cms-gov/security.cms.gov/policy-guidance/cms-media-protection-mp-handbook
2025-02-28 14:41:14 -05:00



<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>CMS Media Protection (MP) Handbook | CMS Information Security &amp; Privacy Group</title><meta name="description" content="Guidance for protecting physical and digital 
media at CMS in accordance with requirements from NIST and the CMS Acceptable Risk Safeguards (ARS)"/><link rel="canonical" href="https://security.cms.gov/policy-guidance/cms-media-protection-mp-handbook"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="CMS Media Protection (MP) Handbook | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="Guidance for protecting physical and digital media at CMS in accordance with requirements from NIST and the CMS Acceptable Risk Safeguards (ARS)"/><meta property="og:url" content="https://security.cms.gov/policy-guidance/cms-media-protection-mp-handbook"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/policy-guidance/cms-media-protection-mp-handbook/opengraph-image.jpg?a856d5522b751df7"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="CMS Media Protection (MP) Handbook | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="Guidance for protecting physical and digital media at CMS in accordance with requirements from NIST and the CMS Acceptable Risk Safeguards (ARS)"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/policy-guidance/cms-media-protection-mp-handbook/opengraph-image.jpg?a856d5522b751df7"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a 
class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" 
src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" 
class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a 
href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item 
font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block 
font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div 
class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accountability Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item 
font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" 
role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-library undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">CMS Media Protection (MP) Handbook</h1><p class="hero__description">Guidance for protecting physical and digital media at CMS in accordance with requirements from NIST and the CMS Acceptable Risk Safeguards (ARS)</p><p class="font-sans-2xs line-height-sans-5 margin-bottom-0">Last reviewed<!-- -->: <!-- -->9/4/2024</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none 
tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8"><section class="resource-collection radius-md padding-y-2 padding-x-3 bg-base-lightest"><h1 class="resource-collection__header h3 margin-top-0 margin-bottom-2">Related Resources</h1><div class="grid-row grid-gap-4"><div class="tablet:grid-col-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS)</a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#media-protection-mp">Media Protection (MP) in the CMS IS2P2<svg class="usa-icon" aria-hidden="true" role="img" data-testid="library-resources-external"><use href="/assets/img/sprite.svg#launch"></use></svg></a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf">NIST SP 800-53<svg class="usa-icon" aria-hidden="true" role="img" data-testid="library-resources-external"><use href="/assets/img/sprite.svg#launch"></use></svg></a></div></div></section><section><div class="text-block text-block--theme-library"><h2 dir="ltr">What is Media Protection (MP)?</h2><p dir="ltr">Media Protection (MP) is the safeguarding of media within an organization. The term “media” broadly refers to physical devices or writing surfaces. 
This includes all channels of communication with storage capabilities — everything from printed paper to digital data onto which information is recorded, stored, or printed within an information system.&nbsp;</p><p dir="ltr">Tracking the creation, distribution, storage and use of any form of media can be challenging, so it's important for government agencies to have clear policies and guidance around media protections for their information systems. Organizations must clearly define:</p><ul><li dir="ltr">Who has the authority to access, transport, and share media</li><li dir="ltr">Which devices can be used to store and transport media</li><li dir="ltr">How to properly destroy expired media</li></ul><p dir="ltr">Having clear policies around these practices allows government agencies to protect the data that is critical to their missions. CMS provides this handbook as a guide for implementing the Media Protection (MP) family of controls at the organization, process, and/or system level for all CMS information assets and data.</p><h3 dir="ltr">Media Protection at CMS</h3><p dir="ltr">The MP security requirements addressed in this handbook are taken from the&nbsp;<a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf">National Institute of Standards and Technology (NIST) Special Publication 800-53, Rev 5</a> and tailored to the Centers for Medicare and Medicaid Services (CMS) environment in the&nbsp;<a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS)</a>.&nbsp;</p><p dir="ltr">The ARS MP minimum standard controls are designed to protect CMS media and files from unauthorized access, use, or disclosure to ensure the safe handling of media and files in their life cycle, and to ensure the safe destruction of media and files when they are no longer needed.</p><p dir="ltr">By following the processes outlined below, CMS can:</p><ul><li dir="ltr">Promote accountability for 
handling media responsibly</li><li dir="ltr">Reduce risk by limiting events that could expose media to unauthorized use or disclosure, loss, theft, or other mishandling</li><li dir="ltr">Ensure CMS compliance with federal laws and regulations such as&nbsp;<a href="https://security.cms.gov/learn/federal-information-security-modernization-act-fisma">FISMA</a> and&nbsp;<a href="https://security.cms.gov/learn/health-insurance-portability-and-accountability-act-1996-hipaa">HIPAA</a></li></ul><h3 dir="ltr">Getting help</h3><p dir="ltr">For policy and guidance questions regarding Media Protection at CMS, contact the&nbsp;<strong>ISPG Policy and Privacy team</strong> via email at:<strong> </strong><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a>. Or find us in CMS Slack: <em>#ispg-sec_privacy-policy.</em></p><p dir="ltr">If you have questions or need assistance regarding various aspects of Media Protection at CMS, you can reach out to the following groups:</p><ul><li dir="ltr"><strong>CMS Office of Strategic Operations and Regulatory Affairs (OSORA)</strong> |&nbsp;<a href="mailto:OSORA_Regs_Scheduling@cms.hhs.gov">OSORA_Regs_Scheduling@cms.hhs.gov</a></li><li dir="ltr"><strong>CMS Records Retention</strong> |&nbsp;<a href="mailto:Records_Retention@cms.hhs.gov">Records_Retention@cms.hhs.gov</a></li></ul><h2 dir="ltr">Media Access</h2><p dir="ltr">As part of CMS media protection, there are rules about who can access CMS system media that contains sensitive information. This is known as Media Access control. It applies to both digital media and hard copy media (such as paper, microfilm, or microfiche). It applies to mobile devices with storage capabilities, and to systems that process, store, or transmit Personally Identifiable Information (PII) or Protected Health Information (PHI). 
Media Access guidelines are described below.</p><h3 dir="ltr">Limit access to people who need it</h3><p dir="ltr">The Media Access rules that identify who can access sensitive media are defined in the&nbsp;<a href="https://security.cms.gov/learn/system-security-and-privacy-plan-sspp">System Security and Privacy Plan</a> for any CMS system. Access is restricted to defined personnel or roles with a valid need to know based on the functions required to perform their job duties. Activities that limit access can include:</p><ul><li dir="ltr">Disabling Compact Disk (CD)/Digital Versatile Disk (DVD) writers</li><li dir="ltr">Allowing access to CD/DVD viewing and downloading capabilities only to authorized persons or roles (defined in the applicable&nbsp;<a href="https://security.cms.gov/learn/system-security-and-privacy-plan-sspp">System Security and Privacy Plan</a>)</li><li dir="ltr">Disabling access to Universal Serial Bus (USB) ports and allowing access to using USB device capabilities only to authorized persons or in defined roles (defined in the applicable&nbsp;<a href="https://security.cms.gov/learn/system-security-and-privacy-plan-sspp">System Security and Privacy Plan</a>)</li></ul><h3 dir="ltr">Require training before giving access</h3><p dir="ltr">Before accessing any CMS systems or data, all CMS employees and contractors with potential access to sensitive information, such as PII or PHI, must complete yearly&nbsp;<a href="https://security.cms.gov/policy-guidance/cms-cybersecurity-and-privacy-handbook#take-required-isspa-training">Information System Security and Privacy Awareness (ISSPA) training</a>, along with any&nbsp;<a href="https://security.cms.gov/learn/role-based-training-rbt">role-based training</a> required for their level of access to CMS information and systems. 
These trainings must be completed within 60 days of hire (and annually thereafter).</p><p dir="ltr">For additional processes that need to be followed by all CMS employees and contractors with potential access to CMS data and/or sensitive information, please see the&nbsp;<a href="https://security.cms.gov/policy-guidance/cms-access-control-handbook">CMS Access Control (AC) Handbook</a> and&nbsp;<a href="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-13-personnel-security-ps">Personnel Security (PS) Handbook</a>.</p><h2 dir="ltr">Media Marking&nbsp;</h2><p dir="ltr">Media Marking is a process that identifies the security markings, distribution limitations, and handling caveats for information system media. NIST and the National Archives and Records Administration (NARA) both provide guidance on security marking and labeling as required by the Executive Order (E.O.) 13526 and its implementing directive, 32 CFR Part 2001, to prescribe a uniform security classification system.&nbsp;</p><p dir="ltr"><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf">Within NIST SP 800-53</a>, the guidance on Media Marking includes:</p><ul><li dir="ltr"><strong>Security marking</strong>: This is the application or use of human-readable attributes to enable organizational process-based enforcement of information security policies. Security marking is typically&nbsp;<em>written upon the media</em>.</li><li dir="ltr"><strong>Security labeling</strong>: This is the explicit or implicit marking of a data structure or output media associated with an information system representing the&nbsp;<a href="https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization">FIPS 199 security category</a>. It could also indicate distribution limits or handling caveats of the information contained within the media. 
Security labeling is typically&nbsp;<em>internal to the media</em>.</li></ul><h3 dir="ltr">What media must be marked?</h3><p dir="ltr">Security marking is typically&nbsp;<strong>required</strong> for any media that contains information with distribution limits or handling caveats. This includes sensitive, controlled, classified, or confidential information.</p><p dir="ltr">Security marking is generally&nbsp;<strong>not required</strong> for media containing information determined to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information&nbsp;<strong>is</strong> publicly releasable.&nbsp;</p><h3 dir="ltr">Media Marking process at CMS</h3><p dir="ltr">At CMS, everyone should mark and label system media appropriately to ensure it is protected according to its sensitivity. All CMS information system media, both digital and non-digital, must be marked in accordance with the relevant CMS policies and procedures for Media Protection that can be found in the&nbsp;<a href="https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2">CMS IS2P2</a> and&nbsp;<a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">ARS</a>.</p><p dir="ltr">The CMS process for Media Marking includes the following:</p><p dir="ltr"><strong>Media Marking for digital media</strong></p><ul><li dir="ltr">For external media types such as CDs and USB Drives, the Business or System Owner (BO/SO) is responsible for ensuring the appropriate media marking/labeling (including the CUI Control Marking and the designating organization).&nbsp;<ul><li dir="ltr">The BO should follow the&nbsp;<a href="https://share.cms.gov/office/OSORA/SitePages/CUI.aspx">CMS CUI Program Guide</a>, which includes guidelines for marking/labeling media as CUI, Sensitive, Confidential, etc. 
More information on CMS Controlled Unclassified Information (CUI)&nbsp;<a href="https://share.cms.gov/office/OSORA/SitePages/CUI.aspx">can be found here</a> (internal link; CMS login required).</li><li dir="ltr">For questions about marking and managing of CUI at CMS, contact the&nbsp;<a href="https://www.cms.gov/about-cms/leadership/office-strategic-operations-regulatory-affairs">CMS Office of Strategic Operations and Regulatory Affairs (OSORA)</a>.</li><li dir="ltr">For overall guidance about CUI marking, see the&nbsp;<a href="https://www.archives.gov/files/cui/20161206-cui-marking-handbook-v1-1.pdf">CUI Marking Handbook from NARA</a>.</li></ul></li><li dir="ltr">Volume serial number (VOLSER) scans are performed on Unix and Mainframe media prior to shipment to the secure, off-site storage facility.</li><li dir="ltr">Media are classified and labeled as Confidential.</li></ul><p dir="ltr"><strong>Media Marking for non-digital media</strong></p><p dir="ltr">Non-digital media, such as paper and microfilm, should also be marked appropriately to indicate the sensitivity classification of the information they contain (based on applicable record retention regulations).&nbsp;</p><p dir="ltr"><strong>Report mishandling of protected information</strong></p><p dir="ltr">Advise CMS management immediately if any CMS sensitive information is disclosed, mishandled, or used in an inconsistent manner (whether intentionally or unintentionally). The&nbsp;<a href="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir">CMS Incident Response Handbook</a> outlines the procedures for reporting all suspected security incidents.</p><h2 dir="ltr">Media Storage</h2><p dir="ltr">Media Storage is the process that ensures the security of media containing sensitive information when it's not actively in use or in transit. 
CMS physically controls and securely stores digital and non-digital media in accordance with:</p><ul><li dir="ltr"><a href="https://csrc.nist.gov/pubs/sp/800/88/r1/final">NIST SP 800-88 (Guidelines for Media Sanitization)</a></li><li dir="ltr"><a href="https://intranet.hhs.gov/policy/hhs-policy-information-security-and-privacy-protection-is2p">HHS Policy for Information Security and Privacy Protection (IS2P)</a></li><li dir="ltr"><a href="https://security.cms.gov/policy-guidance/hhs-policy-rules-behavior-use-information-it-resources">HHS Policy for Rules of Behavior for Use of Information and IT Resources (ROB)</a></li></ul><p dir="ltr">By aligning CMS Media Storage processes with these authorities, we ensure sufficient physical and procedural safeguards to meet the federal requirements established for protecting information and information systems.&nbsp;</p><h3 dir="ltr">How does Media Storage affect me?</h3><p dir="ltr"><strong>Everyone at CMS</strong> is expected to follow proper media storage requirements for any media they create, store, or manage that contains CMS sensitive information. This applies to both digital and non-digital media. It applies to CMS employees, staff, contractors, interns, and personnel — whether they are working onsite at CMS, or working from a telework or alternate duty station (ADS) location.</p><p dir="ltr"><strong>Business and System Owners</strong> are responsible for documenting the entire media protection process, including handling, storage, and sanitization.&nbsp;&nbsp;</p><h3 dir="ltr">Securing media storage areas</h3><p dir="ltr">CMS media storage areas are secured using authorized CMS badge-controlled entry systems. The Physical Access Control System Central (PACS Central) is the system used by CMS for this purpose.&nbsp;</p><p dir="ltr">If you have a CMS Personal Identity Verification (PIV) card, you can use it to request access to secure areas. 
You can also use it to get remote access to PACS via CMS Virtual Private Network (VPN). Upon approval, access to the requested area will be added to your PIV card.</p><p dir="ltr">CMS is responsible for granting and monitoring access to media storage areas. Contact the Security Control Center (24 hours a day) by calling 410-786-2929 or by emailing&nbsp;<a href="mailto:security@cms.hhs.gov">security@cms.hhs.gov</a>.&nbsp;&nbsp;</p><h3 dir="ltr">Physical control of media storage</h3><p dir="ltr">These are the guidelines for the physical control of media storage at CMS:</p><ul><li dir="ltr">Storage for&nbsp;<strong>digital media</strong> originating from or related to an information system must adhere to the&nbsp;<a href="https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf">HHS STANDARD § 164.310(d)(1) for Device and Media Control</a>. Following these guidelines, the media must be securely stored in secure off-site storage, or using the safeguards prescribed for the highest security level.</li><li dir="ltr"><strong>Non-digital media</strong> relating to an information system are stored in access-controlled spaces. However, MP processes must be adopted to cover all CMS locations, including but not limited to IaaS Cloud, PaaS Cloud, and Virtual Data Centers (VDCs). These methods protect media until they are destroyed or sanitized using CMS-approved equipment, techniques, and procedures that comply with&nbsp;<a href="https://csrc.nist.gov/pubs/sp/800/88/r1/final">NIST SP 800-88, Guidelines for Media Sanitization</a>.</li><li dir="ltr">All information — both digital and non-digital — must adhere to the&nbsp;<a href="https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf">HHS STANDARD § 164.310(d)(1) for Device and Media Control</a>. 
The information must be treated and labeled appropriately to identify that it may contain sensitive information when stored at the off-site storage facility. All information, including encrypted media, must be secured and locked.</li></ul><h3 dir="ltr">CMS policy on using external storage devices</h3><p dir="ltr">Due to security concerns, the use of external storage devices is highly restricted. CMS doesn't want anyone to use external storage devices (CMS or personal) for any reason.&nbsp;<strong>All CMS staff should use Box or SharePoint to transfer business or personal files</strong>. All standard file types are supported with Box and SharePoint.&nbsp;</p><h2 dir="ltr">Media Transport&nbsp;</h2><p dir="ltr">Media Transport activities include the actual transporting of media from one location to another, in addition to security-related activities such as:</p><ul><li dir="ltr">Releasing media for transport in a manner consistent with regulations</li><li dir="ltr">Ensuring that media goes through transport processes that are appropriate to the sensitivity level of the data that's on the media</li><li dir="ltr">Ensuring the “chain of custody” is established so that an authorized person is always in control of media containing any sensitive information</li></ul><h3 dir="ltr">Who is authorized to transport media?</h3><p dir="ltr">Media can be transported by approved individuals outside the organization when appropriate. Authorized transport and courier personnel may include employees from the U.S. Postal Service or a commercial delivery service such as UPS, FedEx, or DHL, for example. 
CMS personnel responsible for the media must ensure they can:</p><ul><li dir="ltr">Track the media in transit</li><li dir="ltr">Determine a delivery confirmation (at minimum)</li><li dir="ltr">Ensure a signature confirmation if required (based on the sensitivity or classification of the data contained on the media)</li></ul><h3 dir="ltr">Controlled areas</h3><p dir="ltr">Controlled areas are an important part of secure media transport. Controlled areas are spaces where physical or procedural controls are provided by organizations in order to meet requirements established for protecting information and systems. These controls ensure accountability in the proper handling of media that is in transport. This reduces the risk of media becoming vulnerable to unauthorized use and disclosure through loss, theft, or other mishandling.</p><h3 dir="ltr">Protecting media in transport</h3><p dir="ltr">When media containing sensitive information is being transported outside of controlled areas, it must be protected using physical and technical safeguards. This applies to both digital and non-digital media. 
Whatever safeguards are implemented should&nbsp;<strong>align with the security category or classification of the information residing on the media</strong>.</p><p dir="ltr">Examples of safeguards to protect media during transport include:</p><ul><li dir="ltr">Using a FIPS 140-2 validated encryption module or mechanism where applicable on soft copy or digital media</li><li dir="ltr">Using a locked and secure container for hard copy media</li><li dir="ltr">Ensuring media is handled by authorized personnel to maintain the “chain of custody” during transport and delivery</li><li dir="ltr">Using cryptographic mechanisms for digital assets, which can provide confidentiality and integrity protections depending upon the mechanisms used</li></ul><h3 dir="ltr">Establishing Media Transport requirements</h3><p dir="ltr">Business Owners are required to establish security requirements for activities associated with the transport of media related to their information systems. These requirements should:&nbsp;</p><ul><li dir="ltr">Align with CMS assessments of risk based on Information Type from the&nbsp;<a href="https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization">FIPS 199 Security Category</a></li><li dir="ltr">Maintain accountability by restricting transport activities to authorized personnel and keeping explicit records of transport activities as the media moves through the transportation system</li><li dir="ltr">Implement safeguards to prevent and detect media loss, destruction, or tampering</li><li dir="ltr">Maintain the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records</li></ul><p dir="ltr">Business Owners should refer to the&nbsp;<a href="https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#media-protection-mp">Media Protection (MP) section of the IS2P2</a> when 
developing Media Transport requirements for their information systems. In general, the guidance is to protect and control digital and non-digital media containing sensitive information during transport outside of controlled areas using cryptography and tamper-evident packaging.&nbsp;</p><p dir="ltr">Additionally, the following safeguards should be implemented as necessary (depending on the sensitivity level of the data contained on the media).</p><p dir="ltr"><strong>Hand-carried media</strong></p><p dir="ltr">If hand carried, use a securable container, such as a locked briefcase. Ensure the secured container is handled&nbsp;<strong>only</strong> by authorized personnel at every step of the media transport. CMS restricts the transport of sensitive media to authorized personnel commensurate with the sensitivity level of the data.</p><p dir="ltr"><strong>Shipped media</strong></p><p dir="ltr">If shipped via USPS (preferred) or a commercial carrier, use tamper-evident or tamper resistant packaging. This tamper-resistant packaging should be contained within the shipping box. 
Utilize package tracking, with receipt of delivery confirmation as a minimum (and signature confirmation if the sensitivity of the data on the media requires it).&nbsp;</p><h3 dir="ltr">Foreign travel</h3><p dir="ltr">Unless on official government travel, CMS prohibits international transportation of all devices capable of connecting to the CMS network, without explicit approval from the agency head.&nbsp;</p><p dir="ltr">All CMS employees and contractors, traveling on&nbsp;<strong>official CMS business</strong> outside the United States and its territories, with devices that can connect to the CMS network, are required to complete all foreign travel security awareness requirements prior to traveling.</p><p dir="ltr">For detailed foreign travel requirements please refer to the&nbsp;<a href="https://share.cms.gov/Office/OIT/ISPG/DSI/ISPG%20DSI%20Foreign%20Travel%20Library/CMS%20Foreign%20Travel%20Security%20SOP.pdf#search=foriegn%20travel">CMS Foreign Travel Security SOP</a>.</p><h3 dir="ltr">Transporting backup media</h3><p dir="ltr">Backup media are storage devices that people use to save electronic file backups. These devices can be physical, such as a hard drive, or network-based, such as cloud storage. Backup media can be used to protect personal data or critical business data.&nbsp;</p><p dir="ltr">To transport CMS backup media, it must be inserted into padded, lockable, static-resistant containers and hand-carried, by authorized personnel, to a vehicle owned by a storage facility. Then it is transported to the secure off-site storage facility, remaining under the protection of authorized personnel.</p><h3 dir="ltr">Protected Health Information (PHI)</h3><p dir="ltr">CMS provides guidance for systems processing, storing, or transmitting Protected Health Information (PHI):</p><p dir="ltr">Under the HIPAA Security Rule, cryptographic protection of PHI is an addressable implementation specification. “Addressable” does not mean optional: the organization must assess whether the safeguard is reasonable and appropriate and, if it is not implemented, document why and apply an equivalent alternative measure. 
Using cryptographic protection allows the organization to utilize the “Safe Harbor” provision under the Breach Notification Rule. If PHI is encrypted pursuant to the Guidance Specifying the Technologies and Methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals, then no breach notification is required.</p><h3 dir="ltr">Data encryption</h3><p dir="ltr">CMS users are required to follow the data encryption standards, in accordance with the&nbsp;<a href="https://intranet.hhs.gov/policy/hhs-policy-encryption-computing-devices-and-information">HHS Standard for Encryption of Computing Devices</a> to ensure information is protected from unauthorized disclosure. CMS also uses data encryption software that automatically encrypts data on Government Furnished Equipment (GFE).</p><h2 dir="ltr">Media Sanitization</h2><p dir="ltr">Media sanitization is the process of removing data from storage media in a way that makes it difficult for third parties to retrieve. The goal is to ensure that sensitive data is not accidentally released, and that even advanced forensic tools can't recover it. Media sanitization is an important aspect of protecting sensitive information throughout its life cycle.</p><p dir="ltr">At CMS, we follow guidance from NIST to properly sanitize media that contains sensitive information before the media is reused or disposed of. This ensures that we protect CMS sensitive information from unauthorized use or disclosure.&nbsp;</p><p dir="ltr">Once media has been sanitized, if it is not being reused, it can be destroyed or disposed of. 
CMS applies media destruction and disposal procedures that are approved by the federal government to ensure that information does not become available to unauthorized personnel.</p><p dir="ltr">Before sanitizing or disposing of media, CMS Business and System Owners should consider any regulations or requirements that may affect the disposal process.</p><p dir="ltr">For&nbsp;<strong>privacy considerations</strong>, contact designated officials with privacy responsibilities (for example, Privacy Officer).</p><p dir="ltr">For&nbsp;<strong>records retention considerations</strong>, contact&nbsp;<a href="mailto:Records_Retention@cms.hhs.gov">Records_Retention@cms.hhs.gov</a>.</p><h3 dir="ltr">Media Sanitization methods</h3><p dir="ltr">According to NIST, media sanitization applies to all information system media. NIST recommendations for sanitizing media include the clearing, purging, cryptographic erasing, or destruction of sensitive information that is stored on any media — before that media is released for reuse or disposal. 
This includes both digital and non-digital media.&nbsp;</p><p dir="ltr">Sanitization of&nbsp;<strong>digital media</strong> could include removing sensitive information from scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices.&nbsp;</p><p dir="ltr">Sanitization of&nbsp;<strong>non-digital</strong> media could include removing a classified appendix from an otherwise unclassified document, or redacting selected sections from a document.&nbsp;&nbsp;</p><p dir="ltr">Before utilizing any sanitization techniques, the following steps should be taken in preparation:</p><ul><li dir="ltr">Categorize the information within the media according to its sensitivity</li><li dir="ltr">Assess the nature of the medium on which the information is recorded</li><li dir="ltr">Assess the risk to confidentiality if the information were to be exposed</li><li dir="ltr">Determine plans for reuse or disposal of the media (being mindful of cost and environmental impact)</li></ul><p dir="ltr">Acceptable minimum sanitization recommendations for media can be found in Appendix A of the&nbsp;<a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf">NIST SP 800-88: Guidelines for Media Sanitization</a>.</p><h3 dir="ltr">Media Sanitization requirements at CMS</h3><p dir="ltr">The following media sanitization and disposal standards apply to everyone at CMS. This includes external contractors working outside of the CMS Central Offices and Regional Offices locations whose contract produces media on behalf of CMS. 
At the end of the media lifecycle, the media MUST be sanitized according to CMS policy.&nbsp;&nbsp;</p><p dir="ltr"><strong>Digital media</strong></p><p dir="ltr">With oversight of operations of all CMS data centers (physical, virtual, and cloud), CMS personnel who are responsible for media must ensure that all confidential or classified information is sanitized and disposed of properly.&nbsp;</p><p dir="ltr">This must be done in accordance with the policies, procedures, and standards established by these federal agencies:</p><ul><li dir="ltr"><a href="https://www.nsa.gov/portals/75/documents/resources/everyone/media-destruction/storage-device-declassification-manual.pdf">NSA/CSS Storage Device Sanitization Manual</a> (National Security Agency)</li><li dir="ltr"><a href="https://www.dami.army.pentagon.mil/site/IndustSec/docs/DoD%20522022-m.pdf">DoD 5220.22-M, National Industrial Security Program Operating Manual</a> (Department of Defense)</li></ul><p dir="ltr">A key decision on sanitization is whether the media are planned for reuse. All media returned to the CMS Data Center (located in N1-23-00/User Lobby Window) are sanitized and excessed — they are not made available for reuse.</p><p dir="ltr">Obsolete magnetic media (such as hard drives) and optical media (such as CDs/DVDs) are sanitized in the CMS Data Center using an approved degausser for magnetic media and an approved optical media shredder for optical media.</p><p dir="ltr"><strong>Non-digital media</strong></p><p dir="ltr">Paper documents are a common type of non-digital media. For proper disposal of paper documents, the CMS Central Office in Baltimore, Washington DC (and the local surrounding buildings) provides paper-shredding options. 
This mitigates the risk of any breach of CMS sensitive information through materials and documents that may contain PII or PHI.</p><p dir="ltr">Additionally, CMS has a document shredding program that performs scheduled onsite shredding services for all Sensitive/PII/PHI paper items using designated locked shredding bins (consoles). These locked bins are located throughout CMS buildings in copier rooms and frequently used areas. This program is accomplished through a collaboration with the National Association for Information Destruction (NAID) AAA Certified contractor.&nbsp;</p><p dir="ltr"><strong>Additional guidance</strong></p><p dir="ltr">For additional guidance on media sanitization and disposal at CMS, please see:&nbsp;</p><ul><li dir="ltr"><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf">NIST SP 800-88: Guidelines for Media Sanitization</a> (NIST)</li><li dir="ltr"><a href="https://www.nsa.gov/portals/75/documents/resources/everyone/media-destruction/storage-device-declassification-manual.pdf">NSA/CSS Storage Device Sanitization Manual</a> (National Security Agency)</li><li dir="ltr"><a href="https://csrc.nist.gov/files/pubs/sp/800/88/r1/final/docs/sample-certificate-of-sanitization.docx">NIST Sample Certificate of Sanitization</a> (.docx file will automatically download)</li></ul><h3 dir="ltr">Verification of sanitization</h3><p dir="ltr">For&nbsp;<a href="https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization">FIPS 199 HIGH systems</a>, CMS must&nbsp;<strong>review, approve, track, document, and verify</strong> the sanitization and disposal procedures for media that is produced by or stored in the system.</p><p dir="ltr">The documentation must ensure that the procedures:&nbsp;</p><ul><li dir="ltr">Comply with defined NARA records retention policies</li><li dir="ltr">Establish accountability of personnel who reviewed and approved sanitization and disposal 
actions. The accountability is verified by logging the actions of the identified authorized personnel to include but not limited to:<ul><li dir="ltr">Identification of the types of media sanitized, specific files stored on the media, and the sanitization methods used</li><li dir="ltr">Documentation of date/time of the sanitization</li><li dir="ltr">Identification of personnel who performed the sanitization</li><li dir="ltr">Verification that the sanitization of the media was effective prior to disposal</li></ul></li></ul><p dir="ltr">The CMS Data Center custodian and all other personnel involved in media sanitization, including those outside of CMS CO/RO, must follow MP-06(01) control guidelines (from the&nbsp;<a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS ARS</a>). For media that have been added to the CMS property management hand receipt inventory (asset has been issued a CMS Asset Tag number/Barcode/Decal Number) when performing these actions, it is required to complete&nbsp;<a href="https://intranet.hhs.gov/form/hhs-22">Form HHS-22</a>. This form includes information to support the defined sanitization and disposal actions.&nbsp;</p><h3 dir="ltr">Equipment testing</h3><p dir="ltr">All CMS sanitization equipment and procedures are tested at least annually to verify they are working as expected. 
Testing of sanitization equipment and procedures must be conducted by qualified and authorized external entities (e.g., other federal agencies or approved external service providers).</p><p dir="ltr">For CMS, an approved degausser manufacturer conducts an annual certification following guidelines approved by the National Security Agency.&nbsp;</p><h3 dir="ltr">Nondestructive techniques&nbsp;</h3><p dir="ltr">When a portable storage device is initially purchased from a manufacturer or vendor — or when a positive chain of custody for such devices is not available — NIST recommends applying nondestructive sanitization techniques prior to connecting such devices to the system.&nbsp;<strong>This is particularly applicable for&nbsp;</strong><a href="https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization"><strong>FIPS 199 HIGH systems</strong></a>.&nbsp;</p><p dir="ltr">Portable storage may contain malicious code that can be transferred to information systems through USB ports or other entry portals. 
While scanning portable storage devices for malicious code is recommended, sanitization provides additional assurance that the devices are free of malicious code.</p><p dir="ltr">CMS considers the use of nondestructive sanitization techniques:</p><ul><li dir="ltr">Prior to initial use after purchase</li><li dir="ltr">When obtained from an unknown (potentially untrustworthy) source&nbsp;</li><li dir="ltr">When the organization loses a positive chain of custody</li><li dir="ltr">When the device was connected to a lower assurance network/system based on&nbsp;<a href="https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization">FIPS 199 security categorization</a></li></ul><h3>Remote sanitization&nbsp;</h3><p dir="ltr">CMS is required to remotely purge or wipe information on CMS High Value Asset (HVA) systems and components if the HVA or its components are obtained by unauthorized individuals.&nbsp;</p><p dir="ltr">NIST recommends several methods for remote purging or wiping of information:</p><ul><li dir="ltr">Overwriting data or information multiple times</li><li dir="ltr">Destroying the key necessary to decrypt encrypted data</li></ul><p dir="ltr">For any remote sanitization method, a strong authentication system should be in place to prevent unauthorized individuals from accidentally purging or wiping information from a HVA system or component.</p><h2 dir="ltr">Media Use&nbsp;</h2><p dir="ltr">Guidelines around Media Use are set up to ensure appropriate use of information system media. 
Safeguards around Media Use can be technical or nontechnical, and they can include policies, procedures, and rules of behavior.&nbsp;</p><p dir="ltr">NIST recommends that organizations employ safeguards such as:&nbsp;</p><ul><li dir="ltr">Restricting the use of portable storage devices by using physical cages on workstations to prohibit access to certain external ports</li><li dir="ltr">Removing the ability to insert, read, or write to such devices</li><li dir="ltr">Restricting the use of portable storage devices based on the type of device (for example, prohibiting those that are writable)</li><li dir="ltr">Limiting the use of portable storage devices to those that are provided by the organization (or by other approved organizations)</li><li dir="ltr">Prohibiting the use of portable storage devices that are personally owned</li></ul><p dir="ltr">At CMS, Media Use safeguards include:</p><ul><li dir="ltr">Restricting the use of certain types of media (such as flash drives or external hard disk drives) on CMS systems</li><li dir="ltr">Prohibiting the use of portable storage devices in CMS information systems when such devices have no identifiable owner</li><li dir="ltr">Requiring identifiable owners of removable media that stores sensitive information (such as PII) — so there is accountability for managing the media and responding in the event of a privacy breach</li></ul><h3 dir="ltr">How does Media Use affect me?</h3><p dir="ltr">Everyone at CMS should be aware that:</p><ul><li dir="ltr">CMS prohibits the use of&nbsp;<strong>personally owned media</strong> (such as flash drives, hard disk drives, and other portable storage devices) on CMS defined systems or system components.&nbsp;</li><li dir="ltr">CMS prohibits the use of<strong> portable storage devices</strong> in CMS systems when such devices have no identifiable owner (including “unauthorized” devices to the GFE or VDI session).</li><li dir="ltr"><strong>Wireless devices</strong> (such as Bluetooth) are not 
permitted to be used&nbsp;<em>unless you have explicit approval</em> from the Authorizing Official (AO).</li></ul><h3 dir="ltr">Policies for Media Use</h3><p dir="ltr">The safeguards on Media Use at CMS (described above) are aligned with guidance from the following policies:</p><ul><li dir="ltr"><a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS ARS</a></li><li dir="ltr"><a href="https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2">CMS IS2P2</a></li><li dir="ltr"><a href="https://intranet.hhs.gov/policy/hhs-policy-information-security-and-privacy-protection-is2p">HHS IS2P</a></li><li dir="ltr"><a href="https://intranet.hhs.gov/policy/hhs-policy-mobile-devices-and-removable-media">HHS Policy for Mobile Devices and Removable Media</a></li><li dir="ltr"><a href="https://security.cms.gov/policy-guidance/hhs-policy-rules-behavior-use-information-it-resources">HHS Policy for Rules of Behavior for Use of Information and IT Resources</a> (This document establishes the acceptable and unacceptable use of desktop/laptop and other information technology resources that are owned, leased, or controlled by CMS.)</li></ul><p><a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Downloads/POLICY_DL_WirelessClientAccess.pdf">CMS Policy for Wireless Client Access</a> (This document establishes parameters for the security of wireless access based on acceptable government and private industry standards.)</p></div></section></div></div></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div 
Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accountability Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO 
Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 
Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization 
(OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero 
Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident 
Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice 
(SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 
Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row 
grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock 
icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not 
found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[3055,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"907\",\"static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js\"],\"default\"]\n18:T96af,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eWhat is Media Protection (MP)?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eMedia Protection (MP) is the safeguarding of media within an organization. The term “media” broadly refers to physical devices or writing surfaces. This includes all channels of communication with storage capabilities — everything from printed paper to digital data onto which information is recorded, stored, or printed within an information system.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eTracking the creation, distribution, storage and use of any form of media can be challenging, so it's important for government agencies to have clear policies and guidance around media protections for their information systems. 
Organizations must clearly define:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eWho has the authority to access, transport, and share media\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhich devices can be used to store and transport media\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHow to properly destroy expired media\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eHaving clear policies around these practices allows government agencies to protect the data that is critical to their missions. CMS provides this handbook as a guide for implementing the Media Protection (MP) family of controls at the organization, process, and/or system level for all CMS information assets and data.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eMedia Protection at CMS\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe MP security requirements addressed in this handbook are taken from the\u0026nbsp;\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf\"\u003eNational Institute of Standards and Technology (NIST) Special Publication 800-53, Rev 5\u003c/a\u003e and tailored to the Centers for Medicare and Medicaid Services (CMS) environment in the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe ARS MP minimum standard controls are designed to protect CMS media and files from unauthorized access, use, or disclosure, to ensure the safe handling of media and files in their life cycle, and to ensure the safe destruction of media and files when they are no longer needed.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eBy following the processes outlined below, CMS can:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePromote accountability for handling media responsibly\u003c/li\u003e\u003cli dir=\"ltr\"\u003eReduce risk by limiting events that could expose media to unauthorized use or disclosure, loss, theft, or 
other mishandling\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEnsure CMS compliance with federal laws and regulations such as\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma\"\u003eFISMA\u003c/a\u003e and\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/health-insurance-portability-and-accountability-act-1996-hipaa\"\u003eHIPAA\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eGetting help\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eFor policy and guidance questions regarding Media Protection at CMS, contact the\u0026nbsp;\u003cstrong\u003eISPG Policy and Privacy team\u003c/strong\u003e via email at:\u003cstrong\u003e \u003c/strong\u003e\u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e. Or find us in CMS Slack: \u003cem\u003e#ispg-sec_privacy-policy\u003c/em\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf you have questions or need assistance regarding various aspects of Media Protection at CMS, you can reach out to the following groups:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eCMS Office of Strategic Operations and Regulatory Affairs (OSORA)\u003c/strong\u003e |\u0026nbsp;\u003ca href=\"mailto:OSORA_Regs_Scheduling@cms.hhs.gov\"\u003eOSORA_Regs_Scheduling@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eCMS Records Retention\u003c/strong\u003e |\u0026nbsp;\u003ca href=\"mailto:Records_Retention@cms.hhs.gov\"\u003eRecords_Retention@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eMedia Access\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAs part of CMS media protection, there are rules about who can access CMS system media that contains sensitive information. This is known as Media Access control. It applies to both digital media and hard copy media (such as paper, microfilm, or microfiche). 
It applies to mobile devices with storage capabilities, and to systems that process, store, or transmit Personally Identifiable Information (PII) or Protected Health Information (PHI). Media Access guidelines are described below.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eLimit access to people who need it\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe Media Access rules that identify who can access sensitive media are defined in the\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan\u003c/a\u003e for any CMS system. Access is restricted to defined personnel or roles with a valid need to know based on the functions required to perform their job duties. Activities that limit access can include:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eDisabling Compact Disc (CD)/Digital Versatile Disc (DVD) writers\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAllowing access to CD/DVD viewing and downloading capabilities only to authorized persons or roles (defined in the applicable\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan\u003c/a\u003e)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eDisabling access to Universal Serial Bus (USB) ports and allowing use of USB device capabilities only by authorized persons or defined roles (defined in the applicable\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan\u003c/a\u003e)\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eRequire training before giving access\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eBefore accessing any CMS systems or data, all CMS employees and contractors with potential access to sensitive information, such as PII or PHI, must complete yearly\u0026nbsp;\u003ca 
href=\"https://security.cms.gov/policy-guidance/cms-cybersecurity-and-privacy-handbook#take-required-isspa-training\"\u003eInformation System Security and Privacy Awareness (ISSPA) training\u003c/a\u003e, along with any\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/role-based-training-rbt\"\u003erole-based training\u003c/a\u003e required for their level of access to CMS information and systems. These trainings must be completed within 60 days of hire (and annually thereafter).\u003c/p\u003e\u003cp dir=\"ltr\"\u003eFor additional processes that need to be followed by all CMS employees and contractors with potential access to CMS data and/or sensitive information, please see the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-access-control-handbook\"\u003eCMS Access Control (AC) Handbook\u003c/a\u003e and\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-13-personnel-security-ps\"\u003ePersonnel Security (PS) Handbook\u003c/a\u003e.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eMedia Marking\u0026nbsp;\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eMedia Marking is a process that identifies the security markings, distribution limitations, and handling caveats for information system media. NIST and the National Archives and Records Administration (NARA) both provide guidance on security marking and labeling as required by the Executive Order (E.O.) 
13526 and its implementing directive, 32 CFR Part 2001, to prescribe a uniform security classification system.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf\"\u003eWithin NIST SP 800-53\u003c/a\u003e, the guidance on Media Marking includes:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eSecurity marking\u003c/strong\u003e: This is the application or use of human-readable attributes to enable organizational process-based enforcement of information security policies. Security marking is typically\u0026nbsp;\u003cem\u003ewritten upon the media\u003c/em\u003e.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eSecurity labeling\u003c/strong\u003e: This is the explicit or implicit marking of a data structure or output media associated with an information system representing the\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\"\u003eFIPS 199 security category\u003c/a\u003e. It could also indicate distribution limits or handling caveats of the information contained within the media. Security labeling is typically\u0026nbsp;\u003cem\u003einternal to the media\u003c/em\u003e.\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eWhat media must be marked?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eSecurity marking is typically\u0026nbsp;\u003cstrong\u003erequired\u003c/strong\u003e for any media that contains information with distribution limits or handling caveats. This includes sensitive, controlled, classified, or confidential information.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eSecurity marking is generally\u0026nbsp;\u003cstrong\u003enot required\u003c/strong\u003e for media containing information determined to be in the public domain or to be publicly releasable. 
However, some organizations may require markings for public information indicating that the information\u0026nbsp;\u003cstrong\u003eis\u003c/strong\u003e publicly releasable.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eMedia Marking process at CMS\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAt CMS, everyone should mark and label system media appropriately to ensure it is protected according to its sensitivity. All CMS information system media, both digital and non-digital, must be marked in accordance with the relevant CMS policies and procedures for Media Protection that can be found in the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"\u003eCMS IS2P2\u003c/a\u003e and\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eARS\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe CMS process for Media Marking includes the following:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eMedia Marking for digital media\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eFor external media types such as CDs and USB Drives, the Business or System Owner (BO/SO) is responsible for ensuring the appropriate media marking/labeling (including the CUI Control Marking and the designating organization).\u0026nbsp;\u003cul\u003e\u003cli dir=\"ltr\"\u003eThe BO should follow the\u0026nbsp;\u003ca href=\"https://share.cms.gov/office/OSORA/SitePages/CUI.aspx\"\u003eCMS CUI Program Guide\u003c/a\u003e, which includes guidelines for marking/labeling media as CUI, Sensitive, Confidential, etc. 
More information on CMS Controlled Unclassified Information (CUI)\u0026nbsp;\u003ca href=\"https://share.cms.gov/office/OSORA/SitePages/CUI.aspx\"\u003ecan be found here\u003c/a\u003e (internal link; CMS login required).\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor questions about marking and managing of CUI at CMS, contact the\u0026nbsp;\u003ca href=\"https://www.cms.gov/about-cms/leadership/office-strategic-operations-regulatory-affairs\"\u003eCMS Office of Strategic Operations and Regulatory Affairs (OSORA)\u003c/a\u003e.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor overall guidance about CUI marking, see the\u0026nbsp;\u003ca href=\"https://www.archives.gov/files/cui/20161206-cui-marking-handbook-v1-1.pdf\"\u003eCUI Marking Handbook from NARA\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eVolume serial number (VOLSER) scans are performed on Unix and Mainframe media prior to shipment to the secure, off-site storage facility.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eMedia are classified and labeled as Confidential.\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eMedia Marking for non-digital media\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eNon-digital media, such as paper and microfilm, should also be marked appropriately to indicate the sensitivity classification of the information they contain (based on applicable record retention regulations).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eReport mishandling of protected information\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAdvise CMS management immediately if any CMS sensitive information is disclosed, mishandled, or used in an inconsistent manner (whether intentionally or unintentionally). 
The\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\"\u003eCMS Incident Response Handbook\u003c/a\u003e outlines the procedures for reporting all suspected security incidents.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eMedia Storage\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eMedia Storage is the process that ensures the security of media containing sensitive information when it is neither in active use nor in transit. CMS physically controls and securely stores digital and non-digital media in accordance with:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://csrc.nist.gov/pubs/sp/800/88/r1/final\"\u003eNIST SP 800-88 (Guidelines for Media Sanitization)\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-information-security-and-privacy-protection-is2p\"\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/hhs-policy-rules-behavior-use-information-it-resources\"\u003eHHS Policy for Rules of Behavior for Use of Information and IT Resources (ROB)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eBy aligning CMS Media Storage processes with these authorities, we ensure sufficient physical and procedural safeguards to meet the federal requirements established for protecting information and information systems.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHow does Media Storage affect me?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eEveryone at CMS\u003c/strong\u003e is expected to follow proper media storage requirements for any media they create, store, or manage that contains CMS sensitive information. This applies to both digital and non-digital media. 
It applies to CMS employees, staff, contractors, interns, and personnel — whether they are working onsite at CMS, or working from a telework or alternate duty station (ADS) location.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eBusiness and System Owners\u003c/strong\u003e are responsible for documenting the entire media protection process, including handling, storage, and sanitization.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eSecuring media storage areas\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eCMS media storage areas are secured using authorized CMS badge-controlled entry systems. The Physical Access Control System Central (PACS Central) is the system used by CMS for this purpose.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf you have a CMS Personal Identity Verification (PIV) card, you can use it to request access to secure areas. You can also use it to get remote access to PACS via CMS Virtual Private Network (VPN). Upon approval, access to the requested area will be added to your PIV card.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCMS is responsible for granting and monitoring access to media storage areas. Contact the Security Control Center (24 hours a day) by calling 410-786-2929 or by emailing\u0026nbsp;\u003ca href=\"mailto:security@cms.hhs.gov\"\u003esecurity@cms.hhs.gov\u003c/a\u003e.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003ePhysical control of media storage\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThese are the guidelines for the physical control of media storage at CMS:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eStorage for\u0026nbsp;\u003cstrong\u003edigital media\u003c/strong\u003e originating from or related to an information system must adhere to the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf\"\u003eHHS STANDARD § 164.310(d)(1) for Device and Media Control\u003c/a\u003e. 
Following these guidelines, the media must be securely stored in secure off-site storage, or using the safeguards prescribed for the highest security level.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eNon-digital media\u003c/strong\u003e relating to an information system are stored in access-controlled spaces. However, MP processes must be adopted to cover all CMS locations, including but not limited to IaaS Cloud, PaaS Cloud, and Virtual Data Centers (VDCs). These methods protect media until they are destroyed or sanitized using CMS-approved equipment, techniques, and procedures that comply with\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/pubs/sp/800/88/r1/final\"\u003eNIST SP 800-88, Guidelines for Media Sanitization\u003c/a\u003e.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAll information — both digital and non-digital — must adhere to the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf\"\u003eHHS STANDARD § 164.310(d)(1) for Device and Media Control\u003c/a\u003e. The information must be treated and labeled appropriately to identify that it may contain sensitive information when stored at the off-site storage facility. All information, including encrypted media, must be secured and locked.\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eCMS policy on using external storage devices\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eDue to security concerns, the use of external storage devices is highly restricted. CMS doesn't want anyone to use external storage devices (CMS or personal) for any reason.\u0026nbsp;\u003cstrong\u003eAll CMS staff should use Box or SharePoint to transfer business or personal files\u003c/strong\u003e. 
All standard file types are supported with Box and SharePoint.\u0026nbsp;\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eMedia Transport\u0026nbsp;\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eMedia Transport activities include the actual transporting of media from one location to another, in addition to security-related activities such as:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eReleasing media for transport in a manner consistent with regulations\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEnsuring that media goes through transport processes that are appropriate to the sensitivity level of the data that's on the media\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEnsuring the “chain of custody” is established so that an authorized person is always in control of media containing any sensitive information\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eWho is authorized to transport media?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eMedia can be transported by approved individuals outside the organization when appropriate. Authorized transport and courier personnel may include employees from the U.S. Postal Service or a commercial delivery service such as UPS, FedEx, or DHL. CMS personnel responsible for the media must ensure they can:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eTrack the media in transit\u003c/li\u003e\u003cli dir=\"ltr\"\u003eDetermine a delivery confirmation (at minimum)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEnsure a signature confirmation if required (based on the sensitivity or classification of the data contained on the media)\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eControlled areas\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eControlled areas are an important part of secure media transport. Controlled areas are spaces where physical or procedural controls are provided by organizations in order to meet requirements established for protecting information and systems. 
These controls ensure accountability in the proper handling of media that is in transport. This reduces the risk of media becoming vulnerable to unauthorized use and disclosure through loss, theft, or other mishandling.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eProtecting media in transport\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eWhen media containing sensitive information is being transported outside of controlled areas, it must be protected using physical and technical safeguards. This applies to both digital and non-digital media. Whatever safeguards are implemented should\u0026nbsp;\u003cstrong\u003ealign with the security category or classification of the information residing on the media\u003c/strong\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eExamples of safeguards to protect media during transport include:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eUsing a FIPS 140-2 validated encryption module or mechanism where applicable on soft copy or digital media\u003c/li\u003e\u003cli dir=\"ltr\"\u003eUsing a locked and secure container for hard copy media\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEnsuring media is handled by authorized personnel to maintain the “chain of custody” during transport and delivery\u003c/li\u003e\u003cli dir=\"ltr\"\u003eUsing cryptographic mechanisms for digital assets, which can provide confidentiality and integrity protections depending upon the mechanisms used\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eEstablishing Media Transport requirements\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eBusiness Owners are required to establish security requirements for activities associated with the transport of media related to their information systems. 
These requirements should:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eAlign with CMS assessments of risk based on Information Type from the\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\"\u003eFIPS 199 Security Category\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eMaintain accountability by restricting transport activities to authorized personnel and keeping explicit records of transport activities as the media moves through the transportation system\u003c/li\u003e\u003cli dir=\"ltr\"\u003eImplement safeguards to prevent and detect media loss, destruction, or tampering\u003c/li\u003e\u003cli dir=\"ltr\"\u003eMaintain the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eBusiness Owners should refer to the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#media-protection-mp\"\u003eMedia Protection (MP) section of the IS2P2\u003c/a\u003e when developing Media Transport requirements for their information systems. In general, the guidance is to protect and control digital and non-digital media containing sensitive information during transport outside of controlled areas using cryptography and tamper-evident packaging.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAdditionally, the following safeguards should be implemented as necessary (depending on the sensitivity level of the data contained on the media).\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eHand-carried media\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf hand carried, use a securable container, such as a locked briefcase. 
Ensure the secured container is handled\u0026nbsp;\u003cstrong\u003eonly\u003c/strong\u003e by authorized personnel at every step of the media transport. CMS restricts the transport of sensitive media to authorized personnel commensurate with the sensitivity level of the data.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eShipped media\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf shipped via USPS (preferred) or a commercial carrier, use tamper-evident or tamper resistant packaging. This tamper-resistant packaging should be contained within the shipping box. Utilize package tracking, with receipt of delivery confirmation as a minimum (and signature confirmation if the sensitivity of the data on the media requires it).\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eForeign travel\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eUnless on official government travel, CMS prohibits international transportation of all devices capable of connecting to the CMS network, without explicit approval from the agency head.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAll CMS employees and contractors, traveling on\u0026nbsp;\u003cstrong\u003eofficial CMS business\u003c/strong\u003e outside the United States and its territories, with devices that can connect to the CMS network, are required to complete all foreign travel security awareness requirements prior to traveling.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eFor detailed foreign travel requirements please refer to the\u003ca href=\"https://share.cms.gov/Office/OIT/ISPG/DSI/ISPG%20DSI%20Foreign%20Travel%20Library/CMS%20Foreign%20Travel%20Security%20SOP.pdf#search=foriegn%20travel\"\u003e\u0026nbsp;CMS Foreign Travel Security SOP\u003c/a\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eTransporting backup media\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eBackup media are storage devices that people use to save electronic file backups. 
These devices can be physical, such as a hard drive, or network-based, such as cloud storage. Backup media can be used to protect personal data or critical business data.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eFor transport, CMS backup media must be inserted into padded, lockable, static-resistant containers and hand-carried by authorized personnel to a vehicle owned by a storage facility. The media is then transported to the secure off-site storage facility, remaining under the protection of authorized personnel.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eProtected Health Information (PHI)\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eCMS provides guidance for systems processing, storing, or transmitting Protected Health Information (PHI):\u003c/p\u003e\u003cp dir=\"ltr\"\u003eUnder the HIPAA Security Rule, cryptographic protection of PHI is an addressable implementation specification. Using cryptographic protection allows the organization to utilize the “Safe Harbor” provision under the Breach Notification Rule. If PHI is encrypted pursuant to the Guidance Specifying the Technologies and Methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals, then no breach notification is required.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eData encryption\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eCMS users are required to follow the data encryption standards, in accordance with the\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-encryption-computing-devices-and-information\"\u003eHHS Standard for Encryption of Computing Devices\u003c/a\u003e to ensure information is protected from unauthorized disclosure. CMS also uses data encryption software that automatically encrypts data on Government Furnished Equipment (GFE).\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eMedia Sanitization\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eMedia sanitization is the process of removing data from storage media in a way that makes it difficult for third parties to retrieve. 
The goal is to ensure that sensitive data is not accidentally released, and that even advanced forensic tools can't recover it. Media sanitization is an important aspect of protecting sensitive information throughout its life cycle.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAt CMS, we follow guidance from NIST to properly sanitize media that contains sensitive information before the media is reused or disposed of. This ensures that we protect CMS sensitive information from unauthorized use or disclosure.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eOnce media has been sanitized, if it is not being reused, it can be destroyed or disposed of. CMS applies media destruction and disposal procedures that are approved by the federal government to ensure that information does not become available to unauthorized personnel.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eBefore sanitizing or disposing of media, CMS Business and System Owners should consider any regulations or requirements that may affect the disposal process.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eFor\u0026nbsp;\u003cstrong\u003eprivacy considerations\u003c/strong\u003e, contact designated officials with privacy responsibilities (for example, Privacy Officer).\u003c/p\u003e\u003cp dir=\"ltr\"\u003eFor\u0026nbsp;\u003cstrong\u003erecords retention considerations\u003c/strong\u003e, contact\u0026nbsp;\u003ca href=\"mailto:Records_Retention@cms.hhs.gov\"\u003eRecords_Retention@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eMedia Sanitization methods\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAccording to NIST, media sanitization applies to all information system media. NIST recommendations for sanitizing media include the clearing, purging, cryptographic erasing, or destruction of sensitive information that is stored on any media — before that media is released for reuse or disposal. 
This includes both digital and non-digital media.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eSanitization of\u0026nbsp;\u003cstrong\u003edigital media\u003c/strong\u003e could include removing sensitive information from scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eSanitization of\u0026nbsp;\u003cstrong\u003enon-digital\u003c/strong\u003e media could include removing a classified appendix from an otherwise unclassified document, or redacting selected sections from a document.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eBefore utilizing any sanitization techniques, the following steps should be taken in preparation:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eCategorize the information within the media according to its sensitivity\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAssess the nature of the medium on which the information is recorded\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAssess the risk to confidentiality if the information were to be exposed\u003c/li\u003e\u003cli dir=\"ltr\"\u003eDetermine plans for reuse or disposal of the media (being mindful of cost and environmental impact)\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eAcceptable minimum sanitization recommendations for media can be found in Appendix A of the\u0026nbsp;\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf\"\u003eNIST SP 800-88: Guidelines for Media Sanitization\u003c/a\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eMedia Sanitization requirements at CMS\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe following media sanitization and disposal standards apply to everyone at CMS. This includes external contractors working outside of the CMS Central Offices and Regional Offices locations whose contract produces media on behalf of CMS. 
At the end of the media lifecycle, the media MUST be sanitized according to CMS policy.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eDigital media\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eWith oversight of operations of all CMS data centers (physical, virtual, and cloud), CMS personnel who are responsible for media must ensure that all confidential or classified information is sanitized and disposed of properly.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThis must be done in accordance with the policies, procedures, and standards established by these federal agencies:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.nsa.gov/portals/75/documents/resources/everyone/media-destruction/storage-device-declassification-manual.pdf\"\u003eNSA/CSS Storage Device Sanitization Manual\u003c/a\u003e (National Security Agency)\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.dami.army.pentagon.mil/site/IndustSec/docs/DoD%20522022-m.pdf\"\u003eDoD 5220.22-M, National Industrial Security Program Operating Manual\u003c/a\u003e (Department of Defense)\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eA key decision on sanitization is whether the media are planned for reuse. All media returned to the CMS Data Center (located in N1-23-00/User Lobby Window) are sanitized and excessed — they are not made available for reuse.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eObsolete magnetic media (such as hard drives) and optical media (such as CDs/DVDs) are sanitized in the CMS Data Center using an approved degausser for magnetic media and an approved optical media shredder for optical media.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eNon-digital media\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePaper documents are a common type of non-digital media. 
For proper disposal of paper documents, the CMS Central Office in Baltimore, Washington DC (and the local surrounding buildings) provides paper-shredding options. This mitigates the risk of any breach of CMS sensitive information through materials and documents that may contain PII or PHI.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAdditionally, CMS has a document shredding program that performs scheduled onsite shredding services for all Sensitive/PII/PHI paper items using designated locked shredding bins (consoles). These locked bins are located throughout CMS buildings in copier rooms and frequently used areas. This program is accomplished through a collaboration with the National Association for Information Destruction (NAID) AAA Certified contractor.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eAdditional guidance\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eFor additional guidance on media sanitization and disposal at CMS, please see:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf\"\u003eNIST SP 800-88: Guidelines for Media Sanitization\u003c/a\u003e (NIST)\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.nsa.gov/portals/75/documents/resources/everyone/media-destruction/storage-device-declassification-manual.pdf\"\u003eNSA/CSS Storage Device Sanitization Manual\u003c/a\u003e (National Security Agency)\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://csrc.nist.gov/files/pubs/sp/800/88/r1/final/docs/sample-certificate-of-sanitization.docx\"\u003eNIST Sample Certificate of Sanitization\u003c/a\u003e (.docx file will automatically download)\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eVerification of sanitization\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eFor\u0026nbsp;\u003ca 
href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\"\u003eFIPS 199 HIGH systems\u003c/a\u003e, CMS must\u0026nbsp;\u003cstrong\u003ereview, approve, track, document, and verify\u003c/strong\u003e the sanitization and disposal procedures for media that is produced by or stored in the system.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe documentation must ensure that the procedures:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eComply with defined NARA records retention policies\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEstablish accountability of personnel who reviewed and approved sanitization and disposal actions. The accountability is verified by logging the actions of the identified authorized personnel to include but not limited to:\u003cul\u003e\u003cli dir=\"ltr\"\u003eIdentification of the types of media sanitized, specific files stored on the media, and the sanitization methods used\u003c/li\u003e\u003cli dir=\"ltr\"\u003eDocumentation of date/time of the sanitization\u003c/li\u003e\u003cli dir=\"ltr\"\u003eIdentification of personnel who performed the sanitization\u003c/li\u003e\u003cli dir=\"ltr\"\u003eVerification that the sanitization of the media was effective prior to disposal\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CMS Data Center custodian and all other personnel involved in media sanitization, including those outside of CMS CO/RO, must follow MP-06(01) control guidelines (from the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS ARS\u003c/a\u003e). For media that have been added to the CMS property management hand receipt inventory (asset has been issued a CMS Asset Tag number/Barcode/Decal Number) when performing these actions, it is required to complete\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/form/hhs-22\"\u003eForm HHS-22\u003c/a\u003e. 
This form includes information to support the defined sanitization and disposal actions.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eEquipment testing\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAll CMS sanitization equipment and procedures are tested at least annually to verify they are working as expected. Testing of sanitization equipment and procedures must be conducted by qualified and authorized external entities (e.g., other federal agencies or approved external service providers).\u003c/p\u003e\u003cp dir=\"ltr\"\u003eFor CMS, an approved degausser manufacturer conducts an annual certification following guidelines approved by the National Security Agency.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eNondestructive techniques\u0026nbsp;\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eWhen a portable storage device is initially purchased from a manufacturer or vendor — or when a positive chain of custody for such devices is not available — NIST recommends applying nondestructive sanitization techniques prior to connecting such devices to the system.\u0026nbsp;\u003cstrong\u003eThis is particularly applicable for\u0026nbsp;\u003c/strong\u003e\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\"\u003e\u003cstrong\u003eFIPS 199 HIGH systems\u003c/strong\u003e\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePortable storage may contain malicious code that can be transferred to information systems through USB ports or other entry portals. 
While scanning portable storage devices for malicious code is recommended, sanitization provides additional assurance that the devices are free of malicious code.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCMS considers the use of nondestructive sanitization techniques:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrior to initial use after purchase\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhen obtained from an unknown (potentially untrustworthy) source\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhen the organization loses a positive chain of custody\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhen the device was connected to a lower assurance network/system based on\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\"\u003eFIPS 199 security categorization\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eRemote sanitization\u0026nbsp;\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eCMS is required to remotely purge or wipe information on CMS High Value Asset (HVA) systems and components if the HVA or its components are obtained by unauthorized individuals.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eNIST recommends several methods for remote purging or wiping of information:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eOverwriting data or information multiple times\u003c/li\u003e\u003cli dir=\"ltr\"\u003eDestroying the key necessary to decrypt encrypted data\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eFor any remote sanitization method, a strong authentication system should be in place to prevent unauthorized individuals from accidentally purging or wiping information from an HVA system or component.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eMedia Use\u0026nbsp;\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eGuidelines around Media Use are set up to ensure appropriate use of information system media. 
Safeguards around Media Use can be technical or nontechnical, and they can include policies, procedures, and rules of behavior.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eNIST recommends that organizations employ safeguards such as:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRestricting the use of portable storage devices by using physical cages on workstations to prohibit access to certain external ports\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRemoving the ability to insert, read, or write to such devices\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRestricting the use of portable storage devices based on the type of device (for example, prohibiting those that are writable)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eLimiting the use of portable storage devices to those that are provided by the organization (or by other approved organizations)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eProhibiting the use of portable storage devices that are personally owned\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eAt CMS, Media Use safeguards include:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRestricting the use of certain types of media (such as flash drives or external hard disk drives) on CMS systems\u003c/li\u003e\u003cli dir=\"ltr\"\u003eProhibiting the use of portable storage devices in CMS information systems when such devices have no identifiable owner\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRequiring identifiable owners of removable media that stores sensitive information (such as PII) — so there is accountability for managing the media and responding in the event of a privacy breach\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eHow does Media Use affect me?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eEveryone at CMS should be aware that:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eCMS prohibits the use of\u0026nbsp;\u003cstrong\u003epersonally owned media\u003c/strong\u003e (such as flash drives, hard disk drives, and 
other portable storage devices) on CMS defined systems or system components.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMS prohibits the use of\u003cstrong\u003e portable storage devices\u003c/strong\u003e in CMS systems when such devices have no identifiable owner (including “unauthorized” devices to the GFE or VDI session).\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eWireless devices\u003c/strong\u003e (such as Bluetooth) are not permitted to be used\u0026nbsp;\u003cem\u003eunless you have explicit approval\u003c/em\u003e from the Authorizing Official (AO).\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003ePolicies for Media Use\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe safeguards on Media Use at CMS (described above) are aligned with guidance from the following policies:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS ARS\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"\u003eCMS IS2P2\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-information-security-and-privacy-protection-is2p\"\u003eHHS IS2P\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-mobile-devices-and-removable-media\"\u003eHHS Policy for Mobile Devices and Removable Media\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/hhs-policy-rules-behavior-use-information-it-resources\"\u003eHHS Policy for Rules of Behavior for Use of Information and IT Resources\u003c/a\u003e (This document establishes the acceptable and unacceptable use of desktop/laptop and other information technology resources that are owned, leased, or controlled by 
CMS.)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Downloads/POLICY_DL_WirelessClientAccess.pdf\"\u003eCMS Policy for Wireless Client Access\u003c/a\u003e (This document establishes parameters for the security of wireless access based on acceptable government and private industry standards.)\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:T96af,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eWhat is Media Protection (MP)?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eMedia Protection (MP) is the safeguarding of media within an organization. The term “media” broadly refers to physical devices or writing surfaces. This includes all channels of communication with storage capabilities — everything from printed paper to digital data onto which information is recorded, stored, or printed within an information system.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eTracking the creation, distribution, storage and use of any form of media can be challenging, so its important for government agencies to have clear policies and guidance around media protections for their information systems. Organizations must clearly define:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eWho has the authority to access, transport, and share media\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhich devices can be used to store and transport media\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHow to properly destroy expired media\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eHaving clear policies around these practices allows government agencies to protect the data that is critical to their missions. 
CMS provides this handbook as a guide for implementing the Media Protection (MP) family of controls at the organization, process, and/or system level for all CMS information assets and data.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eMedia Protection at CMS\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe MP security requirements addressed in this handbook are taken from the\u0026nbsp;\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf\"\u003eNational Institute of Standards and Technology (NIST) Special Publication 800-53, Rev 5\u003c/a\u003e and tailored to the Centers for Medicare and Medicaid Services (CMS) environment in the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe ARS MP minimum standard controls are designed to protect CMS media and files from unauthorized access, use, or disclosure to ensure the safe handling of media and files in their life cycle, and to ensure the safe destruction of media and files when they are no longer needed.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eBy following the processes outlined below, CMS can:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePromote accountability for handling media responsibly\u003c/li\u003e\u003cli dir=\"ltr\"\u003eReduce risk by limiting events that could expose media to unauthorized use or disclosure through loss, theft, or other mishandling\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEnsure CMS compliance with federal laws and regulations such as\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma\"\u003eFISMA\u003c/a\u003e and\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/health-insurance-portability-and-accountability-act-1996-hipaa\"\u003eHIPAA\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eGetting help\u003c/h3\u003e\u003cp 
dir=\"ltr\"\u003eFor policy and guidance questions regarding Media Protection at CMS, contact the\u0026nbsp;\u003cstrong\u003eISPG Policy and Privacy team\u003c/strong\u003e via email at:\u003cstrong\u003e \u003c/strong\u003e\u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e. Or find us in CMS Slack: \u003cem\u003e#ispg-sec_privacy-policy.\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf you have questions or need assistance regarding various aspects of Media Protection at CMS, you can reach out to the following groups:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eCMS Office of Strategic Operations and Regulatory Affairs (OSORA)\u003c/strong\u003e |\u0026nbsp;\u003ca href=\"mailto:OSORA_Regs_Scheduling@cms.hhs.gov\"\u003eOSORA_Regs_Scheduling@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eCMS Records Retention\u003c/strong\u003e |\u0026nbsp;\u003ca href=\"mailto:Records_Retention@cms.hhs.gov\"\u003eRecords_Retention@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eMedia Access\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAs part of CMS media protection, there are rules about who can access CMS system media that contains sensitive information. This is known as Media Access control. It applies to both digital media and hard copy media (such as paper, microfilm, or microfiche). It applies to mobile devices with storage capabilities, and to systems that process, store, or transmit Personally Identifiable Information (PII) or Protected Health Information (PHI). 
Media Access guidelines are described below.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eLimit access to people who need it\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe Media Access rules that identify who can access sensitive media are defined in the\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan\u003c/a\u003e for any CMS system. Access is restricted to defined personnel or roles with a valid need to know based on the functions required to perform their job duties. Activities that limit access can include:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eDisabling Compact Disk (CD)/Digital Versatile Disk (DVD) writers\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAllowing access to CD/DVD viewing and downloading capabilities only to authorized persons or roles (defined in the applicable\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan\u003c/a\u003e)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eDisabling access to Universal Serial Bus (USB) ports and allowing access to using USB device capabilities only to authorized persons or in defined roles (defined in the applicable\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan\u003c/a\u003e)\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eRequire training before giving access\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eBefore accessing any CMS systems or data, all CMS employees and contractors with potential access to sensitive information, such as PII or PHI, must complete yearly\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-cybersecurity-and-privacy-handbook#take-required-isspa-training\"\u003eInformation System Security and Privacy Awareness (ISSPA) training\u003c/a\u003e, along with any\u0026nbsp;\u003ca 
href=\"https://security.cms.gov/learn/role-based-training-rbt\"\u003erole-based training\u003c/a\u003e required for their level of access to CMS information and systems. These trainings must be completed within 60 days of hire (and annually thereafter).\u003c/p\u003e\u003cp dir=\"ltr\"\u003eFor additional processes that need to be followed by all CMS employees and contractors with potential access to CMS data and/or sensitive information, please see the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-access-control-handbook\"\u003eCMS Access Control (AC) Handbook\u003c/a\u003e and\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-13-personnel-security-ps\"\u003ePersonnel Security (PS) Handbook\u003c/a\u003e.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eMedia Marking\u0026nbsp;\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eMedia Marking is a process that identifies the security markings, distribution limitations, and handling caveats for information system media. NIST and the National Archives and Records Administration (NARA) both provide guidance on security marking and labeling as required by the Executive Order (E.O.) 13526 and its implementing directive, 32 CFR Part 2001, to prescribe a uniform security classification system.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf\"\u003eWithin NIST SP 800-53\u003c/a\u003e, the guidance on Media Marking includes:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eSecurity marking\u003c/strong\u003e: This is the application or use of human-readable attributes to enable organizational process-based enforcement of information security policies. 
Security marking is typically\u0026nbsp;\u003cem\u003ewritten upon the media\u003c/em\u003e.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eSecurity labeling\u003c/strong\u003e: This is the explicit or implicit marking of a data structure or output media associated with an information system representing the\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\"\u003eFIPS 199 security category\u003c/a\u003e. It could also indicate distribution limits or handling caveats of the information contained within the media. Security labeling is typically\u0026nbsp;\u003cem\u003einternal to the media\u003c/em\u003e.\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eWhat media must be marked?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eSecurity marking is typically\u0026nbsp;\u003cstrong\u003erequired\u003c/strong\u003e for any media that contains information with distribution limits or handling caveats. This includes sensitive, controlled, classified, or confidential information.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eSecurity marking is generally\u0026nbsp;\u003cstrong\u003enot required\u003c/strong\u003e for media containing information determined to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information\u0026nbsp;\u003cstrong\u003eis\u003c/strong\u003e publicly releasable.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eMedia Marking process at CMS\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAt CMS, everyone should mark and label system media appropriately to ensure it is protected according to its sensitivity. 
All CMS information system media, both digital and non-digital, must be marked in accordance with the relevant CMS policies and procedures for Media Protection that can be found in the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"\u003eCMS IS2P2\u003c/a\u003e and\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eARS\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe CMS process for Media Marking includes the following:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eMedia Marking for digital media\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eFor external media types such as CDs and USB Drives, the Business or System Owner (BO/SO) is responsible for ensuring the appropriate media marking/labeling (including the CUI Control Marking and the designating organization).\u0026nbsp;\u003cul\u003e\u003cli dir=\"ltr\"\u003eThe BO should follow the\u0026nbsp;\u003ca href=\"https://share.cms.gov/office/OSORA/SitePages/CUI.aspx\"\u003eCMS CUI Program Guide\u003c/a\u003e, which includes guidelines for marking/labeling media as CUI, Sensitive, Confidential, etc. 
More information on CMS Controlled Unclassified Information (CUI)\u0026nbsp;\u003ca href=\"https://share.cms.gov/office/OSORA/SitePages/CUI.aspx\"\u003ecan be found here\u003c/a\u003e (internal link; CMS login required).\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor questions about marking and managing of CUI at CMS, contact the\u0026nbsp;\u003ca href=\"https://www.cms.gov/about-cms/leadership/office-strategic-operations-regulatory-affairs\"\u003eCMS Office of Strategic Operations and Regulatory Affairs (OSORA)\u003c/a\u003e.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor overall guidance about CUI marking, see the\u0026nbsp;\u003ca href=\"https://www.archives.gov/files/cui/20161206-cui-marking-handbook-v1-1.pdf\"\u003eCUI Marking Handbook from NARA\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eVolume serial number (VOLSER) scans are performed on Unix and Mainframe media prior to shipment to the secure, off-site storage facility.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eMedia are classified and labeled as Confidential.\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eMedia Marking for non-digital media\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eNon-digital media, such as paper and microfilm, should also be marked appropriately to indicate the sensitivity classification of the information they contain (based on applicable record retention regulations).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eReport mishandling of protected information\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAdvise CMS management immediately if any CMS sensitive information is disclosed, mishandled, or used in an inconsistent manner (whether intentionally or unintentionally). 
The\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\"\u003eCMS Incident Response Handbook\u003c/a\u003e outlines the procedures for reporting all suspected security incidents.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eMedia Storage\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eMedia Storage is the process that ensures the security of media containing sensitive information when its not actively in use or in transit. CMS physically controls and securely stores digital and non-digital media in accordance with:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://csrc.nist.gov/pubs/sp/800/88/r1/final\"\u003eNIST SP 800-88 (Guidelines for Media Sanitization)\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-information-security-and-privacy-protection-is2p\"\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/hhs-policy-rules-behavior-use-information-it-resources\"\u003eHHS Policy for Rules of Behavior for Use of Information and IT Resources (ROB)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eBy aligning CMS Media Storage processes with these authorities, we ensure sufficient physical and procedural safeguards to meet the federal requirements established for protecting information and information systems.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHow does Media Storage affect me?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eEveryone at CMS\u003c/strong\u003e is expected to follow proper media storage requirements for any media they create, store, or manage that contains CMS sensitive information. This applies to both digital and non-digital media. 
It applies to CMS employees, staff, contractors, interns, and personnel — whether they are working onsite at CMS, or working from a telework or alternate duty station (ADS) location.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eBusiness and System Owners\u003c/strong\u003e are responsible for documenting the entire media protection process, including handling, storage, and sanitization.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eSecuring media storage areas\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eCMS media storage areas are secured using authorized CMS badge-controlled entry systems. The Physical Access Control System Central (PACS Central) is the system used by CMS for this purpose.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf you have a CMS Personal Identity Verification (PIV) card, you can use it to request access to secure areas. You can also use it to get remote access to PACS via CMS Virtual Private Network (VPN). Upon approval, access to the requested area will be added to your PIV card.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCMS is responsible for granting and monitoring access to media storage areas. Contact the Security Control Center (24 hours a day) by calling 410-786-2929 or by emailing\u0026nbsp;\u003ca href=\"mailto:security@cms.hhs.gov\"\u003esecurity@cms.hhs.gov\u003c/a\u003e.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003ePhysical control of media storage\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThese are the guidelines for the physical control of media storage at CMS:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eStorage for\u0026nbsp;\u003cstrong\u003edigital media\u003c/strong\u003e originating from or related to an information system must adhere to the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf\"\u003eHHS STANDARD § 164.310(d)(1) for Device and Media Control\u003c/a\u003e. 
Following these guidelines, the media must be securely stored in secure off-site storage, or using the safeguards prescribed for the highest security level.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eNon-digital media\u003c/strong\u003e relating to an information system are stored in access-controlled spaces. However, MP processes must be adopted to cover all CMS locations, including but not limited to IaaS Cloud, PaaS Cloud, and Virtual Data Centers (VDCs). These methods protect media until they are destroyed or sanitized using CMS-approved equipment, techniques, and procedures that comply with\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/pubs/sp/800/88/r1/final\"\u003eNIST SP 800-88, Guidelines for Media Sanitization\u003c/a\u003e.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAll information — both digital and non-digital — must adhere to the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf\"\u003eHHS STANDARD § 164.310(d)(1) for Device and Media Control\u003c/a\u003e. The information must be treated and labeled appropriately to identify that it may contain sensitive information when stored at the off-site storage facility. All information, including encrypted media, must be secured and locked.\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eCMS policy on using external storage devices\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eDue to security concerns, the use of external storage devices is highly restricted. CMS doesn't want anyone to use external storage devices (CMS or personal) for any reason.\u0026nbsp;\u003cstrong\u003eAll CMS staff should use Box or SharePoint to transfer business or personal files\u003c/strong\u003e. 
All standard file types are supported with Box and SharePoint.\u0026nbsp;\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eMedia Transport\u0026nbsp;\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eMedia Transport activities include the actual transporting of media from one location to another, in addition to security-related activities such as:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eReleasing media for transport in a manner consistent with regulations\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEnsuring that media goes through transport processes that are appropriate to the sensitivity level of the data that’s on the media\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEnsuring the “chain of custody” is established so that an authorized person is always in control of media containing any sensitive information\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eWho is authorized to transport media?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eMedia can be transported by approved individuals outside the organization when appropriate. Authorized transport and courier personnel may include employees from the U.S. Postal Service or a commercial delivery service such as UPS, FedEx, or DHL, for example. CMS personnel responsible for the media must ensure they can:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eTrack the media in transit\u003c/li\u003e\u003cli dir=\"ltr\"\u003eDetermine a delivery confirmation (at minimum)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEnsure a signature confirmation if required (based on the sensitivity or classification of the data contained on the media)\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eControlled areas\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eControlled areas are an important part of secure media transport. Controlled areas are spaces where physical or procedural controls are provided by organizations in order to meet requirements established for protecting information and systems. 
These controls ensure accountability in the proper handling of media that is in transport. This reduces the risk of media becoming vulnerable to unauthorized use and disclosure through loss, theft, or other mishandling.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eProtecting media in transport\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eWhen media containing sensitive information is being transported outside of controlled areas, it must be protected using physical and technical safeguards. This applies to both digital and non-digital media. Whatever safeguards are implemented should\u0026nbsp;\u003cstrong\u003ealign with the security category or classification of the information residing on the media\u003c/strong\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eExamples of safeguards to protect media during transport include:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eUsing a FIPS 140-2 validated encryption module or mechanism where applicable on soft copy or digital media\u003c/li\u003e\u003cli dir=\"ltr\"\u003eUsing a locked and secure container for hard copy media\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEnsuring media is handled by authorized personnel to maintain the “chain of custody” during transport and delivery\u003c/li\u003e\u003cli dir=\"ltr\"\u003eUsing cryptographic mechanisms for digital assets, which can provide confidentiality and integrity protections depending upon the mechanisms used\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eEstablishing Media Transport requirements\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eBusiness Owners are required to establish security requirements for activities associated with the transport of media related to their information systems. 
These requirements should:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eAlign with CMS assessments of risk based on Information Type from the\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\"\u003eFIPS 199 Security Category\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eMaintain accountability by restricting transport activities to authorized personnel and keeping explicit records of transport activities as the media moves through the transportation system\u003c/li\u003e\u003cli dir=\"ltr\"\u003eImplement safeguards to prevent and detect media loss, destruction, or tampering\u003c/li\u003e\u003cli dir=\"ltr\"\u003eMaintain the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eBusiness Owners should refer to the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#media-protection-mp\"\u003eMedia Protection (MP) section of the IS2P2\u003c/a\u003e when developing Media Transport requirements for their information systems. In general, the guidance is to protect and control digital and non-digital media containing sensitive information during transport outside of controlled areas using cryptography and tamper-evident packaging.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAdditionally, the following safeguards should be implemented as necessary (depending on the sensitivity level of the data contained on the media).\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eHand-carried media\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf hand carried, use a securable container, such as a locked briefcase. 
Ensure the secured container is handled\u0026nbsp;\u003cstrong\u003eonly\u003c/strong\u003e by authorized personnel at every step of the media transport. CMS restricts the transport of sensitive media to authorized personnel commensurate with the sensitivity level of the data.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eShipped media\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf shipped via USPS (preferred) or a commercial carrier, use tamper-evident or tamper resistant packaging. This tamper-resistant packaging should be contained within the shipping box. Utilize package tracking, with receipt of delivery confirmation as a minimum (and signature confirmation if the sensitivity of the data on the media requires it).\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eForeign travel\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eUnless on official government travel, CMS prohibits international transportation of all devices capable of connecting to the CMS network, without explicit approval from the agency head.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAll CMS employees and contractors, traveling on\u0026nbsp;\u003cstrong\u003eofficial CMS business\u003c/strong\u003e outside the United States and its territories, with devices that can connect to the CMS network, are required to complete all foreign travel security awareness requirements prior to traveling.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eFor detailed foreign travel requirements please refer to the\u003ca href=\"https://share.cms.gov/Office/OIT/ISPG/DSI/ISPG%20DSI%20Foreign%20Travel%20Library/CMS%20Foreign%20Travel%20Security%20SOP.pdf#search=foriegn%20travel\"\u003e\u0026nbsp;CMS Foreign Travel Security SOP\u003c/a\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eTransporting backup media\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eBackup media are storage devices that people use to save electronic file backups. 
These devices can be physical, such as a hard drive, or network-based, such as cloud storage. Backup media can be used to protect personal data or critical business data.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eTo transport CMS backup media, it must be inserted into padded, lockable, static-resistant containers and hand-carried, by authorized personnel, to a vehicle owned by a storage facility. Then it is transported to the secure off-site storage facility, remaining under the protection of authorized personnel.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eProtected Health Information (PHI)\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eCMS provides guidance for systems processing, storing, or transmitting Protected Health Information (PHI):\u003c/p\u003e\u003cp dir=\"ltr\"\u003eUnder the HIPAA Security Rule, encryption of PHI is an addressable implementation specification. Using cryptographic protection allows the organization to utilize the “Safe Harbor” provision under the Breach Notification Rule. If PHI is encrypted pursuant to the Guidance Specifying the Technologies and Methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals, then no breach notification is required.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eData encryption\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eCMS users are required to follow the data encryption standards, in accordance with the\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-encryption-computing-devices-and-information\"\u003eHHS Standard for Encryption of Computing Devices\u003c/a\u003e to ensure information is protected from unauthorized disclosure. CMS also uses data encryption software that automatically encrypts data on Government Furnished Equipment (GFE).\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eMedia Sanitization\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eMedia sanitization is the process of removing data from storage media in a way that makes it difficult for third parties to retrieve. 
The goal is to ensure that sensitive data is not accidentally released, and that even advanced forensic tools can't recover it. Media sanitization is an important aspect of protecting sensitive information throughout its life cycle.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAt CMS, we follow guidance from NIST to properly sanitize media that contains sensitive information before the media is reused or disposed of. This ensures that we protect CMS sensitive information from unauthorized use or disclosure.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eOnce media has been sanitized, if it is not being reused, it can be destroyed or disposed of. CMS applies media destruction and disposal procedures that are approved by the federal government to ensure that information does not become available to unauthorized personnel.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eBefore sanitizing or disposing of media, CMS Business and System Owners should consider any regulations or requirements that may affect the disposal process.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eFor\u0026nbsp;\u003cstrong\u003eprivacy considerations\u003c/strong\u003e, contact designated officials with privacy responsibilities (for example, Privacy Officer).\u003c/p\u003e\u003cp dir=\"ltr\"\u003eFor\u0026nbsp;\u003cstrong\u003erecords retention considerations\u003c/strong\u003e, contact\u0026nbsp;\u003ca href=\"mailto:Records_Retention@cms.hhs.gov\"\u003eRecords_Retention@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eMedia Sanitization methods\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAccording to NIST, media sanitization applies to all information system media. NIST recommendations for sanitizing media include the clearing, purging, cryptographic erasing, or destruction of sensitive information that is stored on any media — before that media is released for reuse or disposal. 
This includes both digital and non-digital media.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eSanitization of\u0026nbsp;\u003cstrong\u003edigital media\u003c/strong\u003e could include removing sensitive information from scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eSanitization of\u0026nbsp;\u003cstrong\u003enon-digital\u003c/strong\u003e media could include removing a classified appendix from an otherwise unclassified document, or redacting selected sections from a document.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eBefore utilizing any sanitization techniques, the following steps should be taken in preparation:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eCategorize the information within the media according to its sensitivity\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAssess the nature of the medium on which the information is recorded\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAssess the risk to confidentiality if the information were to be exposed\u003c/li\u003e\u003cli dir=\"ltr\"\u003eDetermine plans for reuse or disposal of the media (being mindful of cost and environmental impact)\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eAcceptable minimum sanitization recommendations for media can be found in Appendix A of the\u0026nbsp;\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf\"\u003eNIST SP 800-88: Guidelines for Media Sanitization\u003c/a\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eMedia Sanitization requirements at CMS\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe following media sanitization and disposal standards apply to everyone at CMS. This includes external contractors working outside of the CMS Central Offices and Regional Offices locations whose contract produces media on behalf of CMS. 
At the end of the media lifecycle, the media MUST be sanitized according to CMS policy.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eDigital media\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eWith oversight of operations of all CMS data centers (physical, virtual, and cloud), CMS personnel who are responsible for media must ensure that all confidential or classified information is sanitized and disposed of properly.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThis must be done in accordance with the policies, procedures, and standards established by these federal agencies:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.nsa.gov/portals/75/documents/resources/everyone/media-destruction/storage-device-declassification-manual.pdf\"\u003eNSA/CSS Storage Device Sanitization Manual\u003c/a\u003e (National Security Agency)\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.dami.army.pentagon.mil/site/IndustSec/docs/DoD%20522022-m.pdf\"\u003eDoD 5220.22-M, National Industrial Security Program Operating Manual\u003c/a\u003e (Department of Defense)\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eA key decision on sanitization is whether the media are planned for reuse. All media returned to the CMS Data Center (located in N1-23-00/User Lobby Window) are sanitized and excessed — they are not made available for reuse.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eObsolete magnetic media (such as hard drives) and optical media (such as CDs/DVDs) are sanitized in the CMS Data Center using an approved degausser for magnetic media and an approved optical media shredder for optical media.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eNon-digital media\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePaper documents are a common type of non-digital media. 
For proper disposal of paper documents, the CMS Central Office in Baltimore, Washington DC (and the local surrounding buildings) provides paper-shredding options. This mitigates the risk of any breach of CMS sensitive information through materials and documents that may contain PII or PHI.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAdditionally, CMS has a document shredding program that performs scheduled onsite shredding services for all Sensitive/PII/PHI paper items using designated locked shredding bins (consoles). These locked bins are located throughout CMS buildings in copier rooms and frequently used areas. This program is accomplished through a collaboration with the National Association for Information Destruction (NAID) AAA Certified contractor.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eAdditional guidance\u003c/strong\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eFor additional guidance on media sanitization and disposal at CMS, please see:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf\"\u003eNIST SP 800-88: Guidelines for Media Sanitization\u003c/a\u003e (NIST)\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.nsa.gov/portals/75/documents/resources/everyone/media-destruction/storage-device-declassification-manual.pdf\"\u003eNSA/CSS Storage Device Sanitization Manual\u003c/a\u003e (National Security Agency)\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://csrc.nist.gov/files/pubs/sp/800/88/r1/final/docs/sample-certificate-of-sanitization.docx\"\u003eNIST Sample Certificate of Sanitization\u003c/a\u003e (.docx file will automatically download)\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eVerification of sanitization\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eFor\u0026nbsp;\u003ca 
href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\"\u003eFIPS 199 HIGH systems\u003c/a\u003e, CMS must\u0026nbsp;\u003cstrong\u003ereview, approve, track, document, and verify\u003c/strong\u003e the sanitization and disposal procedures for media that is produced by or stored in the system.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe documentation must ensure that the procedures:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eComply with defined NARA records retention policies\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEstablish accountability of personnel who reviewed and approved sanitization and disposal actions. The accountability is verified by logging the actions of the identified authorized personnel, including but not limited to:\u003cul\u003e\u003cli dir=\"ltr\"\u003eIdentification of the types of media sanitized, specific files stored on the media, and the sanitization methods used\u003c/li\u003e\u003cli dir=\"ltr\"\u003eDocumentation of date/time of the sanitization\u003c/li\u003e\u003cli dir=\"ltr\"\u003eIdentification of personnel who performed the sanitization\u003c/li\u003e\u003cli dir=\"ltr\"\u003eVerification that the sanitization of the media was effective prior to disposal\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CMS Data Center custodian and all other personnel involved in media sanitization, including those outside of CMS CO/RO, must follow MP-06(01) control guidelines (from the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS ARS\u003c/a\u003e). When performing these actions on media that have been added to the CMS property management hand receipt inventory (that is, the asset has been issued a CMS Asset Tag number/Barcode/Decal Number), it is required to complete\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/form/hhs-22\"\u003eForm HHS-22\u003c/a\u003e. 
This form includes information to support the defined sanitization and disposal actions.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eEquipment testing\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAll CMS sanitization equipment and procedures are tested at least annually to verify they are working as expected. Testing of sanitization equipment and procedures must be conducted by qualified and authorized external entities (e.g., other federal agencies or approved external service providers).\u003c/p\u003e\u003cp dir=\"ltr\"\u003eFor CMS, an approved degausser manufacturer conducts an annual certification following guidelines approved by the National Security Agency.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eNondestructive techniques\u0026nbsp;\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eWhen a portable storage device is initially purchased from a manufacturer or vendor — or when a positive chain of custody for such devices is not available — NIST recommends applying nondestructive sanitization techniques prior to connecting such devices to the system.\u0026nbsp;\u003cstrong\u003eThis is particularly applicable for\u0026nbsp;\u003c/strong\u003e\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\"\u003e\u003cstrong\u003eFIPS 199 HIGH systems\u003c/strong\u003e\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003ePortable storage may contain malicious code that can be transferred to information systems through USB ports or other entry portals. 
While scanning portable storage devices for malicious code is recommended, sanitization provides additional assurance that the devices are free of malicious code.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCMS considers the use of nondestructive sanitization techniques:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrior to initial use after purchase\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhen obtained from an unknown (potentially untrustworthy) source\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhen the organization loses a positive chain of custody\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhen the device was connected to a lower assurance network/system based on\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\"\u003eFIPS 199 security categorization\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eRemote sanitization\u0026nbsp;\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eCMS is required to remotely purge or wipe information on CMS High Value Asset (HVA) systems and components if the HVA or its components are obtained by unauthorized individuals.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eNIST recommends several methods for remote purging or wiping of information:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eOverwriting data or information multiple times\u003c/li\u003e\u003cli dir=\"ltr\"\u003eDestroying the key necessary to decrypt encrypted data\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eFor any remote sanitization method, a strong authentication system should be in place to prevent unauthorized individuals from purging or wiping information, deliberately or accidentally, from an HVA system or component.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eMedia Use\u0026nbsp;\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eGuidelines around Media Use are set up to ensure appropriate use of information system media. 
Safeguards around Media Use can be technical or nontechnical, and they can include policies, procedures, and rules of behavior.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eNIST recommends that organizations employ safeguards such as:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRestricting the use of portable storage devices by using physical cages on workstations to prohibit access to certain external ports\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRemoving the ability to insert, read, or write to such devices\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRestricting the use of portable storage devices based on the type of device (for example, prohibiting those that are writable)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eLimiting the use of portable storage devices to those that are provided by the organization (or by other approved organizations)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eProhibiting the use of portable storage devices that are personally owned\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eAt CMS, Media Use safeguards include:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRestricting the use of certain types of media (such as flash drives or external hard disk drives) on CMS systems\u003c/li\u003e\u003cli dir=\"ltr\"\u003eProhibiting the use of portable storage devices in CMS information systems when such devices have no identifiable owner\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRequiring identifiable owners of removable media that stores sensitive information (such as PII) — so there is accountability for managing the media and responding in the event of a privacy breach\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eHow does Media Use affect me?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eEveryone at CMS should be aware that:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eCMS prohibits the use of\u0026nbsp;\u003cstrong\u003epersonally owned media\u003c/strong\u003e (such as flash drives, hard disk drives, and 
other portable storage devices) on CMS-defined systems or system components.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMS prohibits the use of\u003cstrong\u003e portable storage devices\u003c/strong\u003e in CMS systems when such devices have no identifiable owner (including “unauthorized” devices connected to the GFE or VDI session).\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eWireless devices\u003c/strong\u003e (such as Bluetooth) are not permitted to be used\u0026nbsp;\u003cem\u003eunless you have explicit approval\u003c/em\u003e from the Authorizing Official (AO).\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003ePolicies for Media Use\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe safeguards on Media Use at CMS (described above) are aligned with guidance from the following policies:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS ARS\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"\u003eCMS IS2P2\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-information-security-and-privacy-protection-is2p\"\u003eHHS IS2P\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-mobile-devices-and-removable-media\"\u003eHHS Policy for Mobile Devices and Removable Media\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/hhs-policy-rules-behavior-use-information-it-resources\"\u003eHHS Policy for Rules of Behavior for Use of Information and IT Resources\u003c/a\u003e (This document establishes the acceptable and unacceptable use of desktop/laptop and other information technology resources that are owned, leased, or controlled by 
CMS.)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Downloads/POLICY_DL_WirelessClientAccess.pdf\"\u003eCMS Policy for Wireless Client Access\u003c/a\u003e (This document establishes parameters for the security of wireless access based on acceptable government and private industry standards.)\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}\n1b:{\"self\":\"$1c\"}\n1f:[\"menu_ui\",\"scheduler\"]\n1e:{\"module\":\"$1f\"}\n22:[]\n21:{\"available_menus\":\"$22\",\"parent\":\"\"}\n23:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n20:{\"menu_ui\":\"$21\",\"scheduler\":\"$23\"}\n1d:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$1e\",\"third_party_settings\":\"$20\",\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance 
documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1a:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":\"$1b\",\"attributes\":\"$1d\"}\n26:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}\n25:{\"self\":\"$26\"}\n27:{\"display_name\":\"mburgess\"}\n24:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":\"$25\",\"attributes\":\"$27\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}\n29:{\"self\":\"$2a\"}\n2c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n2b:{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$2c\"}\n30:{\"drupal_internal__target_id\":\"resource_type\"}\n2f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$30\"}\n32:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_typ"])</script><script>self.__next_f.push([1,"e/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"}\n33:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}\n31:{\"related\":\"$32\",\"self\":\"$33\"}\n2e:{\"data\":\"$2f\",\"links\":\"$31\"}\n36:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"}\n37:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}\n
35:{\"related\":\"$36\",\"self\":\"$37\"}\n34:{\"data\":null,\"links\":\"$35\"}\n3e:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n3d:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$3e\"}\n3c:{\"help\":\"$3d\"}\n3b:{\"links\":\"$3c\"}\n3a:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$3b\"}\n39:[\"$3a\"]\n40:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"}\n41:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}\n3f:{\"related\":\"$40\",\"self\":\"$41\"}\n38:{\"data\":\"$39\",\"links\":\"$3f\"}\n2d:{\"vid\":\"$2e\",\"revision_user\":\"$34\",\"parent\":\"$38\"}\n28:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":\"$29\",\"attributes\":\"$2b\",\"relationships\":\"$2d\"}\n44:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n43:{\"self\":\"$44\"}\n46:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n45:{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$46\"}\n4a:{\"drupal_inter"])</script><script>self.__next_f.push([1,"nal__target_id\":\"roles\"}\n49:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$4a\"}\n4c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n4d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n4b:{\"related\":\"$4c\",\"self\":\"$4d\"}\n48:{\"data\":\"$49\",\"links\":\"$4b\"}\n50:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n51:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n4f:{\"related\":\"$50\",\"self\":\"$51\"}\n4e:{\"data\":null,\"links\":\"$4f\"}\n58:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n57:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$58\"}\n56:{\"help\":\"$57\"}\n55:{\"links\":\"$56\"}\n54:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$55\"}\n53:[\"$54\"]\n5a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n5b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n59:{\"related\":\"$5a\",\"self\":\"$5b\"}\n52:{\"data\":\"$53\",\"links\":\"$59\"}\n47:{\"vid\":\"$48\",\"revision_user\":\"$4e\",\"parent\":\"$52\"}\n42:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$43\",\"attributes\":\"$45\",\"relationships\":\"$47\"}\n5e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26?resourceVersion=id%3A81\"}\n5d:{\"self\":\"$5e\"}\n60:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n5f:{\"drupal_internal__tid\":81,\"drupal_internal__revision_id\":81,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:09:11+00:00\",\"status\":true,\"name\":\"Data 
Guardian\",\"description\":null,\"weight"])</script><script>self.__next_f.push([1,"\":0,\"changed\":\"2022-08-02T23:09:11+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$60\"}\n64:{\"drupal_internal__target_id\":\"roles\"}\n63:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$64\"}\n66:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/vid?resourceVersion=id%3A81\"}\n67:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/vid?resourceVersion=id%3A81\"}\n65:{\"related\":\"$66\",\"self\":\"$67\"}\n62:{\"data\":\"$63\",\"links\":\"$65\"}\n6a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/revision_user?resourceVersion=id%3A81\"}\n6b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/revision_user?resourceVersion=id%3A81\"}\n69:{\"related\":\"$6a\",\"self\":\"$6b\"}\n68:{\"data\":null,\"links\":\"$69\"}\n72:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n71:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$72\"}\n70:{\"help\":\"$71\"}\n6f:{\"links\":\"$70\"}\n6e:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$6f\"}\n6d:[\"$6e\"]\n74:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/parent?resourceVersion=id%3A81\"}\n75:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/parent?resourceVersion=id%3A81\"}\n73:{\"related\":\"$74\",\"self\":\"$75\"}\n6c:{\"data\":\"$6d\",\"links\":\"$73\"}\n61:{\"vid\":\"$62\",\"revision_user\":\"$68\",\"parent\":\"$6c\"}\n5c:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"links\":\"$5d\",\"attributes\":\"$5f\",\"relationships\":\"$61\"}\n78:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n77:{\"self\":\"$78\"}\n7a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n79:{\"drupal_internal__tid\":61,\"drupal_internal__revision"])</script><script>self.__next_f.push([1,"_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$7a\"}\n7e:{\"drupal_internal__target_id\":\"roles\"}\n7d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$7e\"}\n80:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n81:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n7f:{\"related\":\"$80\",\"self\":\"$81\"}\n7c:{\"data\":\"$7d\",\"links\":\"$7f\"}\n84:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n85:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n83:{\"related\":\"$84\",\"self\":\"$85\"}\n82:{\"data\":null,\"links\":\"$83\"}\n8c:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n8b:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$8c\"}\n8a:{\"help\":\"$8b\"}\n89:{\"links\":\"$8a\"}\n88:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$89\"}\n87:[\"$88\"]\n8e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n8f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n8d:{\"related\":\"$8e\",\"self\":\"$8f\"}\n86:{\"data\":\"$87\",\"links\":\"$8d\"}\n7b:{\"vid\":\"$7c\",\"revision_user\":\"$82\",\"parent\":\"$86\"}\n76:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$77\",\"attributes\":\"$79\",\"relationships\":\"$7b\"}\n92:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-"])</script><script>self.__next_f.push([1,"af66-7998a3329f34?resourceVersion=id%3A76\"}\n91:{\"self\":\"$92\"}\n94:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n93:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$94\"}\n98:{\"drupal_internal__target_id\":\"roles\"}\n97:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$98\"}\n9a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n9b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n99:{\"related\":\"$9a\",\"self\":\"$9b\"}\n96:{\"data\":\"$97\",\"links\":\"$99\"}\n9e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n9f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n9d:{\"related\":\"$9e\",\"self\":\"$9f\"}\n9c:{\"data\":null,\"links\":\"$9d\"}\na6:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\na5:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$a6\"}\na4:{\"help\":\"$a5\"}\na3:{\"links\":\"$a4\"}\na2:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$a3\"}\na1:[\"$a2\"]\na8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\na9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\na7:{\"related\":\"$a8\",\"self\":\"$a9\"}\na0:{\"data\":\"$a1\",\"links\":\"$a7\"}\n95:{\"vid\":\"$96\",\"revision_user\":\"$9c\",\"parent\":\"$a0\"}\n90:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f3"])</script><script>self.__next_f.push([1,"4\",\"links\":\"$91\",\"attributes\":\"$93\",\"relationships\":\"$95\"}\nac:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\nab:{\"self\":\"$ac\"}\nae:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nad:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System 
Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$ae\"}\nb2:{\"drupal_internal__target_id\":\"roles\"}\nb1:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$b2\"}\nb4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\nb5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\nb3:{\"related\":\"$b4\",\"self\":\"$b5\"}\nb0:{\"data\":\"$b1\",\"links\":\"$b3\"}\nb8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\nb9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\nb7:{\"related\":\"$b8\",\"self\":\"$b9\"}\nb6:{\"data\":null,\"links\":\"$b7\"}\nc0:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nbf:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c0\"}\nbe:{\"help\":\"$bf\"}\nbd:{\"links\":\"$be\"}\nbc:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$bd\"}\nbb:[\"$bc\"]\nc2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\nc3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\nc1:{\"related\":\"$c2\",\"self\":\"$c3\"}\nba:{\"data\":\"$bb\",\"links\":\"$c"])</script><script>self.__next_f.push([1,"1\"}\naf:{\"vid\":\"$b0\",\"revision_user\":\"$b6\",\"parent\":\"$ba\"}\naa:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":\"$ab\",\"attributes\":\"$ad\",\"relationships\":\"$af\"}\nc6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}\nc5:{\"self\":\"$c6\"}\nc8:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nc7:{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 
Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$c8\"}\ncc:{\"drupal_internal__target_id\":\"topics\"}\ncb:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$cc\"}\nce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"}\ncf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}\ncd:{\"related\":\"$ce\",\"self\":\"$cf\"}\nca:{\"data\":\"$cb\",\"links\":\"$cd\"}\nd2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"}\nd3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}\nd1:{\"related\":\"$d2\",\"self\":\"$d3\"}\nd0:{\"data\":null,\"links\":\"$d1\"}\nda:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nd9:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$da\"}\nd8:{\"help\":\"$d9\"}\nd7:{\"links\":\"$d8\"}\nd6:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$d7\"}\nd5:[\"$d6\"]\ndc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"}\ndd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/to"])</script><script>self.__next_f.push([1,"pics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}\ndb:{\"related\":\"$dc\",\"self\":\"$dd\"}\nd4:{\"data\":\"$d5\",\"links\":\"$db\"}\nc9:{\"vid\":\"$ca\",\"revision_user\":\"$d0\",\"parent\":\"$d4\"}\nc4:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":\"$c5\",\"attributes\":\"$c7\",\"relationships\":\"$c9\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--library\",\"id\":\"2789f059-0412-4ea1-9578-0f244aaff387\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/2789f059-0412-4ea1-9578-0f244aaff387?resourceVersion=id%3A5939\"}},\"attributes\":{\"drupal_internal__nid\":1211,\"drupal_internal__vid\":5939,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-14T17:52:56+00:00\",\"status\":true,\"title\":\"CMS Media Protection (MP) 
Handbook\",\"created\":\"2024-09-04T17:06:23+00:00\",\"changed\":\"2024-10-14T17:52:56+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-media-protection-mp-handbook\",\"pid\":1268,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2024-09-04\",\"field_related_resources\":[{\"uri\":\"entity:node/631\",\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"options\":[],\"url\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"},{\"uri\":\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#media-protection-mp\",\"title\":\"Media Protection (MP) in the CMS IS2P2\",\"options\":[],\"url\":\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#media-protection-mp\"},{\"uri\":\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf\",\"title\":\"NIST SP 800-53\",\"options\":[],\"url\":\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf\"}],\"field_short_description\":{\"value\":\"Guidance for protecting physical and digital media at CMS in accordance with requirements from NIST and the CMS Acceptable Risk Safeguards (ARS)\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eGuidance for protecting physical and digital media at CMS in accordance with requirements from NIST and the CMS Acceptable Risk Safeguards 
(ARS)\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/2789f059-0412-4ea1-9578-0f244aaff387/node_type?resourceVersion=id%3A5939\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/2789f059-0412-4ea1-9578-0f244aaff387/relationships/node_type?resourceVersion=id%3A5939\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/2789f059-0412-4ea1-9578-0f244aaff387/revision_uid?resourceVersion=id%3A5939\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/2789f059-0412-4ea1-9578-0f244aaff387/relationships/revision_uid?resourceVersion=id%3A5939\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/2789f059-0412-4ea1-9578-0f244aaff387/uid?resourceVersion=id%3A5939\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/2789f059-0412-4ea1-9578-0f244aaff387/relationships/uid?resourceVersion=id%3A5939\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/2789f059-0412-4ea1-9578-0f244aaff387/field_resource_type?resourceVersion=id%3A5939\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/2789f059-0412-4ea1-9578-0f244aaff387/relationships/field_resource_type?resourceVersion=id%3A5939\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--
roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/2789f059-0412-4ea1-9578-0f244aaff387/field_roles?resourceVersion=id%3A5939\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/2789f059-0412-4ea1-9578-0f244aaff387/relationships/field_roles?resourceVersion=id%3A5939\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/2789f059-0412-4ea1-9578-0f244aaff387/field_topics?resourceVersion=id%3A5939\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/2789f059-0412-4ea1-9578-0f244aaff387/relationships/field_topics?resourceVersion=id%3A5939\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_
past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}},\"attributes\":{\"display_name\":\"mburgess\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}},\"attributes\":{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related
\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26?resourceVersion=id%3A81\"}},\"attributes\":{\"drupal_internal__tid\":81,\"drupal_internal__revision_id\":81,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:09:11+00:00\",\"status\":true,\"name\":\"Data Guardian\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:09:11+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/vid?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/vid?resourceVersion=id%3A81\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/revision_user?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/revision_user?resourceVersion=id%3A81\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/m
odules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/parent?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/parent?resourceVersion=id%3A81\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"
data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/mo
dules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}},\"attributes\":{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}}},\"parent\":{\"data\":[{\
"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}}}}}],\"includedMap\":{\"ab4b0312-f678-40b9-ae06-79025f52ff43\":\"$1a\",\"e352e203-fe9c-47ba-af75-2c7f8302fca8\":\"$24\",\"e3394b9a-cbff-4bad-b68e-c6fad326132e\":\"$28\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$42\",\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\":\"$5c\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$76\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$90\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$aa\",\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\":\"$c4\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"CMS Media Protection (MP) Handbook | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Guidance for protecting physical and digital media at CMS in accordance with requirements from NIST and the CMS Acceptable Risk Safeguards (ARS)\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/policy-guidance/cms-media-protection-mp-handbook\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"CMS Media Protection (MP) Handbook | CMS Information Security \u0026 Privacy 
Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Guidance for protecting physical and digital media at CMS in accordance with requirements from NIST and the CMS Acceptable Risk Safeguards (ARS)\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/policy-guidance/cms-media-protection-mp-handbook\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/policy-guidance/cms-media-protection-mp-handbook/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"CMS Media Protection (MP) Handbook | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Guidance for protecting physical and digital media at CMS in accordance with requirements from NIST and the CMS Acceptable Risk Safeguards (ARS)\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/policy-guidance/cms-media-protection-mp-handbook/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>