required resources to perform recovery procedures\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRetrieve 
backup and system installation media\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecover hardware and operating system (if required)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecover system from backup and system installation media\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eRecovery procedures\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe following procedures are provided for recovery of {system name} at the original or established alternate location. Recovery procedures are outlined per team and should be executed in the sequence presented to maintain an efficient recovery effort.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide general procedures for the recovery of the system from backup media. Specific keystroke-level procedures may be provided in an appendix. If specific procedures are provided in an appendix, a reference to that appendix should be included in this section.\u0026nbsp; Teams or persons responsible for each procedure should be identified.\u003c/em\u003e\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eRecovery escalation notices / awareness\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide appropriate procedures for escalation notices during recovery efforts.\u0026nbsp; Notifications during recovery include problem escalation to leadership and status awareness to system owners and users. Teams or persons responsible for each escalation and awareness procedure should be identified.\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eReconstitution\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eReconstitution\u003c/strong\u003e is the process by which recovery activities are completed and normal system operations are resumed.\u0026nbsp; If the original facility is unrecoverable, the activities in this phase can also be applied to preparing a new permanent location to support system processing requirements. 
A determination must be made as to whether the system has undergone significant change and will require reassessment and reauthorization. The phase consists of two major activities: validating successful reconstitution and deactivation of the ISCP.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eConcurrent Processing\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eConcurrent Processing (in which a system operates at two separate locations concurrently for a time period) is not required. If concurrent processing does occur for the system prior to making it operational, procedures should be inserted here.\u0026nbsp; Procedures should include length of time for concurrent processing, processing information on both concurrent systems, and validating information on the new permanent system\u003c/em\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eFor systems that will not require concurrent processing, this section may either be removed, or the following may be used:\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIn concurrent processing, a system operates at two separate locations concurrently until there is a level of assurance that the recovered system is operating correctly.\u0026nbsp; {system name} does not have concurrent processing as part of validation. Once the system has been tested and validated, it will be placed into normal operations.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eValidation Data Testing\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eValidation data testing is the process of testing and validating recovered data to ensure that data files or databases have been recovered completely. 
The following procedures will be used to determine that the recovered data is complete and current to the last available backup:\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide procedures for testing or validation of recovered data to ensure that data is correct and up to date. This section may be combined with the Functionality Testing section if procedures test both the functionality and data validity. Teams or persons responsible for each procedure should be identified. An example of a validation data test for a system would be to log into the system database and check the audit logs to determine that all transactions and updates are current. Detailed data test procedures may be provided in an appendix titled\u0026nbsp;\u003cstrong\u003eSystem Validation Test Plan\u003c/strong\u003e.\u003c/em\u003e\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eValidation Functionality Testing\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eValidation functionality testing is the process of verifying that functionality for {system name} has been tested, and the system is ready to return to normal operations.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide system functionality testing and validation procedures to ensure that the system is operating correctly. This section may be combined with the Data Testing section if procedures test both the functionality and data validity. Teams or persons responsible for each procedure should be identified. An example of a functional test for a system may be logging into the system and running a series of operations as a test or real user to ensure that all parts of the system are operating correctly. 
Detailed functionality test procedures may be provided in an appendix titled,\u0026nbsp;\u003cstrong\u003eSystem Validation Test Plan\u003c/strong\u003e.\u003c/em\u003e\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eRecovery Declaration\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eUpon successfully completing testing and validation, the System/Business Owner will formally declare recovery efforts complete, and that {system name} is in normal operations.\u0026nbsp; {system name} business and technical POCs will be notified of the declaration by the ISCP Coordinator.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eNotification to system users\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eUpon return to normal system operations, {system name} users will be notified by the {role of individual in charge of notification} using predetermined notification procedures (e.g., email, broadcast message, phone calls, etc.).\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eCleanup\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eCleanup is the process of cleaning up or dismantling any temporary recovery locations, restocking supplies used, returning manuals or other documentation to their original locations, and readying the system for a possible future contingency event.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide any specific cleanup procedures for the system, including preferred locations for manuals and documents and returning backup or installation media to its original location.\u003c/em\u003e\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eOffsite Data Storage\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eIt is important that all backup and installation media used during recovery be returned to the offsite data storage location. 
The following procedures should be followed to return backup and installation media to its offsite data storage location.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide procedures for returning retrieved backup or installation media to its offsite data storage location. This may include proper logging and packaging of backup and installation media, preparing for transportation, and validating that media is securely stored at the offsite location.\u003c/em\u003e\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eData Backup\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eAs soon as reasonably possible following recovery, the system should be fully backed up and a new copy of the current operational system stored for future recovery efforts. This full backup is then kept with other system backups. The procedures for conducting a full system backup are:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide appropriate procedures for ensuring that a full system backup is conducted within a reasonable time frame, ideally at the next scheduled backup period. This backup should go offsite with the other media in Offsite Data Storage.\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eEvent documentation\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eIt is important that all recovery events be well-documented, including actions taken and problems encountered during the recovery and reconstitution effort, and lessons learned for inclusion and update to this ISCP. It is the responsibility of each ISCP team or person to document their actions during the recovery and reconstitution effort, and to provide that documentation to the ISCP Coordinator.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide details about the types of information each ISCP team member is required to provide or collect for updating the ISCP with lessons learned. 
Types of documentation that should be generated and collected after a contingency activation include:\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eActivity logs (including recovery steps performed and by whom, the time the steps were initiated and completed, and any problems or concerns encountered while executing activities)\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eFunctionality and data testing results\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eLessons learned documentation\u0026nbsp;\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eAfter Action Report\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEvent documentation procedures should detail responsibilities for development, collection, approval, and maintenance\u003c/em\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eDeactivation of ISCP\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eOnce all activities have been completed and documentation has been updated, the System/Business Owner will formally deactivate the ISCP recovery and reconstitution effort. 
Notification of this declaration will be provided to all business and technical POCs.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eDocument change and approval\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eModifications made to this plan since the last update are as follows:\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003ePage No.\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eChange Comment\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eDate of Change\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eSignature\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix A: Personnel Contact List\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide contact information for each person with a role or responsibility for activation or implementation of the ISCP, or coordination with the ISCP. 
For each person listed, at least one office and one non-office contact number is recommended. Note: Information may contain personally identifiable information (PII) and should be protected.\u003c/em\u003e\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eISCP Director\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eName and title:\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAddress (street, city, state, zip code):\u003c/p\u003e\u003cp dir=\"ltr\"\u003eEmail:\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (home):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (cell):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (work):\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eISCP Director (Alternate)\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eName and title:\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAddress (street, city, state, zip code):\u003c/p\u003e\u003cp dir=\"ltr\"\u003eEmail:\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (home):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (cell):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (work):\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eISCP Coordinator\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eName and title:\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAddress (street, city, state, zip code):\u003c/p\u003e\u003cp dir=\"ltr\"\u003eEmail:\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (home):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (cell):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (work):\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eISCP Coordinator (Alternate)\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eName and title:\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAddress (street, city, state, zip code):\u003c/p\u003e\u003cp dir=\"ltr\"\u003eEmail:\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (home):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (cell):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (work):\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eISCP 
Team Lead\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eName and title:\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAddress (street, city, state, zip code):\u003c/p\u003e\u003cp dir=\"ltr\"\u003eEmail:\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (home):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (cell):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (work):\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eISCP Team Members\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eName and title:\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAddress (street, city, state, zip code):\u003c/p\u003e\u003cp dir=\"ltr\"\u003eEmail:\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (home):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (cell):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (work):\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eList additional team members as needed\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix B: Vendor contact list\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eContact information for all key maintenance or support vendors should be included in this appendix. 
Contact information, such as emergency phone numbers, contact names, contract numbers, and contractual response and onsite times should be included.\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix C: Detailed recovery procedures\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eTo create this appendix, describe the detailed recovery procedures for the system, which may include items such as:\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eKeystroke-level recovery steps\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eSystem installation instructions from tape, CD, or other media\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eRequired configuration settings or changes\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eRecovery of data from tape and audit logs\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eOther system recovery procedures, as appropriate\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eIf the system relies totally on another group or system for its recovery and reconstitution (such as a mainframe system), information provided should include contact information and locations of detailed recovery and reconstitution procedures for that supporting system.\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix D: Alternate processing procedures\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThis section should identify any alternate manual or technical processing procedures available that allow the business unit to continue some processing of information that would normally be done by the affected system. 
Examples of alternate processes include manual forms processing, input into workstations to store data until it can be uploaded and processed, or queuing of data input.\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix E: System validation test plan\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eTo create this appendix, describe system acceptance procedures that are performed after the system has been recovered and prior to putting the system into full operation and returning it to users. The system validation test plan may include the regression or functionality testing conducted prior to implementation of a system upgrade or change.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eAn example of a system validation test plan is below. Create your own test plan using steps that will validate the functionality of your system.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eOnce the system has been recovered, the following steps will be performed to validate system data and functionality:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eProcedure\u003c/strong\u003e\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eExpected results\u003c/strong\u003e\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eActual results\u003c/strong\u003e\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eSuccessful?\u003c/strong\u003e\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003ePerformed by\u003c/strong\u003e\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eAt the Command Prompt, type in sysname\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eSystem Log-in Screen 
appears\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eLog in as user testuser, using password testpass\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eInitial Screen with Main Menu shows\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eFrom Menu, select 5: Generate Report\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eReport Generation Screen shows\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eSelect Current Date Report; Select Weekly; Select To Screen\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eReport is generated on screen with last successful transaction included\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eSelect Close\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eReport Generation Screen shows\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eSelect Return to Main Menu\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eInitial Screen with Main Menu 
shows\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eSelect Log-Off\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eLog-in Screen appears\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix F: Alternate storage, site, and telecommunications\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThis appendix provides information for alternate storage, alternate processing site, and alternate telecommunications for the system.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eAlternate storage, site, and telecommunications information is required for high-impact systems, per NIST SP 800-53 Rev. 5.\u0026nbsp; Refer to NIST SP 800-53 Rev. 5, for details on control specifics. 
(Moderate or Low systems may not have the same control specifics for this item.)\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eInformation that should be provided for each area includes:\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eAlternate Storage\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eCity and state of alternate storage facility, and distance from primary facility;\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eWhether the alternate storage facility is owned by the organization or is a third-party storage provider\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eName and points of contact for the alternate storage facility\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eDelivery schedule and procedures for packaging media to go to alternate storage facility\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eProcedures for retrieving media from the alternate storage facility\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNames and contact information for those persons authorized to retrieve media\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eAlternate storage configuration features that facilitate recovery operations (such as keyed or card reader access by authorized retrieval personnel)\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eAny potential accessibility problems to the alternate storage site in the event of a widespread disruption or disaster\u0026nbsp;\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eMitigation steps to access alternate storage site in the event of a widespread disruption or disaster\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eTypes of data located at alternate storage site, including databases, application software, operating 
systems, and other critical information system software\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eOther information as appropriate\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eAlternate Processing Site\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eCity and state of alternate processing site, and distance from primary facility\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eWhether the alternate processing site is owned by the organization or is a third-party site provider\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eName and points of contact for the alternate processing site\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eProcedures for accessing and using the alternate\u0026nbsp; processing site, and access security features of alternate processing site\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNames and contact information for those persons authorized to go to alternate processing site\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eType of alternate processing site, and equipment available at site\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eAlternate processing site configuration information (such as available power, floor space, office space, telecommunications availability, etc.)\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eAny potential accessibility problems to the alternate processing site in the event of a widespread disruption or disaster\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eMitigation steps to access alternate processing site in the event of a widespread disruption or disaster\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eSLAs or other agreements of use of alternate processing site, available 
office/support space, setup times, etc.\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eOther information as appropriate\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eAlternate Telecommunications\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eName and contact information of alternate telecommunications vendors\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eGeographic locations of alternate telecommunications vendor facilities (such as central offices, switch centers, etc.)\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eContracted capacity of alternate telecommunications\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eSLAs or other agreements for implementation of alternate telecommunications capacity\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eInformation on alternate telecommunications vendor contingency plans\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNames and contact information for those persons authorized to implement or use alternate telecommunications capacity\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eOther information as appropriate\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix G: Diagrams\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eInformation for this section should be available from the\u0026nbsp;\u003c/em\u003e\u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003e\u003cem\u003eSystem Security and Privacy Plan\u003c/em\u003e\u003c/a\u003e\u003cem\u003e (SSPP) for the system and can be copied from the SSPP,\u003cstrong\u003e\u0026nbsp;\u003c/strong\u003eor reference the applicable section in the SSPP and attach the latest version of the SSPP to this 
ISCP.\u003cstrong\u003e\u0026nbsp;\u003c/strong\u003eInclude any system architecture, input/output, or other technical or logical diagrams that may be useful in recovering the system. Diagrams may also identify information about interconnection with other systems.\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix H: Test and maintenance schedule\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eAll ISCPs should be\u0026nbsp;\u003c/em\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003e\u003cem\u003ereviewed and tested\u003c/em\u003e\u003c/a\u003e\u003cem\u003e at the organization-defined frequency (e.g., yearly) or whenever there is a significant change to the system. Provide information and a schedule for the testing of the system. The ISCP test should include all ISCP points of contact and be facilitated by an outside or impartial observer.\u0026nbsp; A formal test plan is developed prior to the functional test, and test procedures are developed to include key sections of the ISCP, including the following:\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNotification procedures\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eSystem recovery on an alternate platform from backup media\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eInternal and external connectivity\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eReconstitution procedures\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eResults of the test are documented in an After Action Report (AAR), and Lessons Learned are developed for updating information in the ISCP.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eNOTE\u003c/strong\u003e: Full functional tests of systems normally are failover tests to the alternate locations, and may be 
very disruptive to system operations if not planned well. Other systems located in the same physical location may be affected by or included in the full functional test. It is highly recommended that several functional tests be conducted and evaluated prior to conducting a full functional (failover) test.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eExamples of functional tests that may be performed prior to a full functional test include:\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eFull notification and response of key personnel to recovery location\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eRecovery of a server or database from backup media\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eSetup and processing from a server at an alternate location\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eNot all systems\u003c/strong\u003e are required to perform a full functional test as part of ISCP testing. Moderate or low systems may have different requirements. 
Check the\u0026nbsp;\u003c/em\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003e\u003cem\u003eCMS Acceptable Risk Safeguards\u003c/em\u003e\u003c/a\u003e\u003cem\u003e (ARS) to find out specific requirements for your system.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThe following is a sample of a yearly test and maintenance schedule for a high-impact system:\u003c/em\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003eStep\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003eDate due by\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003eResponsible party\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003eDate scheduled\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003eDate held\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eIdentify failover test facilitator.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eMarch 1\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eISCP Coordinator\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eDetermine scope of failover test (include other systems?).\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eMarch 15\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eISCP Coordinator, Test Facilitator\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eDevelop failover test plan.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eApril 1\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eTest 
Facilitator\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eInvite participants.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eJuly 10\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eTest Facilitator\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eConduct functional test.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eJuly 31\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eTest Facilitator, ISCP Coordinator, POCs\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eFinalize after action report and lessons learned.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eAugust 15\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eISCP Coordinator\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eUpdate ISCP based on lessons learned.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eSeptember 15\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eISCP Coordinator\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eApprove and distribute updated version of ISCP.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eSeptember 30\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eISCP Director, ISCP 
Coordinator\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix I: Associated plans and procedures\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eInformation for this section should be available from the systems\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan\u003c/a\u003e (SSPP) and can be copied from the SSPP or reference the applicable section in the SSPP and attach the latest version of the SSPP to this ISCP.\u003cstrong\u003e\u0026nbsp;\u003c/strong\u003eISCPs for other systems that either interconnect or support the system should be identified in this appendix. The most current version of the ISCP, location of ISCP, and primary point of contact (such as the ISCP Coordinator) should be noted.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix J: Business Impact Analysis\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eInclude the \u003c/em\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook#iscp-prerequisite-bia\"\u003e\u003cem\u003eBusiness Impact Analysis (BIA)\u003c/em\u003e\u003c/a\u003e\u003cem\u003e that was completed prior to populating this Information System Contingency Plan.\u003c/em\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eEND ISCP TEMPLATE\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"19:Td765,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eWhat is an Information System Contingency Plan?\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eContingency planning at the Center for Medicare and Medicaid 
Services (CMS) is essential for protecting the organization from potential risks and ensuring the continuity of its operations. An\u0026nbsp;\u003cstrong\u003eInformation System Contingency Plan\u003c/strong\u003e (ISCP) is the cornerstone document of contingency planning, and every CMS system must have one in place. The ISCP provides a framework for responding to and mitigating the effects of unexpected events, such as natural disasters, data breaches, and public health crises.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe ISCP outlines risk management strategies, such as crisis management protocols, data backup and recovery procedures, business continuity plans, and roles and responsibilities.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe plan generally includes one or more of the following approaches to restore disrupted services:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRestoring information systems using alternate equipment in case of an equipment failure\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAlternate data processing means\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAlternate location(s) in case of a natural disaster\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eContingency planning also involves establishing clear communication channels between CMS and its stakeholders, such as healthcare providers, patients, and the general public. 
By being prepared for potential risks, CMS can keep interruptions to its operations to a minimum and ensure that its stakeholders are kept informed of any changes.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eFederal guidance for contingency planning\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eCMS utilizes guidance provided by the\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNational Institute of Standards and Technology (NIST) SP 800-53\u003c/a\u003e\u0026nbsp;and the\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma\"\u003eFederal Information Security Modernization Act\u003c/a\u003e (FISMA) to inform its internal contingency planning process. FISMA defines three security objectives for information and information systems:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eConfidentiality:\u0026nbsp;\u003c/strong\u003ePreserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eIntegrity\u003c/strong\u003e: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eAvailability\u003c/strong\u003e: Ensuring timely and reliable access to and use of information.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCMS's Information Security and Privacy Group (ISPG) has also identified all controls relevant to the contingency planning process for CMS systems in the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards\u003c/a\u003e. 
You can use this document to inform your contingency planning efforts.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eRoles and responsibilities\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eContingency planning involves cooperation between every person on a system team including the System/Business Owner, the Information System Security Officer (ISSO), the system's data center or hosting facility, and senior CMS leadership.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eSpecifically, System/Business Owners and ISSOs play an integral role in the development and maintenance of Information System Contingency Plans for FISMA systems at CMS. For specific responsibilities of various roles, refer to the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#program-and-information-system-roles\"\u003eCMS Information Systems Security and Privacy Policy\u003c/a\u003e (IS2P2).\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eISCP prerequisite: BIA\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eBefore you start creating or updating your Information System Contingency Plan, you need to complete a Business Impact Analysis (BIA). Without this crucial document included as an appendix,\u0026nbsp;\u003cstrong\u003eyour ISCP will be incomplete\u003c/strong\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eWhat is a Business Impact Analysis (BIA)?\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe\u0026nbsp;\u003cstrong\u003eBusiness Impact Analysis (BIA)\u0026nbsp;\u003c/strong\u003eis an essential part of the contingency planning process. It helps System/Business Owners identify preventative actions required to mitigate risk, and the resources available to keep systems safe. The ISSO coordinates with the System/Business Owner to identify key processes and determine how critical they are to overall system functionality. 
This effort will result in a completed BIA.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eBIAs serve as the primary requirement document for determining the key recovery metrics that are addressed in the ISCP including:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRecovery Point Objective (RPO)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecovery Time Objective (RTO)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eMaximum Tolerable Downtime (MTD)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWork Recovery Time (WRT)\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe goal is to ensure that there are plans in place to restore business functionality within the Maximum Tolerable Downtime (MTD). Note that this may involve restoring the system as originally constructed, moving to alternate processing facilities, or even moving to alternate processing methods.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe following information should be used to create the system BIA. Once the BIA is completed, it\u0026nbsp;\u003cstrong\u003emust be included as an appendix to the ISCP\u003c/strong\u003e and reviewed annually. When it's time to review and recertify your ISCP, you must attach the BIA as an appendix again, even if the BIA hasn't changed from the previous year.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eBIA template\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eUse this sample template to perform your Business Impact Analysis (BIA) and create a BIA document as part of your contingency planning process. This template is meant to be a guide that can be adjusted to best meet the needs of your system.\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eIn this template, words in\u0026nbsp;\u003cstrong\u003eitalics\u003c/strong\u003e are instructional and are meant to be deleted from the final document. Words in regular (non-italic) text are intended to remain. 
Copy and paste the BIA instructions and template below into a document to begin your BIA process.\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eBIA TEMPLATE BEGINS BELOW\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eOverview\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThis Business Impact Analysis (BIA) is developed as part of the contingency planning process for the {system name (system acronym)}. It was prepared on {insert BIA completion date}.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003ePurpose\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe purpose of this BIA is to identify and prioritize system components by correlating them to the mission / business processes the system supports, and using this information to characterize the impact on the processes if the system were unavailable.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe BIA is composed of the following three steps:\u003c/p\u003e\u003col\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eDetermine mission / business processes and recovery criticality.\u003c/strong\u003e Mission / business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum that an organization can tolerate while still maintaining the mission.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eIdentify resource requirements\u003c/strong\u003e. Realistic recovery efforts require a thorough evaluation of the resources required to resume mission / business processes and related interdependencies as quickly as possible. 
Examples of resources that should be identified include facilities, personnel, equipment, software, data files, system components, and vital records.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eIdentify recovery priorities for system resources\u003c/strong\u003e. Based upon the results from the previous activities, system resources can more clearly be linked to critical mission / business processes. Priority levels can be established for sequencing recovery activities and resources.\u003c/li\u003e\u003c/ol\u003e\u003cp dir=\"ltr\"\u003eThis document is used to build the {system name} Information System Contingency Plan (ISCP) and is included as a key component of the ISCP. It also may be used to support the development of other contingency plans associated with the system, including the Disaster Recovery Plan (DRP) or Cyber Incident Response Plan.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eSystem Description\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide a general description of system architecture and functionality. Indicate the operating environment, physical location, general location of users, and partnerships with external organizations/systems. Include information regarding any other technical considerations that are important for recovery purposes, such as backup procedures.\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eDiagrams of architecture, inputs / outputs, and telecommunications\u0026nbsp;\u003cstrong\u003eare not required\u003c/strong\u003e as part of the BIA. 
Those are provided in \u003c/em\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook#appendix-g-diagrams\"\u003e\u003cem\u003eAppendix G for ISCPs at CMS\u003c/em\u003e\u003c/a\u003e\u003cem\u003e.\u003c/em\u003e\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eMission and business processes\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eTo complete this section, you will work with input from\u0026nbsp;users, managers, mission/business process owners, and other internal or external points of contact (POC), to identify the specific mission/business processes that depend on or support the information system. To collect all this information, you can use interviews with individuals or groups, workshops, email, questionnaires, or any combination of those methods.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eIn later sections, you will also identify the criticality of those processes.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eAn example of a mission/business process and description is below. 
Create your own list for the system that needs the BIA.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eSample Mission/Business Process\u003c/strong\u003e: Pay vendor invoice\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eSample Description\u003c/strong\u003e: Process of obligating funds, issuing check or electronic payment, and acknowledging receipt\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe following list outlines the mission / business processes for {system name}.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eMission/Business Process\u003c/strong\u003e:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eDescription\u003c/strong\u003e:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e(add more as needed)\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eOutage Impacts\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThis section identifies and characterizes the types of impact categories that a system disruption is likely to create in addition to those identified by the\u0026nbsp;\u003c/em\u003e\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\"\u003e\u003cem\u003eFIPS 199 impact level\u003c/em\u003e\u003c/a\u003e\u003cem\u003e, as well as the estimated downtime that the organization can tolerate for a given process.\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eImpact categories should be created and values assigned to these categories in order to measure the level or type of impact a disruption may cause. An example of cost as an impact category has been provided below. Organizations should consider other categories like harm to individuals and ability to perform mission. 
Create as many categories as you need to reflect what is appropriate for your organization.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe following impact categories represent important areas for consideration in the event of a disruption or impact.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eSample impact category: Cost\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eSample values for assessing category impact:\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eSevere = Temp staffing, overtime, fees greater than $1 million\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eModerate = fines, penalties, liabilities potential $550K\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eMinimal = new contracts, supplies $75K\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eImpact category: {insert category name}\u003c/p\u003e\u003cp dir=\"ltr\"\u003eImpact values for assessing category impact:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eSevere = {insert value}\u003c/li\u003e\u003cli dir=\"ltr\"\u003eModerate = {insert value}\u003c/li\u003e\u003cli dir=\"ltr\"\u003eMinimal = {insert value}\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e(add more categories and their values as needed)\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe table below summarizes the impact on each mission/business process if {system name} were unavailable, based on the following criteria:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eMission/Business Process\u003c/strong\u003e\u003c/p\u003e\u003c/th\u003e\u003cth colspan=\"5\"\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eImpact 
Category\u003c/strong\u003e\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003e{\u003c/strong\u003e\u003cem\u003e\u003cstrong\u003einsert\u003c/strong\u003e\u003c/em\u003e\u003cstrong\u003e}\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003e{\u003c/strong\u003e\u003cem\u003e\u003cstrong\u003einsert\u003c/strong\u003e\u003c/em\u003e\u003cstrong\u003e}\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003e{\u003c/strong\u003e\u003cem\u003e\u003cstrong\u003einsert\u003c/strong\u003e\u003c/em\u003e\u003cstrong\u003e}\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003e{\u003c/strong\u003e\u003cem\u003e\u003cstrong\u003einsert\u003c/strong\u003e\u003c/em\u003e\u003cstrong\u003e}\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eImpact\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003ePay vendor invoice 
(example)\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eEstimated downtime\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eWorking directly with mission/business process owners, departmental staff, managers, and other stakeholders, estimate the downtime factors for consideration as a result of a disruptive event.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe following are the downtime factors considered as a result of a disruptive event for {system name}.\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eMaximum Tolerable Downtime (MTD).\u0026nbsp;\u003c/strong\u003e\u0026nbsp;The MTD represents the total amount of time leaders/managers are willing to accept for a mission/business process outage or disruption and includes all impact considerations.\u0026nbsp; Determining the MTD is important because, without it, continuity planners are left 
with imprecise direction on (1) selection of an appropriate recovery method, and (2) the depth of detail which will be required when developing recovery procedures, including their scope and content.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eRecovery Time Objective (RTO).\u003c/strong\u003e\u0026nbsp; RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD.\u0026nbsp; Determining the information system resource RTO is important for selecting appropriate technologies that are best suited for meeting the MTD.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eRecovery Point Objective (RPO).\u003c/strong\u003e\u0026nbsp; The RPO represents the point in time, prior to a disruption or system outage, to which mission/business process data must be recovered (given the most recent backup copy of the data) after an outage. The RPO therefore bounds the amount of data loss that is acceptable and drives how frequently backups must be taken.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe list below identifies the MTD, RTO, and RPO (as applicable) for the organizational mission/business processes that rely on {system name}.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eValues for MTDs, RTOs, and RPOs are expected to be specific time frames, identified in hourly increments (e.g., 8 hours, 36 hours, etc.)\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eSample Mission/Business Process\u003c/strong\u003e: Pay vendor invoice\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eMTD: 72 hours\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eRTO: 48 hours\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eRPO: 12 hours (last backup)\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eDrivers for MTD, RTO, and RPO\u003c/strong\u003e: 
For each Mission/Business Process, include a description of the drivers for the MTD, RTO, and RPO (e.g., mandate, workload, performance measure, etc.). Include a description of any alternate means (secondary processing or manual workaround) for recovering the Mission/Business Processes that rely on the system. If none exist, so state.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eMission/Business Process\u003c/strong\u003e:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eMTD:\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRTO:\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRPO:\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eDrivers for MTD, RTO, and RPO\u003c/strong\u003e:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResource Requirements\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe following list identifies the resources that compose {system name} including hardware, software, and other resources such as data files. It is assumed that all identified resources support the Mission/Business Processes identified above unless otherwise stated.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eSample System Resource/Component\u003c/strong\u003e: Web Server 1\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003ePlatform/OS/Version: Optiplex GX280\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eDescription: Website host\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eSystem Resource/Component\u003c/strong\u003e:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePlatform/OS/Version:\u003c/li\u003e\u003cli dir=\"ltr\"\u003eDescription:\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eRecovery priorities for system resources\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe list below shows the order of recovery for {system name} resources. 
The highest priority resources are listed first. The list also identifies the expected time for recovering the resource (RTO) following a “worst case” (complete rebuild/repair or replacement) disruption.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eSample Priority Resource\u003c/strong\u003e: Web Server 1\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eSystem Platform/Component: Optiplex GX280\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eRecovery Time Objective (RTO): 24 hours to rebuild or replace\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003ePriority Resource\u003c/strong\u003e:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eSystem Platform/Component:\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecovery Time Objective (RTO):\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eEND BIA TEMPLATE\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eISCP steps\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eWith your BIA complete (and ONLY when it's complete!), you can begin the process of creating or updating your Information System Contingency Plan. If you already have a completed BIA from the previous year, review it for accuracy and update if needed. \u003cstrong\u003eAttach it as an appendix to the ISCP\u003c/strong\u003e regardless of whether updates were made.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eGuidance for each step is listed below.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003e1. 
Create or update ISCP document\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eTo create your ISCP document, use the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook#iscp-template\"\u003eISCP template\u003c/a\u003e provided for use by all CMS FISMA systems. This template is adapted from the NIST ISCP template for high-impact (FIPS 199) systems. Because it is written to the high-impact baseline, using it for every CMS system ensures that all ISCPs meet or exceed compliance requirements for contingency planning; consult the CMS Acceptable Risk Safeguards (ARS) for the specific requirements that apply at your system's impact level.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eUsing the template to create your own ISCP document, you will be capturing information specific to your system including:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eKey recovery metrics for your system\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePre-defined descriptions of conditions that constitute a need for action\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePre-defined actions based on the severity of an identified incident\u003c/li\u003e\u003cli dir=\"ltr\"\u003eKey staff, contact information, and specific duties for each person\u003c/li\u003e\u003cli dir=\"ltr\"\u003eItem-level understanding of all of the system hardware and software\u003c/li\u003e\u003cli dir=\"ltr\"\u003eIf your ISCP references other documents (such as diagrams), they must be included in the ISCP as appendices\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003e2. System/Business Owner signs ISCP\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eOnce completed, the ISCP must be attested to (signed) by the FISMA System Owner. The signature process is repeated annually when the ISCP is reviewed and / or updated.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003e3. 
Exercise (test) the ISCP\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe Information System Contingency Plan must be tested at least once every 365 days to ensure that everyone knows their part in the process of recovering CMS systems in case of an incident. This is commonly referred to as the “Tabletop Exercise”, but a tabletop exercise is only one way to test the ISCP.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eA test plan must be prepared and followed during the execution of the test. All staff who participate in an actual contingency plan event must be available for the test, and key staff members must be trained annually in their contingency responsibilities.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003e\u003cstrong\u003eLearn how to plan and conduct an ISCP exercise here\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e.\u003c/strong\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003e4. Create the After Action Report (AAR)\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAfter the test is conducted, an After Action Report (AAR) must be generated to describe the test and highlight specific deficiencies that must be corrected.\u0026nbsp; These deficiencies may be easily correctable, or may result in the creation of one or more\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones\u003c/a\u003e (POA\u0026amp;Ms).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook#after-action-report-aar-template\"\u003e\u003cstrong\u003eHere is the template for making your After Action Report\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e.\u003c/strong\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003e5. 
Achieve ISCP recertification\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eFor ISPCs that are being reviewed and updated, the updated ISCP must be re-certified by the System/Business Owner. Make sure that all key staff members receive updated ISCP documents that they have access to (\u003cstrong\u003eeven away from the office or after hours\u003c/strong\u003e). Destroy (or return) older copies.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003e6. Plan for next years exercises\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eIts never too early to start planning for next years ISCP exercises. Whether youre engaging in a tabletop exercise or have chosen a different way to evaluate your plan, its important to leave plenty of time to complete the exercise so that your FISMA system remains compliant. If your FISMA system is involved in an outage that causes you to exercise the ISCP, you should consider documenting the event as an exercise of your plan.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eISCP template\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThe following template provides placeholder content for an ISCP that you can copy and paste into a document. Add information specific to your system to create your ISCP. In this template, words in italics are instructional and are meant to be deleted from the final document.\u003c/em\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eISCP TEMPLATE BEGINS BELOW\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eInformation systems are vital to {insert CMS Center or Office} mission/business processes; therefore,\u0026nbsp;it is critical that\u0026nbsp;services provided by {system name} are able to operate effectively without excessive interruption. 
This Information System Contingency Plan (ISCP) establishes comprehensive\u0026nbsp;procedures\u0026nbsp;to recover {system name} quickly and effectively following a service disruption.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eConcept of operations\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThe Concept of Operations section provides details about your system, and a description of\u0026nbsp;roles and responsibilities of your Center or Office personnel during a contingency activation. Start with the text below, and then continue with as much detail as needed to describe your system's specific operations.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThis section provides details about {system name}, and a description of\u0026nbsp;roles and responsibilities of {insert CMS Center or Office} personnel during a contingency activation.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eSystem description\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eInformation to populate the system description section can be found in the General tab in CFACTS.\u0026nbsp; Ensure the information is correct and use it for this section. Make any updates to the CFACTS record for consistency.\u003c/em\u003e\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eRoles and responsibilities\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe ISCP establishes several roles for {system name} recovery and reconstitution support.\u0026nbsp; Persons or teams assigned ISCP roles have been trained to respond to a contingency event affecting {system name}.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eDescribe each team and role responsible for executing or supporting system recovery and reconstitution.\u0026nbsp; Include responsibilities for each team/role, leadership roles, and coordination with other recovery and reconstitution teams, as applicable. 
At a minimum, a role should be established for a system owner or business unit point of contact, a recovery coordinator, and a technical recovery point of contact. Example format below.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eTeam or individual name: {insert name}\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eRole: {insert role / title}\u003c/p\u003e\u003cp dir=\"ltr\"\u003eResponsibilities: {list responsibilities}\u003c/p\u003e\u003cp dir=\"ltr\"\u003eContact information: {insert contact information}\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eAdd more teams or individuals, along with additional details, as needed\u003c/em\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eActivation and notification\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe\u0026nbsp;\u003cstrong\u003eActivation and Notification Phase\u003c/strong\u003e defines initial actions taken once a disruption to {system name} has been detected or appears to be imminent.\u0026nbsp;This phase includes activities to notify recovery personnel, conduct an outage assessment, and activate the ISCP.\u0026nbsp;At the completion of the Activation and Notification Phase, {system name} ISCP staff will be prepared to perform recovery measures.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eActivation criteria and procedure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe {system name} ISCP may be activated if one or more of the following criteria are met:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eThe type of outage indicates {system name} will be down for more than {RTO hours\u0026nbsp;\u003cem\u003e(copy the RTO from the BIA)\u003c/em\u003e}\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe facility housing {system name} is damaged and may not be available within {RTO hours\u0026nbsp;\u003cem\u003e(copy the RTO from the BIA)\u003c/em\u003e}\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOther criteria, as 
appropriate\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe following persons or roles may activate the ISCP if one or more of the above criteria are met:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eList people or roles from the\u0026nbsp;\u003cstrong\u003eRoles and responsibilities\u003c/strong\u003e section above\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eNotification\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe first step upon activation of the ISCP for {system name} is notification of appropriate business and system support personnel. Contact information for appropriate POCs is included in\u0026nbsp;\u003cstrong\u003eAppendix A: Personnel Contact List\u003c/strong\u003e.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eFor {system name}, the following method and procedure for notifications are used:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eDescribe established notification procedures.\u0026nbsp; Notification procedures should include who makes the initial notifications, the sequence in which personnel are notified (e.g., system owner, technical POC, ISCP Coordinator, business unit or user unit POC, and recovery team POC), and the method of notification (e.g., email blast, call tree, automated notification system, etc.)\u003c/em\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eOutage assessment\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eFollowing notification, a thorough outage assessment is necessary to determine the extent of the disruption, any damage, and expected recovery time.\u0026nbsp; This outage assessment is conducted by the system team. 
Assessment results are provided to the ISCP Coordinator to assist in the coordination of the recovery of {system name}.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eOutline detailed procedures to include how to determine the cause of the outage; identification of potential for additional disruption or damage; assessment of affected physical area(s); and determination of the physical infrastructure status, IS equipment functionality, and inventory.\u0026nbsp; Procedures should include notation of items that will need to be replaced and estimated time to restore service to normal operations\u003c/em\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eRecovery\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe\u0026nbsp;\u003cstrong\u003eRecovery Phase\u003c/strong\u003e provides formal\u0026nbsp;recovery operations that begin after the ISCP has been activated, outage assessments have been completed (if possible), personnel have been notified, and appropriate teams have been mobilized.\u0026nbsp;Recovery Phase activities focus on implementing recovery strategies to restore system capabilities, repair damage, and resume operational capabilities at the original or an alternate location.\u0026nbsp;At the completion of the Recovery Phase, {system name} will be functional and capable of performing the functions identified.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eSequence of recovery activities\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe following activities occur during recovery of {system name}:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eModify the following list as appropriate for the selected system recovery strategy.\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eIdentify recovery location (if not at original location)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eIdentify required resources to perform recovery procedures\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRetrieve 
backup and system installation media\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecover hardware and operating system (if required)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecover system from backup and system installation media\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eRecovery procedures\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe following procedures are provided for recovery of {system name} at the original or established alternate location. Recovery procedures are outlined per team and should be executed in the sequence presented to maintain an efficient recovery effort.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide general procedures for the recovery of the system from backup media. Specific keystroke-level procedures may be provided in an appendix. If specific procedures are provided in an appendix, a reference to that appendix should be included in this section.\u0026nbsp; Teams or persons responsible for each procedure should be identified.\u003c/em\u003e\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eRecovery escalation notices / awareness\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide appropriate procedures for escalation notices during recovery efforts.\u0026nbsp; Notifications during recovery include problem escalation to leadership and status awareness to system owners and users. Teams or persons responsible for each escalation and awareness procedure should be identified.\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eReconstitution\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eReconstitution\u003c/strong\u003e is the process by which recovery activities are completed and normal system operations are resumed.\u0026nbsp; If the original facility is unrecoverable, the activities in this phase can also be applied to preparing a new permanent location to support system processing requirements. 
A determination must be made on whether the system has undergone significant change and will require reassessment and reauthorization. The phase consists of two major activities: validating successful reconstitution and deactivation of the ISCP plan.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eConcurrent Processing\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eConcurrent Processing (in which a system operates at two separate locations concurrently for a time period) is not required. If concurrent processing does occur for the system prior to making it operational, procedures should be inserted here.\u0026nbsp; Procedures should include length of time for concurrent processing, processing information on both concurrent systems, and validating information on the new permanent system\u003c/em\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eFor systems that will not require concurrent processing, this section may either be removed, or the following may be used:\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIn concurrent processing, a system operates at two separate locations concurrently until there is a level of assurance that the recovered system is operating correctly.\u0026nbsp; {system name} does not have concurrent processing as part of validation. Once the system has been tested and validated, it will be placed into normal operations.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eValidation Data Testing\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eValidation data testing is the process of testing and validating recovered data to ensure that data files or databases have been recovered completely. 
The following procedures will be used to determine that the recovered data is complete and current to the last available backup:\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide procedures for testing or validation of recovered data to ensure that data is correct and up to date. This section may be combined with the Functionality Testing section if procedures test both the functionality and data validity. Teams or persons responsible for each procedure should be identified. An example of a validation data test for a system would be to log into the system database and check the audit logs to determine that all transactions and updates are current. Detailed data test procedures may be provided in an appendix titled\u0026nbsp;\u003cstrong\u003eSystem Validation Test Plan\u003c/strong\u003e.\u003c/em\u003e\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eValidation Functionality Testing\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eValidation functionality testing is the process of verifying that functionality for {system name} has been tested, and the system is ready to return to normal operations.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide system functionality testing and validation procedures to ensure that the system is operating correctly. This section may be combined with the Data Testing section if procedures test both the functionality and data validity. Teams or persons responsible for each procedure should be identified. An example of a functional test for a system may be logging into the system and running a series of operations as a test or real user to ensure that all parts of the system are operating correctly. 
Detailed functionality test procedures may be provided in an appendix titled,\u0026nbsp;\u003cstrong\u003eSystem Validation Test Plan\u003c/strong\u003e.\u003c/em\u003e\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eRecovery Declaration\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eUpon successfully completing testing and validation, the System/Business Owner will formally declare recovery efforts complete, and that {system name} is in normal operations.\u0026nbsp; {system name} business and technical POCs will be notified of the declaration by the ISCP Coordinator.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eNotification to system users\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eUpon return to normal system operations, {system name} users will be notified by the {role of individual in charge of notification} using predetermined notification procedures (e.g., email, broadcast message, phone calls, etc.).\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eCleanup\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eCleanup is the process of cleaning up or dismantling any temporary recovery locations, restocking supplies used, returning manuals or other documentation to their original locations, and readying the system for a possible future contingency event.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide any specific cleanup procedures for the system, including preferred locations for manuals and documents and returning backup or installation media to its original location.\u003c/em\u003e\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eOffsite Data Storage\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eIt is important that all backup and installation media used during recovery be returned to the offsite data storage location. 
The following procedures should be followed to return backup and installation media to its offsite data storage location.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide procedures for returning retrieved backup or installation media to its offsite data storage location. This may include proper logging and packaging of backup and installation media, preparing for transportation, and validating that media is securely stored at the offsite location.\u003c/em\u003e\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eData Backup\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eAs soon as reasonably possible following recovery, the system should be fully backed up and a new copy of the current operational system stored for future recovery efforts. This full backup is then kept with other system backups. The procedures for conducting a full system backup are:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide appropriate procedures for ensuring that a full system backup is conducted within a reasonable time frame, ideally at the next scheduled backup period. This backup should go offsite with the other media in Offsite Data Storage.\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eEvent documentation\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eIt is important that all recovery events be well-documented, including actions taken and problems encountered during the recovery and reconstitution effort, and lessons learned for inclusion and update to this ISCP. It is the responsibility of each ISCP team or person to document their actions during the recovery and reconstitution effort, and to provide that documentation to the ISCP Coordinator.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide details about the types of information each ISCP team member is required to provide or collect for updating the ISCP with lessons learned. 
Types of documentation that should be generated and collected after a contingency activation include:\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eActivity logs (including recovery steps performed and by whom, the time the steps were initiated and completed, and any problems or concerns encountered while executing activities)\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eFunctionality and data testing results\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eLessons learned documentation\u0026nbsp;\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eAfter Action Report\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEvent documentation procedures should detail responsibilities for development, collection, approval, and maintenance\u003c/em\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eDeactivation of ISCP\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eOnce all activities have been completed and documentation has been updated, the System/Business Owner will formally deactivate the ISCP recovery and reconstitution effort. 
Notification of this declaration will be provided to all business and technical POCs.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eDocument change and approval\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eModifications made to this plan since the last update are as follows:\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003ePage No.\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eChange Comment\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eDate of Change\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eSignature\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix A: Personnel Contact List\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eProvide contact information for each person with a role or responsibility for activation or implementation of the ISCP, or coordination with the ISCP. 
For each person listed, at least one office and one non-office contact number is recommended. Note: Because this appendix collects home addresses and personal phone numbers, it contains personally identifiable information (PII); limit its distribution to those with an ISCP role and protect every copy, including copies held away from the office.
Team Lead\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eName and title:\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAddress (street, city, state, zip code):\u003c/p\u003e\u003cp dir=\"ltr\"\u003eEmail:\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (home):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (cell):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (work):\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eISCP Team Members\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eName and title:\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAddress (street, city, state, zip code):\u003c/p\u003e\u003cp dir=\"ltr\"\u003eEmail:\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (home):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (cell):\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePhone (work):\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eList additional team members as needed\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix B: Vendor contact list\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eContact information for all key maintenance or support vendors should be included in this appendix. 
Contact information, such as emergency phone numbers, contact names, contract numbers, and contractual response and onsite times should be included.\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix C: Detailed recovery procedures\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eTo create this appendix, describe the detailed recovery procedures for the system, which may include items such as:\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eKeystroke-level recovery steps\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eSystem installation instructions from tape, CD, or other media\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eRequired configuration settings or changes\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eRecovery of data from tape and audit logs\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eOther system recovery procedures, as appropriate\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eIf the system relies totally on another group or system for its recovery and reconstitution (such as a mainframe system), information provided should include contact information and locations of detailed recovery and reconstitution procedures for that supporting system.\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix D: Alternate processing procedures\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThis section should identify any alternate manual or technical processing procedures available that allow the business unit to continue some processing of information that would normally be done by the affected system. 
Examples of alternate processes include manual forms processing, input into workstations to store data until it can be uploaded and processed, or queuing of data input.\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix E: System validation test plan\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eTo create this appendix, describe system acceptance procedures that are performed after the system has been recovered and prior to putting the system into full operation and returned to users. The system validation test plan may include the regression or functionality testing conducted prior to implementation of a system upgrade or change.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eAn example of a system validation test plan is below. Create your own test plan using steps that will validate the functionality of your system.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eOnce the system has been recovered, the following steps will be performed to validate system data and functionality:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eProcedure\u003c/strong\u003e\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eExpected results\u003c/strong\u003e\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eActual results\u003c/strong\u003e\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eSuccessful?\u003c/strong\u003e\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003ePerformed by\u003c/strong\u003e\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eAt the Command Prompt, type in sysname\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eSystem Log-in Screen 
appears\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eLog in as user testuser, using password testpass\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eInitial Screen with Main Menu shows\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eFrom Menu, select 5: Generate Report\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eReport Generation Screen shows\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eSelect Current Date Report; Select Weekly; Select To Screen\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eReport is generated on screen with last successful transaction included\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eSelect Close\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eReport Generation Screen shows\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eSelect Return to Main Menu\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eInitial Screen with Main Menu 
shows\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eSelect Log-Off\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eLog-in Screen appears\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix F: Alternate storage, site, and telecommunications\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThis appendix provides information for alternate storage, alternate processing site, and alternate telecommunications for the system.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eAlternate storage, site, and telecommunications information is required for high-impact systems, per NIST SP 800-53 Rev. 5.\u0026nbsp; Refer to NIST SP 800-53 Rev. 5 for details on control specifics. 
(Moderate or Low systems may not have the same control specifics for this item.)\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eInformation that should be provided for each area includes:\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eAlternate Storage\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eCity and state of alternate storage facility, and distance from primary facility;\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eWhether the alternate storage facility is owned by the organization or is a third-party storage provider\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eName and points of contact for the alternate storage facility\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eDelivery schedule and procedures for packaging media to go to alternate storage facility\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eProcedures for retrieving media from the alternate storage facility\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNames and contact information for those persons authorized to retrieve media\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eAlternate storage configuration features that facilitate recovery operations (such as keyed or card reader access by authorized retrieval personnel)\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eAny potential accessibility problems to the alternate storage site in the event of a widespread disruption or disaster\u0026nbsp;\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eMitigation steps to access alternate storage site in the event of a widespread disruption or disaster\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eTypes of data located at alternate storage site, including databases, application software, operating 
systems, and other critical information system software\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eOther information as appropriate\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eAlternate Processing Site\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eCity and state of alternate processing site, and distance from primary facility\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eWhether the alternate processing site is owned by the organization or is a third-party site provider\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eName and points of contact for the alternate processing site\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eProcedures for accessing and using the alternate\u0026nbsp; processing site, and access security features of alternate processing site\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNames and contact information for those persons authorized to go to alternate processing site\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eType of alternate processing site, and equipment available at site\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eAlternate processing site configuration information (such as available power, floor space, office space, telecommunications availability, etc.)\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eAny potential accessibility problems to the alternate processing site in the event of a widespread disruption or disaster\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eMitigation steps to access alternate processing site in the event of a widespread disruption or disaster\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eSLAs or other agreements of use of alternate processing site, available 
office/support space, setup times, etc.\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eOther information as appropriate\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eAlternate Telecommunications\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eName and contact information of alternate telecommunications vendors\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eGeographic locations of alternate telecommunications vendors' facilities (such as central offices, switch centers, etc.)\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eContracted capacity of alternate telecommunications\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eSLAs or other agreements for implementation of alternate telecommunications capacity\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eInformation on alternate telecommunications vendor contingency plans\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNames and contact information for those persons authorized to implement or use alternate telecommunications capacity\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eOther information as appropriate\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix G: Diagrams\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eInformation for this section should be available from the system's\u0026nbsp;\u003c/em\u003e\u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003e\u003cem\u003eSystem Security and Privacy Plan\u003c/em\u003e\u003c/a\u003e\u003cem\u003e (SSPP) and can either be copied from the SSPP,\u003cstrong\u003e\u0026nbsp;\u003c/strong\u003eor this appendix can reference the applicable SSPP section and attach the latest version of the SSPP to this 
ISCP.\u003cstrong\u003e\u0026nbsp;\u003c/strong\u003eInclude any system architecture, input/output, or other technical or logical diagrams that may be useful in recovering the system. Diagrams may also document interconnections with other systems.\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix H: Test and maintenance schedule\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eAll ISCPs should be\u0026nbsp;\u003c/em\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003e\u003cem\u003ereviewed and tested\u003c/em\u003e\u003c/a\u003e\u003cem\u003e at the organization-defined frequency (e.g., yearly) or whenever there is a significant change to the system. Provide information and a schedule for the testing of the system. The ISCP test should include all ISCP points of contact and be facilitated by an outside or impartial observer.\u0026nbsp; A formal test plan is developed prior to the functional test, and test procedures are developed to include key sections of the ISCP, including the following:\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNotification procedures\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eSystem recovery on an alternate platform from backup media\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eInternal and external connectivity\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eReconstitution procedures\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eResults of the test are documented in an After Action Report (AAR), and Lessons Learned are developed for updating information in the ISCP.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eNOTE\u003c/strong\u003e: Full functional tests of systems normally are failover tests to the alternate locations, and may be 
very disruptive to system operations if not planned well. Other systems located in the same physical location may be affected by or included in the full functional test. It is highly recommended that several functional tests be conducted and evaluated prior to conducting a full functional (failover) test.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eExamples of functional tests that may be performed prior to a full functional test include:\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eFull notification and response of key personnel to recovery location\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eRecovery of a server or database from backup media\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eSetup and processing from a server at an alternate location\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003e\u003cstrong\u003eNot all systems\u003c/strong\u003e are required to perform a full functional test as part of ISCP testing. Moderate or low systems may have different requirements. 
Check the\u0026nbsp;\u003c/em\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003e\u003cem\u003eCMS Acceptable Risk Safeguards\u003c/em\u003e\u003c/a\u003e\u003cem\u003e (ARS) to find out specific requirements for your system.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThe following is a sample of a yearly test and maintenance schedule for a high-impact system:\u003c/em\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003eStep\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003eDate due by\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003eResponsible party\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003eDate scheduled\u003c/p\u003e\u003c/th\u003e\u003cth\u003e\u003cp dir=\"ltr\"\u003eDate held\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eIdentify failover test facilitator.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eMarch 1\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eISCP Coordinator\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eDetermine scope of failover test (include other systems?).\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eMarch 15\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eISCP Coordinator, Test Facilitator\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eDevelop failover test plan.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eApril 1\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eTest 
Facilitator\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eInvite participants.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eJuly 10\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eTest Facilitator\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eConduct functional test.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eJuly 31\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eTest Facilitator, ISCP Coordinator, POCs\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eFinalize after action report and lessons learned.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eAugust 15\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eISCP Coordinator\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eUpdate ISCP based on lessons learned.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eSeptember 15\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eISCP Coordinator\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eApprove and distribute updated version of ISCP.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eSeptember 30\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eISCP Director, ISCP 
Coordinator\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix I: Associated plans and procedures\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eInformation for this section should be available from the system's\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan\u003c/a\u003e (SSPP) and can either be copied from the SSPP, or this appendix can reference the applicable SSPP section and attach the latest version of the SSPP to this ISCP.\u003cstrong\u003e\u0026nbsp;\u003c/strong\u003eISCPs for other systems that either interconnect with or support the system should be identified in this appendix. The most current version of each such ISCP, its location, and its primary point of contact (such as the ISCP Coordinator) should be noted.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eAppendix J: Business Impact Analysis\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eInclude the \u003c/em\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook#iscp-prerequisite-bia\"\u003e\u003cem\u003eBusiness Impact Analysis (BIA)\u003c/em\u003e\u003c/a\u003e\u003cem\u003e that was completed prior to populating this Information System Contingency Plan.\u003c/em\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp dir=\"ltr\"\u003eEND ISCP 
TEMPLATE\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"1c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}\n1b:{\"self\":\"$1c\"}\n1f:[\"menu_ui\",\"scheduler\"]\n1e:{\"module\":\"$1f\"}\n22:[]\n21:{\"available_menus\":\"$22\",\"parent\":\"\"}\n23:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n20:{\"menu_ui\":\"$21\",\"scheduler\":\"$23\"}\n1d:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$1e\",\"third_party_settings\":\"$20\",\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance 
documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1a:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":\"$1b\",\"attributes\":\"$1d\"}\n26:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}\n25:{\"self\":\"$26\"}\n27:{\"display_name\":\"mburgess\"}\n24:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":\"$25\",\"attributes\":\"$27\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}\n29:{\"self\":\"$2a\"}\n2c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n2b:{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$2c\"}\n30:{\"drupal_internal__target_id\":\"resource_type\"}\n2f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$30\"}\n32:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_typ"])</script><script>self.__next_f.push([1,"e/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"}\n33:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}\n31:{\"related\":\"$32\",\"self\":\"$33\"}\n2e:{\"data\":\"$2f\",\"links\":\"$31\"}\n36:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"}\n37:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}\n
35:{\"related\":\"$36\",\"self\":\"$37\"}\n34:{\"data\":null,\"links\":\"$35\"}\n3e:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n3d:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$3e\"}\n3c:{\"help\":\"$3d\"}\n3b:{\"links\":\"$3c\"}\n3a:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$3b\"}\n39:[\"$3a\"]\n40:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"}\n41:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}\n3f:{\"related\":\"$40\",\"self\":\"$41\"}\n38:{\"data\":\"$39\",\"links\":\"$3f\"}\n2d:{\"vid\":\"$2e\",\"revision_user\":\"$34\",\"parent\":\"$38\"}\n28:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":\"$29\",\"attributes\":\"$2b\",\"relationships\":\"$2d\"}\n44:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n43:{\"self\":\"$44\"}\n46:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n45:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$46\"}"])</script><script>self.__next_f.push([1,"\n4a:{\"drupal_internal__target_id\":\"roles\"}\n49:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$4a\"}\n4c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n4d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n4b:{\"related\":\"$4c\",\"self\":\"$4d\"}\n48:{\"data\":\"$49\",\"links\":\"$4b\"}\n50:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n51:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n4f:{\"related\":\"$50\",\"self\":\"$51\"}\n4e:{\"data\":null,\"links\":\"$4f\"}\n58:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n57:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$58\"}\n56:{\"help\":\"$57\"}\n55:{\"links\":\"$56\"}\n54:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$55\"}\n53:[\"$54\"]\n5a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n5b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n59:{\"related\":\"$5a\",\"self\":\"$5b\"}\n52:{\"data\":\"$53\",\"links\":\"$59\"}\n47:{\"vid\":\"$48\",\"revision_user\":\"$4e\",\"parent\":\"$52\"}\n42:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$43\",\"attributes\":\"$45\",\"relationships\":\"$47\"}\n5e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n5d:{\"self\":\"$5e\"}\n60:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n5f:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner"])</script><script>self.__next_f.push([1,"\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$60\"}\n64:{\"drupal_internal__target_id\":\"roles\"}\n63:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$64\"}\n66:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n67:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n65:{\"related\":\"$66\",\"self\":\"$67\"}\n62:{\"data\":\"$63\",\"links\":\"$65\"}\n6a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n6b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n69:{\"related\":\"$6a\",\"self\":\"$6b\"}\n68:{\"data\":null,\"links\":\"$69\"}\n72:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n71:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$72\"}\n70:{\"help\":\"$71\"}\n6f:{\"links\":\"$70\"}\n6e:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$6f\"}\n6d:[\"$6e\"]\n74:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n75:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n73:{\"related\":\"$74\",\"self\":\"$75\"}\n6c:{\"data\":\"$6d\",\"links\":\"$73\"}\n61:{\"vid\":\"$62\",\"revision_user\":\"$68\",\"parent\":\"$6c\"}\n5c:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$5d\",\"attributes\":\"$5f\",\"relationships\":\"$61\"}\n78:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\n77:{\"self\":\"$78\"}\n7a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n79:{\"drupal_internal__tid\":7"])</script><script>self.__next_f.push([1,"1,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System 
Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$7a\"}\n7e:{\"drupal_internal__target_id\":\"roles\"}\n7d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$7e\"}\n80:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\n81:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\n7f:{\"related\":\"$80\",\"self\":\"$81\"}\n7c:{\"data\":\"$7d\",\"links\":\"$7f\"}\n84:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\n85:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\n83:{\"related\":\"$84\",\"self\":\"$85\"}\n82:{\"data\":null,\"links\":\"$83\"}\n8c:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n8b:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$8c\"}\n8a:{\"help\":\"$8b\"}\n89:{\"links\":\"$8a\"}\n88:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$89\"}\n87:[\"$88\"]\n8e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\n8f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\n8d:{\"related\":\"$8e\",\"self\":\"$8f\"}\n86:{\"data\":\"$87\",\"links\":\"$8d\"}\n7b:{\"vid\":\"$7c\",\"revision_user\":\"$82\",\"parent\":\"$86\"}\n76:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":\"$77\",\"attributes\":\"$79\",\"relationships\":\"$7b\"}\n92:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-9"])</script><script>self.__next_f.push([1,"03f-0470aad63bf0?resourceVersion=id%3A16\"}\n91:{\"self\":\"$92\"}\n94:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n93:{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 
Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$94\"}\n98:{\"drupal_internal__target_id\":\"topics\"}\n97:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$98\"}\n9a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"}\n9b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}\n99:{\"related\":\"$9a\",\"self\":\"$9b\"}\n96:{\"data\":\"$97\",\"links\":\"$99\"}\n9e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"}\n9f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}\n9d:{\"related\":\"$9e\",\"self\":\"$9f\"}\n9c:{\"data\":null,\"links\":\"$9d\"}\na6:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\na5:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$a6\"}\na4:{\"help\":\"$a5\"}\na3:{\"links\":\"$a4\"}\na2:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$a3\"}\na1:[\"$a2\"]\na8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"}\na9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}\na7:{\"related\":\"$a8\",\"self\":\"$a9\"}\na0:{\"data\":\"$a1\",\"links\":\"$a7\"}\n95:{\"vid\":\"$96\",\"revision_user\":\"$9c\",\"parent\":\"$a0\"}\n90:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470a"])</script><script>self.__next_f.push([1,"ad63bf0\",\"links\":\"$91\",\"attributes\":\"$93\",\"relationships\":\"$95\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--library\",\"id\":\"0bcff800-1480-456e-99d9-9d067d939987\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/0bcff800-1480-456e-99d9-9d067d939987?resourceVersion=id%3A5742\"}},\"attributes\":{\"drupal_internal__nid\":1207,\"drupal_internal__vid\":5742,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-02T20:17:20+00:00\",\"status\":true,\"title\":\"CMS Information System Contingency Plan (ISCP) 
Handbook\",\"created\":\"2024-07-30T17:56:50+00:00\",\"changed\":\"2024-08-02T20:17:20+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-information-system-contingency-plan-iscp-handbook\",\"pid\":1229,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2024-07-30\",\"field_related_resources\":[{\"uri\":\"https://csrc.nist.gov/pubs/sp/800/34/r1/upd1/final\",\"title\":\"Contingency Planning Guide for Federal Information Systems (NIST)\",\"options\":[],\"url\":\"https://csrc.nist.gov/pubs/sp/800/34/r1/upd1/final\"},{\"uri\":\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\",\"title\":\"CMS ISCP Exercise Handbook\",\"options\":[],\"url\":\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"},{\"uri\":\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"title\":\"CMS Acceptable Risk Safeguards\",\"options\":[],\"url\":\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"}],\"field_short_description\":{\"value\":\"Guidance for CMS teams for creating and updating your Information System Contingency Plan (ISCP)\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eGuidance for CMS teams for creating and updating your Information System Contingency Plan 
(ISCP)\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/0bcff800-1480-456e-99d9-9d067d939987/node_type?resourceVersion=id%3A5742\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/0bcff800-1480-456e-99d9-9d067d939987/relationships/node_type?resourceVersion=id%3A5742\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/0bcff800-1480-456e-99d9-9d067d939987/revision_uid?resourceVersion=id%3A5742\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/0bcff800-1480-456e-99d9-9d067d939987/relationships/revision_uid?resourceVersion=id%3A5742\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/0bcff800-1480-456e-99d9-9d067d939987/uid?resourceVersion=id%3A5742\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/0bcff800-1480-456e-99d9-9d067d939987/relationships/uid?resourceVersion=id%3A5742\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/0bcff800-1480-456e-99d9-9d067d939987/field_resource_type?resourceVersion=id%3A5742\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/0bcff800-1480-456e-99d9-9d067d939987/relationships/field_resource_type?resourceVersion=id%3A5742\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term-
-roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/0bcff800-1480-456e-99d9-9d067d939987/field_roles?resourceVersion=id%3A5742\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/0bcff800-1480-456e-99d9-9d067d939987/relationships/field_roles?resourceVersion=id%3A5742\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/0bcff800-1480-456e-99d9-9d067d939987/field_topics?resourceVersion=id%3A5742\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/0bcff800-1480-456e-99d9-9d067d939987/relationships/field_topics?resourceVersion=id%3A5742\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Library 
page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}},\"attributes\":{\"display_name\":\"mburgess\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}},\"attributes\":{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9
a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.or
g/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"
taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}},\"attributes\":{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c1
2221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}}}}}],\"includedMap\":{\"ab4b0312-f678-40b9-ae06-79025f52ff43\":\"$1a\",\"e352e203-fe9c-47ba-af75-2c7f8302fca8\":\"$24\",\"e3394b9a-cbff-4bad-b68e-c6fad326132e\":\"$28\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$42\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$5c\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$76\",\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\":\"$90\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"CMS Information System Contingency Plan (ISCP) Handbook | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Guidance for CMS teams for creating and updating your Information System Contingency Plan (ISCP)\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"CMS Information System Contingency Plan (ISCP) Handbook | CMS Information Security \u0026 
Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Guidance for CMS teams for creating and updating your Information System Contingency Plan (ISCP)\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"CMS Information System Contingency Plan (ISCP) Handbook | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Guidance for CMS teams for creating and updating your Information System Contingency Plan (ISCP)\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>