publicdata/cms-gov
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
cms-gov/security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step
Scott Williams b906a0e722 Initial commit
2025-02-28 14:41:14 -05:00

1 line
No EOL
241 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>CMS Risk Management Framework (RMF): Monitor Step | CMS Information Security &amp; Privacy Group</title><meta name="description" content="Maintain an ongoing situational awareness about the security and privacy posture of a FISMA system"/><link rel="canonical" href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="CMS Risk Management Framework (RMF): Monitor Step | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="Maintain an ongoing situational awareness about the security and privacy posture of a FISMA system"/><meta property="og:url" content="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step/opengraph-image.jpg?a856d5522b751df7"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="CMS Risk Management Framework (RMF): Monitor Step | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="Maintain an ongoing situational awareness about the security and privacy posture of a FISMA system"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step/opengraph-image.jpg?a856d5522b751df7"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accessibility Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-library undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">CMS Risk Management Framework (RMF): Monitor Step</h1><p class="hero__description">Maintain an ongoing situational awareness about the security and privacy posture of a FISMA system</p><p class="font-sans-2xs line-height-sans-5 margin-bottom-0">Last reviewed<!-- -->: <!-- -->12/5/2024</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8"><section class="resource-collection radius-md padding-y-2 padding-x-3 bg-base-lightest"><h1 class="resource-collection__header h3 margin-top-0 margin-bottom-2">Related Resources</h1><div class="grid-row grid-gap-4"><div class="tablet:grid-col-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/learn/cms-risk-management-framework-rmf">CMS Risk Management Framework (RMF)</a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/learn/national-institute-standards-and-technology-nist">National Institute of Standards and Technology (NIST)</a></div></div></section><section><div class="text-block text-block--theme-library"><h2>What is the Risk Management Framework (RMF)?</h2><p><a href="https://security.cms.gov/learn/national-institute-standards-and-technology-nist">The National Institute of Standards and Technology (NIST)</a> created the RMF to provide a structured, flexible process to manage risk throughout a systems life cycle. Using the RMF process helps CMS authorize and monitor our information systems and keep them safe.</p><p>The RMF is made up of 7 steps:</p><ul><li><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step">Prepare</a></li><li><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-categorize-step">Categorize</a></li><li><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-select-step">Select</a></li><li><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-implement-step">Implement</a></li><li><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-assess-step">Assess</a></li><li><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-authorize-step">Authorize</a></li><li><strong>Monitor</strong> (this step)</li></ul><h2>What is the Monitor Step?</h2><p>The purpose of the Monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.</p><h2>Organizational and System Level Monitor Tasks</h2><p>Organizational level tasks are completed as part of the Information Security and Privacy Program managed by the Office of Information Technology. System level monitor tasks also take into consideration mission/business process concerns.</p><h3>Task M-1 System and environment changes</h3><p>Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. Also, ensure the continuous monitoring process aligns with CMS continuous monitoring strategies.</p><p><strong>Potential Inputs:</strong></p><ul><li>Organizational continuous monitoring strategies for its systems at various levels (organization-wide, mission/business process, and system level)</li><li>Organizational configuration management policy and procedures</li><li>Guidance on how changes to system configurations are managed and controlled</li><li>Organizational policy and procedures for handling unauthorized system changes</li><li>Security and privacy plans</li><li>Configuration change requests and approvals</li><li>System design documentation</li><li>Security and privacy assessment reports</li><li>Plans of action and milestones (POA&amp;Ms)</li><li>Information from automated and manual monitoring tools from across CMS</li></ul><p><strong>Expected Outputs:</strong></p><ul><li>Updated security and privacy plans to reflect any changes in the system or environment that affect security and privacy controls</li><li>Updated POA&amp;Ms indicating the actions required to address security and privacy risks introduced by changes to the system</li><li>Updated security and privacy assessment reports that provide current information on the effectiveness of security and privacy controls after changes</li></ul><p><strong>Discussion:</strong></p><p>CMS has established a <a href="https://security.cms.gov/learn/system-security-and-privacy-plan-sspp">system security and privacy plan (SSPP)</a> program that is a living collection of information that must be updated with any changes to the system, especially when a significant change occurs in the life cycle of the FISMA system.</p><p>To effectively address/track all identified risks/weaknesses the <a href="https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook">CMS Plan of Action and Milestone (POA&amp;M)</a> provides a complete guide to creating, managing, and closing a systems POA&amp;M.</p><p>CMS leverages the <a href="https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Mitigation (CDM)</a> program to aid in strengthening the cybersecurity of government networks and systems by providing automated scanning and analysis of risk. The CDM sensors automate identification of known cyber vulnerabilities, and then send that information to analytics tools to create dashboards that alert system managers about risks for remediation, report security/privacy posture to CMS and share aggregated information at the federal level.</p><p>The <a href="https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic">CMS Cybersecurity Integration Center (CCIC)</a> uses data to address incidents through risk management and monitoring activities across CMS. <a href="https://security.cms.gov/learn/cyber-risk-reports">Cyber Risk Reporting</a> provides reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats. Ad hoc risk reviews are programs and tools used to monitor the system.</p><p>Finally, the CMS <a href="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap">Cybersecurity and Risk Assessment Program (CSRAP)</a> provides current information on the effectiveness of security and privacy controls after changes.</p><p>Some of the roles with responsibilities tied to Task M-1 include the System Owner (SO), Common Control Provider, Senior Agency Information Security Officer, Senior Agency Official for Privacy, and Security Control Assessors (SCA).</p><p>For additional information on the roles and responsibilities visit the <a href="https://csrc.nist.gov/csrc/media/Projects/risk-management/documents/Additional%20Resources/NIST%20RMF%20Roles%20and%20Responsibilities%20Crosswalk.pdf">NIST RMF roles and responsibilities crosswalk</a>.</p><p><strong>Cybersecurity Framework:</strong> DE.CM; ID.GV</p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task M-2: Ongoing assessments</h3><p>Assess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy. To ensure the controls remain effective over time against evolving threats and changes within the system and its environment.</p><p><strong>Potential Inputs:</strong></p><ul><li>Organizational continuous monitoring strategy</li><li>System level continuous monitoring strategy (if applicable)</li><li>Security and privacy plans</li><li>Security and privacy assessment reports</li><li>POA&amp;Ms</li><li>Information from automated and manual monitoring tools</li><li>Organization- and system-level risk assessment results</li><li>External assessment or audit results (if applicable)</li></ul><p><strong>Expected Outputs:</strong></p><ul><li>Updated security and privacy assessment reports to reflect the findings of the ongoing assessments, including any changes in control effectiveness and recommendations for improvement</li><li>List of updated POA&amp;Ms to document the action plans for addressing identified control weaknesses, including timelines and responsibilities</li></ul><p><strong>Discussion:</strong></p><p>The <a href="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap">Cybersecurity and Risk Assessment Program (CSRAP)</a> is available for System/Business Owners to meet the current requirements of the <a href="https://security.cms.gov/learn/authorization-operate-ato">ATO process</a> and the testing control requirements described in the <a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS)</a>.</p><p dir="ltr">CSRAP is a security and risk assessment framework that facilitates and encourages risk-based decision-making for FISMA systems at CMS. It supersedes the Adaptive Capabilities Testing (ACT) Program as the primary input to the Authority to Operate (ATO) process.&nbsp;</p><p>The <a href="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap#risk-assessment">Risk Assessment</a> component of the CSRAP pulls relevant data from previous and ongoing audits and assessments, as well as data available from the Continuous Diagnostics and Mitigation (CDM) program of the <a href="https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic">CMS Cybersecurity Integration Center (CCIC)</a>. CSRAP is data-driven and focuses on how to manage risk effectively and gives system teams a clearer picture of their overall risk.</p><p>To schedule an assessment, contact the CSRAP team at <a href="mailto:CSRAP@cms.hhs.gov">CSRAP@cms.hhs.gov</a></p><p>Some of the roles with responsibilities tied to Task M-2 include the Security Control Accessor (SCA), System Owner/Common Control Provider, Authorizing Official (AO), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).</p><p><strong>Cybersecurity Framework:</strong> ID.SC-4</p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task M-3: Ongoing risk response</h3><p>Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in the POA&amp;Ms. To ensure timely and effective risk response actions and to manage risks dynamically, such that it reflects changes in the threat landscape, system vulnerabilities, and organizational risk tolerance.</p><p><strong>Potential Inputs:</strong></p><ul><li>Security and privacy assessment reports, with detailed findings on the effectiveness of implemented controls and any identified vulnerabilities</li><li>Organization- and system-level risk assessment results</li><li>Security and privacy plans documenting existing security and privacy controls and the rationale for their selection</li><li>POA&amp;Ms</li></ul><p><strong>Expected Outputs:</strong></p><ul><li>Mitigation actions or risk acceptance decisions documenting the chosen risk response for each identified risk, including detailed plans for mitigation actions or formal acceptance of the risk</li><li>Updated security and privacy assessment reports reflecting the reassessment of risks following the implementation of mitigation actions or changes in the risk environment</li><li>Updated POA&amp;M reflecting progress on mitigation actions, including any completed tasks and adjustments to remaining actions based on ongoing risk analysis</li></ul><p><strong>Discussion:</strong></p><p>The CMS <a href="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap">CSRAP</a> and <a href="https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic">CCIC</a> teams maintain an adaptive security and privacy posture that responds effectively to new and evolving risks. They ensure that CMS's operations and assets, as well as individual privacy, are adequately protected. This provides system teams with an updated security and privacy assessment posture.</p><p>CMS recommends that system teams not use the security assessment report template, and instead encourages them to work with their assessment teams like CSRAP to manage the security assessments and reports required for their systems.</p><p>The CSRAP validates PO&amp;AMs that were closed since the last assessment including any previous risk/security assessment as part of its assessment process.</p><p>A CSRAP risk assessment report divides risks into three categories:</p><ul><li><strong>Inherent risks</strong> (risks arise directly from unmitigated findings, including open POA&amp;Ms)</li><li><strong>Residual risks</strong> (risks arise indirectly from already mitigated findings or from some source other than technical findings)</li><li><strong>Inherited risks</strong> (risks exist because security controls are inherited from another system)</li></ul><p>Some of the roles with responsibilities tied to Task M-3 include the Authorizing Official (AO), System Owner (SO), Common Control Provider, Security Control Accessor (SCA), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).</p><p><strong>Cybersecurity Framework:</strong> RS.AN</p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task M-4: Authorization package updates</h3><p>Update key artifacts such as security and privacy plans, assessment reports, and POA&amp;Ms based on the results of the continuous monitoring process to ensure that the authorization package remains current and accurately reflects the security and privacy posture of the information system throughout its lifecycle. To enable decision-makers to have the necessary information to make informed risk management decisions.</p><p><strong>Potential Inputs:</strong></p><ul><li>Security and privacy assessment reports</li><li>Organization- and system-level risk assessment results</li><li>Security and privacy plans</li><li>POA&amp;Ms with documented planned remediation activities</li><li>Configuration change requests or approvals</li><li>System design documentation with a record of approved changes to the system and its environment</li></ul><p><strong>Expected Outputs:</strong></p><ul><li>Updated security and privacy assessment reports incorporating the results of continuous monitoring and any reassessments of control effectiveness, to provide a current view of the system's security and privacy posture</li><li>Updated POA&amp;Ms documenting the progress on remediation efforts and any changes to planned actions based on ongoing risk assessments and monitoring activities</li><li>Updated risk assessment results reflecting the current risk posture of the system and any changes in risk levels due to the implementation of mitigation strategies, changes in the threat landscape, or other factors</li><li>Updated security and privacy plans reflecting any modifications/changes to the security and privacy controls, the threat environment, or other factors affecting the security and privacy posture of the system</li></ul><p><strong>Discussion:</strong></p><p>An Authorization Package is the collection of documentation put together by the Business Owner (BO) and their team as evidence that the system has been designed, built, tested, assessed, and categorized appropriately to meet <a href="https://security.cms.gov/learn/authorization-operate-ato">CMS ATO requirements</a>.</p><p>The CMS CSRAP team provides a plain-language security and privacy assessment report from multiple data sources that quickly informs the system team about the system's overall health. The report focuses on high-level system security capabilities providing the most information possible about overall system risk. This allows the system team to make future decisions based on risk, instead of performing compliance tasks only at set intervals.</p><p><a href="https://security.cms.gov/learn/plan-action-and-milestones-poam">CMS POA&amp;M standards</a> align with the HHS POA&amp;M standards to ensure effective and timely remediation of critical and high vulnerabilities. After positive identification, all findings and weaknesses must be documented in a POA&amp;M, reported to HHS, and remediated within specific timelines.</p><p>CMS has added the <a href="https://security.cms.gov/posts/cfacts-update-new-features-generating-caat-files-cfacts">CMS Assessment and Audit Tracking (CAAT)</a> and POA&amp;M supporting guidance matrices in the CAAT supporting guidance section in the POA&amp;M within CFACTS to make the process more efficient.</p><p>CMS considers the SSPP as a living collection of information that must be updated with any changes to the system, especially when a significant change occurs in the life cycle of the FISMA system.</p><p>CMS ensures that information needed for oversight, management, and auditing purposes is not modified or destroyed when updating security and privacy plans, assessment reports, and POA&amp;Ms.</p><p>Please see the <a href="https://security.cms.gov/learn/authorization-operate-ato">ATO page</a> for the ATO process (including stakeholders and their responsibilities) and see the <a href="https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-activities">CMS Information System Security Officer (ISSO) Handbook</a> for the full list of NIST approved Authorization package documents.</p><p>For additional information please contact the <a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov.</a></p><p>Some of the roles with responsibilities tied to Task M-4 include the System Owner (SO), Common Control Provider, Security Control Assessor (SCA), Authorizing Official (AO) or Authorizing Official Designated Representative (AODR), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).</p><p><strong>Cybersecurity Framework:</strong> RS.IM</p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task M-5: Security and privacy reporting</h3><p>Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy. To ensure that these key figures have ongoing visibility into the systems security and privacy status, enabling them to make informed decisions about risk management, resource allocation, and strategic planning.</p><p><strong>Potential Inputs:</strong></p><ul><li>Security and privacy assessment reports</li><li>List of POA&amp;M actions planned or in progress to address identified security and privacy weaknesses</li><li>Organization- and system-level risk assessment results</li><li>Organization- and system-level continuous monitoring strategies</li><li>Security and privacy plans</li><li>Cybersecurity Framework Profile outlining CMSs cybersecurity goals and the standards, guidelines, and practices they have chosen to achieve those goals.</li></ul><p><strong>Expected Outputs:</strong></p><ul><li>Security and privacy posture reports that summarize the system's security and privacy status, including the effectiveness of controls, any identified vulnerabilities, and the progress of remediation efforts. The reports should highlight changes in the security and privacy posture since the last reporting period, providing a clear and up-to-date picture of the system's risk profile.</li><li>List of updated POA&amp;Ms reflecting the latest progress on remediation efforts, including any newly completed actions and adjustments to ongoing or planned activities based on recent findings or changes in the risk landscape</li></ul><p><strong>Discussion:</strong></p><p><a href="https://security.cms.gov/learn/cyber-risk-reports">Cyber Risk Reports</a> are provided monthly by Information Security and Privacy Group (ISPG) to communicate cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) systems. These reports help Business and System Owners make risk-based decisions and prioritize risk remediation activities at the system level. The Cyber Risk Reports are sent to all component leadership, including Business Owners (such as ISSOs and CRAs) and to CMS Senior Leadership (such as the COO, CISO, and CIO).</p><p>CMS also provides ISSO Reports, a specific kind of Cyber Risk Report that helps ISSOs identify security and privacy risks (along with ways to mitigate them) for their systems. These reports make it easier to spot things like overdue POA&amp;Ms, expiring Contingency Plans, and other areas where ISSOs need to take action.</p><p>CMS has established the <a href="https://security.cms.gov/learn/isso-service">ISSO As A Service</a> program that provides skilled ISSOs to CMS components who can help ensure adequate information security across all CMS components and systems. Including, communicating with CMS Business Owners (BO) and senior leadership on insights about potential security risks and mitigation strategies.</p><p>Some of the roles with responsibilities tied to Task M-5 include the System Owner (SO), Common Control Provider, Senior Agency Information Security Officer (SAISO), Senior Agency Official for Privacy (SAOP), and Authorizing Official (AO).</p><p><strong>Cybersecurity Framework:</strong> N/A</p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task M-6: Ongoing authorization</h3><p>Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable as defined by organizational policies and thresholds.</p><p><strong>Potential Inputs:</strong></p><ul><li>Risk tolerance defining CMSs acceptable level of risk</li><li>Security and privacy posture reports</li><li>POA&amp;Ms</li><li>Organization- and system-level risk assessment results</li><li>Security and privacy plans</li></ul><p><strong>Expected Outputs:</strong></p><ul><li>Determination of risk: a formal decision document that articulates whether the system's risk posture is within the organization's risk tolerance</li><li>Ongoing authorization to operate a formal declaration that the system continues to operate within acceptable risk levels, including any conditions or restrictions</li><li>Ongoing authorization to use</li><li>Ongoing common control authorization</li><li>Denial of ongoing authorization to operate if applicable<ul><li>Formal notification that the system's authorization to operate is denied due to unacceptable risk levels, including recommendations for risk mitigation or system decommissioning; denial of ongoing authorization to use, denial of ongoing common control authorization</li></ul></li></ul><p><strong>Discussion:</strong></p><p>CMS implements an <a href="https://security.cms.gov/learn/ongoing-authorization-oa">Ongoing Authorization (OA) program</a> that defines the scope of a particular system that can be continuously managed and monitored. With ongoing authorization, system controls are constantly evaluated and tested to spot vulnerabilities.</p><p>This allows System and Business owners to make risk-based decisions quickly and confidently and engage in remediation efforts to minimize ongoing exposures.</p><p>To be eligible for OA, systems must leverage the latest control automation tools.</p><p>Additionally, all Continuous Diagnostics and Mitigation (CDM) tools must be implemented and tracking the system's hardware (HWAM), software (SWAM), and vulnerability (VUL).</p><p>Some of the roles with responsibilities tied to Task M-6 include the Authorizing Official (AO), System Owner (SO), Security Control Assessor (SCA), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).</p><p><strong>Cybersecurity Framework: N/A</strong></p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task M-7: System disposal</h3><p>Implement a system disposal strategy and execute required actions when a system is removed from operation. The goal is to mitigate any potential security and privacy risks associated with the disposal process, such as unauthorized access to sensitive data or the reuse of compromised components.</p><p><strong>Potential Inputs:</strong></p><ul><li>Security and privacy plans important for identifying specific disposal requirements or considerations related to the controls that were in place</li><li>Organization- and system-level risk assessment results to highlight any potential risks that could be exacerbated by the disposal process</li><li>System component inventory: a detailed inventory of all system components, including hardware and software<ul><li>System component inventory is essential for ensuring that all components are accounted for during the disposal process and that secure disposal methods are applied appropriately</li></ul></li></ul><p><strong>Expected Outputs:</strong></p><ul><li>Disposal strategy: a document or set of documents outlining the planned approach for securely disposing of the system and its components</li><li>Updated system component inventory, reflecting the removal of disposed components from the organization's asset inventory</li><li>Updated security and privacy plans that indicate that the system has been decommissioned and is no longer in operation</li><li>Disposal records providing detailed records of the disposal process for each component of the system, including methods of data sanitization and the final disposition of hardware</li></ul><p><strong>Discussion:</strong></p><p>At CMS, system disposal is managed by the Records and Information Management (RIM) Program within the Office of Strategic Operations and Regulatory Affairs (OSORA).</p><p>RIM leverages the Cross-Reference Tool (CRT). CRT documents CMS IT Systems Record schedules and retention periods and tracks those IT Systems statuses and records/data dispositions.</p><p>Business Owners of active CMS IT systems receive an email from the CRT Tool with the Annual Notification of Eligibility for Disposal.</p><p>Please contact the RIM Team in OSORA for further guidance at <a href="mailto:Records_Retention@cms.hhs.gov">Records_Retention@cms.hhs.gov</a> and see the <a href="https://cmsintranet.share.cms.gov/JT/Documents/CMS%20RM%20Policy20210103Final.pdf#search=rim">CMS RIM Policy.</a></p><p>Some of the roles with responsibilities tied to Task M-7 include the System Owner (SO), Information Owner or Steward, System Security Officer, System Privacy Officer, Senior Accountable Official for Risk Management or Risk Executive (Function), Senior Agency Information Security Officer and Senior Agency Official for Privacy (SAOP).</p><p><strong>Cybersecurity Framework: N/A</strong></p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><p>&nbsp;</p></div></section></div></div></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"cms-risk-management-framework-rmf-monitor-step\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"policy-guidance\",\"cms-risk-management-framework-rmf-monitor-step\"],\"initialTree\":[\"\",{\"children\":[\"policy-guidance\",{\"children\":[[\"slug\",\"cms-risk-management-framework-rmf-monitor-step\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"policy-guidance\",{\"children\":[[\"slug\",\"cms-risk-management-framework-rmf-monitor-step\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"policy-guidance\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"policy-guidance\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[3055,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"907\",\"static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js\"],\"default\"]\n18:T6abe,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the Risk Management Framework (RMF)?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist\"\u003eThe National Institute of Standards and Technology (NIST)\u003c/a\u003e created the RMF to provide a structured, flexible process to manage risk throughout a systems life cycle. Using the RMF process helps CMS authorize and monitor our information systems and keep them safe.\u003c/p\u003e\u003cp\u003eThe RMF is made up of 7 steps:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step\"\u003ePrepare\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-categorize-step\"\u003eCategorize\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-select-step\"\u003eSelect\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-implement-step\"\u003eImplement\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-assess-step\"\u003eAssess\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-authorize-step\"\u003eAuthorize\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMonitor\u003c/strong\u003e (this step)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWhat is the Monitor Step?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of the Monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eOrganizational and System Level Monitor Tasks\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eOrganizational level tasks are completed as part of the Information Security and Privacy Program managed by the Office of Information Technology. System level monitor tasks also take into consideration mission/business process concerns.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask M-1 System and environment changes\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eMonitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. Also, ensure the continuous monitoring process aligns with CMS continuous monitoring strategies.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential Inputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOrganizational continuous monitoring strategies for its systems at various levels (organization-wide, mission/business process, and system level)\u003c/li\u003e\u003cli\u003eOrganizational configuration management policy and procedures\u003c/li\u003e\u003cli\u003eGuidance on how changes to system configurations are managed and controlled\u003c/li\u003e\u003cli\u003eOrganizational policy and procedures for handling unauthorized system changes\u003c/li\u003e\u003cli\u003eSecurity and privacy plans\u003c/li\u003e\u003cli\u003eConfiguration change requests and approvals\u003c/li\u003e\u003cli\u003eSystem design documentation\u003c/li\u003e\u003cli\u003eSecurity and privacy assessment reports\u003c/li\u003e\u003cli\u003ePlans of action and milestones (POA\u0026amp;Ms)\u003c/li\u003e\u003cli\u003eInformation from automated and manual monitoring tools from across CMS\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected Outputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdated security and privacy plans to reflect any changes in the system or environment that affect security and privacy controls\u003c/li\u003e\u003cli\u003eUpdated POA\u0026amp;Ms indicating the actions required to address security and privacy risks introduced by changes to the system\u003c/li\u003e\u003cli\u003eUpdated security and privacy assessment reports that provide current information on the effectiveness of security and privacy controls after changes\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCMS has established a \u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003esystem security and privacy plan (SSPP)\u003c/a\u003e program that is a living collection of information that must be updated with any changes to the system, especially when a significant change occurs in the life cycle of the FISMA system.\u003c/p\u003e\u003cp\u003eTo effectively address/track all identified risks/weaknesses the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"\u003eCMS Plan of Action and Milestone (POA\u0026amp;M)\u003c/a\u003e provides a complete guide to creating, managing, and closing a systems POA\u0026amp;M.\u003c/p\u003e\u003cp\u003eCMS leverages the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e program to aid in strengthening the cybersecurity of government networks and systems by providing automated scanning and analysis of risk. The CDM sensors automate identification of known cyber vulnerabilities, and then send that information to analytics tools to create dashboards that alert system managers about risks for remediation, report security/privacy posture to CMS and share aggregated information at the federal level.\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Integration Center (CCIC)\u003c/a\u003e uses data to address incidents through risk management and monitoring activities across CMS. \u003ca href=\"https://security.cms.gov/learn/cyber-risk-reports\"\u003eCyber Risk Reporting\u003c/a\u003e provides reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats. Ad hoc risk reviews are programs and tools used to monitor the system.\u003c/p\u003e\u003cp\u003eFinally, the CMS \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e provides current information on the effectiveness of security and privacy controls after changes.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task M-1 include the System Owner (SO), Common Control Provider, Senior Agency Information Security Officer, Senior Agency Official for Privacy, and Security Control Assessors (SCA).\u003c/p\u003e\u003cp\u003eFor additional information on the roles and responsibilities visit the \u003ca href=\"https://csrc.nist.gov/csrc/media/Projects/risk-management/documents/Additional%20Resources/NIST%20RMF%20Roles%20and%20Responsibilities%20Crosswalk.pdf\"\u003eNIST RMF roles and responsibilities crosswalk\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e DE.CM; ID.GV\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask M-2: Ongoing assessments\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAssess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy. To ensure the controls remain effective over time against evolving threats and changes within the system and its environment.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential Inputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOrganizational continuous monitoring strategy\u003c/li\u003e\u003cli\u003eSystem level continuous monitoring strategy (if applicable)\u003c/li\u003e\u003cli\u003eSecurity and privacy plans\u003c/li\u003e\u003cli\u003eSecurity and privacy assessment reports\u003c/li\u003e\u003cli\u003ePOA\u0026amp;Ms\u003c/li\u003e\u003cli\u003eInformation from automated and manual monitoring tools\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eExternal assessment or audit results (if applicable)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected Outputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdated security and privacy assessment reports to reflect the findings of the ongoing assessments, including any changes in control effectiveness and recommendations for improvement\u003c/li\u003e\u003cli\u003eList of updated POA\u0026amp;Ms to document the action plans for addressing identified control weaknesses, including timelines and responsibilities\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e is available for System/Business Owners to meet the current requirements of the \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eATO process\u003c/a\u003e and the testing control requirements described in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCSRAP is a security and risk assessment framework that facilitates and encourages risk-based decision-making for FISMA systems at CMS. It supersedes the Adaptive Capabilities Testing (ACT) Program as the primary input to the Authority to Operate (ATO) process.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap#risk-assessment\"\u003eRisk Assessment\u003c/a\u003e component of the CSRAP pulls relevant data from previous and ongoing audits and assessments, as well as data available from the Continuous Diagnostics and Mitigation (CDM) program of the \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Integration Center (CCIC)\u003c/a\u003e. CSRAP is data-driven and focuses on how to manage risk effectively and gives system teams a clearer picture of their overall risk.\u003c/p\u003e\u003cp\u003eTo schedule an assessment, contact the CSRAP team at \u003ca href=\"mailto:CSRAP@cms.hhs.gov\"\u003eCSRAP@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task M-2 include the Security Control Accessor (SCA), System Owner/Common Control Provider, Authorizing Official (AO), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.SC-4\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask M-3: Ongoing risk response\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eRespond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in the POA\u0026amp;Ms. To ensure timely and effective risk response actions and to manage risks dynamically, such that it reflects changes in the threat landscape, system vulnerabilities, and organizational risk tolerance.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential Inputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity and privacy assessment reports, with detailed findings on the effectiveness of implemented controls and any identified vulnerabilities\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eSecurity and privacy plans documenting existing security and privacy controls and the rationale for their selection\u003c/li\u003e\u003cli\u003ePOA\u0026amp;Ms\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected Outputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eMitigation actions or risk acceptance decisions documenting the chosen risk response for each identified risk, including detailed plans for mitigation actions or formal acceptance of the risk\u003c/li\u003e\u003cli\u003eUpdated security and privacy assessment reports reflecting the reassessment of risks following the implementation of mitigation actions or changes in the risk environment\u003c/li\u003e\u003cli\u003eUpdated POA\u0026amp;M reflecting progress on mitigation actions, including any completed tasks and adjustments to remaining actions based on ongoing risk analysis\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CMS \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCSRAP\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCCIC\u003c/a\u003e teams maintain an adaptive security and privacy posture that responds effectively to new and evolving risks. They ensure that CMS's operations and assets, as well as individual privacy, are adequately protected. This provides system teams with an updated security and privacy assessment posture.\u003c/p\u003e\u003cp\u003eCMS recommends that system teams not use the security assessment report template, and instead encourages them to work with their assessment teams like CSRAP to manage the security assessments and reports required for their systems.\u003c/p\u003e\u003cp\u003eThe CSRAP validates PO\u0026amp;AMs that were closed since the last assessment including any previous risk/security assessment as part of its assessment process.\u003c/p\u003e\u003cp\u003eA CSRAP risk assessment report divides risks into three categories:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eInherent risks\u003c/strong\u003e (risks arise directly from unmitigated findings, including open POA\u0026amp;Ms)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eResidual risks\u003c/strong\u003e (risks arise indirectly from already mitigated findings or from some source other than technical findings)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eInherited risks\u003c/strong\u003e (risks exist because security controls are inherited from another system)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task M-3 include the Authorizing Official (AO), System Owner (SO), Common Control Provider, Security Control Accessor (SCA), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e RS.AN\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask M-4: Authorization package updates\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eUpdate key artifacts such as security and privacy plans, assessment reports, and POA\u0026amp;Ms based on the results of the continuous monitoring process to ensure that the authorization package remains current and accurately reflects the security and privacy posture of the information system throughout its lifecycle. To enable decision-makers to have the necessary information to make informed risk management decisions.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential Inputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity and privacy assessment reports\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eSecurity and privacy plans\u003c/li\u003e\u003cli\u003ePOA\u0026amp;Ms with documented planned remediation activities\u003c/li\u003e\u003cli\u003eConfiguration change requests or approvals\u003c/li\u003e\u003cli\u003eSystem design documentation with a record of approved changes to the system and its environment\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected Outputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdated security and privacy assessment reports incorporating the results of continuous monitoring and any reassessments of control effectiveness, to provide a current view of the system's security and privacy posture\u003c/li\u003e\u003cli\u003eUpdated POA\u0026amp;Ms documenting the progress on remediation efforts and any changes to planned actions based on ongoing risk assessments and monitoring activities\u003c/li\u003e\u003cli\u003eUpdated risk assessment results reflecting the current risk posture of the system and any changes in risk levels due to the implementation of mitigation strategies, changes in the threat landscape, or other factors\u003c/li\u003e\u003cli\u003eUpdated security and privacy plans reflecting any modifications/changes to the security and privacy controls, the threat environment, or other factors affecting the security and privacy posture of the system\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAn Authorization Package is the collection of documentation put together by the Business Owner (BO) and their team as evidence that the system has been designed, built, tested, assessed, and categorized appropriately to meet \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eCMS ATO requirements\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe CMS CSRAP team provides a plain-language security and privacy assessment report from multiple data sources that quickly informs the system team about the system's overall health. The report focuses on high-level system security capabilities providing the most information possible about overall system risk. This allows the system team to make future decisions based on risk, instead of performing compliance tasks only at set intervals.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003eCMS POA\u0026amp;M standards\u003c/a\u003e align with the HHS POA\u0026amp;M standards to ensure effective and timely remediation of critical and high vulnerabilities. After positive identification, all findings and weaknesses must be documented in a POA\u0026amp;M, reported to HHS, and remediated within specific timelines.\u003c/p\u003e\u003cp\u003eCMS has added the \u003ca href=\"https://security.cms.gov/posts/cfacts-update-new-features-generating-caat-files-cfacts\"\u003eCMS Assessment and Audit Tracking (CAAT)\u003c/a\u003e and POA\u0026amp;M supporting guidance matrices in the CAAT supporting guidance section in the POA\u0026amp;M within CFACTS to make the process more efficient.\u003c/p\u003e\u003cp\u003eCMS considers the SSPP as a living collection of information that must be updated with any changes to the system, especially when a significant change occurs in the life cycle of the FISMA system.\u003c/p\u003e\u003cp\u003eCMS ensures that information needed for oversight, management, and auditing purposes is not modified or destroyed when updating security and privacy plans, assessment reports, and POA\u0026amp;Ms.\u003c/p\u003e\u003cp\u003ePlease see the \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eATO page\u003c/a\u003e for the ATO process (including stakeholders and their responsibilities) and see the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-activities\"\u003eCMS Information System Security Officer (ISSO) Handbook\u003c/a\u003e for the full list of NIST approved Authorization package documents.\u003c/p\u003e\u003cp\u003eFor additional information please contact the \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov.\u003c/a\u003e\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task M-4 include the System Owner (SO), Common Control Provider, Security Control Assessor (SCA), Authorizing Official (AO) or Authorizing Official Designated Representative (AODR), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e RS.IM\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask M-5: Security and privacy reporting\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eReport the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy. To ensure that these key figures have ongoing visibility into the systems security and privacy status, enabling them to make informed decisions about risk management, resource allocation, and strategic planning.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential Inputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity and privacy assessment reports\u003c/li\u003e\u003cli\u003eList of POA\u0026amp;M actions planned or in progress to address identified security and privacy weaknesses\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eOrganization- and system-level continuous monitoring strategies\u003c/li\u003e\u003cli\u003eSecurity and privacy plans\u003c/li\u003e\u003cli\u003eCybersecurity Framework Profile outlining CMSs cybersecurity goals and the standards, guidelines, and practices they have chosen to achieve those goals.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected Outputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity and privacy posture reports that summarize the system's security and privacy status, including the effectiveness of controls, any identified vulnerabilities, and the progress of remediation efforts. The reports should highlight changes in the security and privacy posture since the last reporting period, providing a clear and up-to-date picture of the system's risk profile.\u003c/li\u003e\u003cli\u003eList of updated POA\u0026amp;Ms reflecting the latest progress on remediation efforts, including any newly completed actions and adjustments to ongoing or planned activities based on recent findings or changes in the risk landscape\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/cyber-risk-reports\"\u003eCyber Risk Reports\u003c/a\u003e are provided monthly by Information Security and Privacy Group (ISPG) to communicate cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) systems. These reports help Business and System Owners make risk-based decisions and prioritize risk remediation activities at the system level. The Cyber Risk Reports are sent to all component leadership, including Business Owners (such as ISSOs and CRAs) and to CMS Senior Leadership (such as the COO, CISO, and CIO).\u003c/p\u003e\u003cp\u003eCMS also provides ISSO Reports, a specific kind of Cyber Risk Report that helps ISSOs identify security and privacy risks (along with ways to mitigate them) for their systems. These reports make it easier to spot things like overdue POA\u0026amp;Ms, expiring Contingency Plans, and other areas where ISSOs need to take action.\u003c/p\u003e\u003cp\u003eCMS has established the \u003ca href=\"https://security.cms.gov/learn/isso-service\"\u003eISSO As A Service\u003c/a\u003e program that provides skilled ISSOs to CMS components who can help ensure adequate information security across all CMS components and systems. Including, communicating with CMS Business Owners (BO) and senior leadership on insights about potential security risks and mitigation strategies.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task M-5 include the System Owner (SO), Common Control Provider, Senior Agency Information Security Officer (SAISO), Senior Agency Official for Privacy (SAOP), and Authorizing Official (AO).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e N/A\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask M-6: Ongoing authorization\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eReview the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable as defined by organizational policies and thresholds.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential Inputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eRisk tolerance defining CMSs acceptable level of risk\u003c/li\u003e\u003cli\u003eSecurity and privacy posture reports\u003c/li\u003e\u003cli\u003ePOA\u0026amp;Ms\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eSecurity and privacy plans\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected Outputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDetermination of risk: a formal decision document that articulates whether the system's risk posture is within the organization's risk tolerance\u003c/li\u003e\u003cli\u003eOngoing authorization to operate a formal declaration that the system continues to operate within acceptable risk levels, including any conditions or restrictions\u003c/li\u003e\u003cli\u003eOngoing authorization to use\u003c/li\u003e\u003cli\u003eOngoing common control authorization\u003c/li\u003e\u003cli\u003eDenial of ongoing authorization to operate if applicable\u003cul\u003e\u003cli\u003eFormal notification that the system's authorization to operate is denied due to unacceptable risk levels, including recommendations for risk mitigation or system decommissioning; denial of ongoing authorization to use, denial of ongoing common control authorization\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCMS implements an \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA) program\u003c/a\u003e that defines the scope of a particular system that can be continuously managed and monitored. With ongoing authorization, system controls are constantly evaluated and tested to spot vulnerabilities.\u003c/p\u003e\u003cp\u003eThis allows System and Business owners to make risk-based decisions quickly and confidently and engage in remediation efforts to minimize ongoing exposures.\u003c/p\u003e\u003cp\u003eTo be eligible for OA, systems must leverage the latest control automation tools.\u003c/p\u003e\u003cp\u003eAdditionally, all Continuous Diagnostics and Mitigation (CDM) tools must be implemented and tracking the system's hardware (HWAM), software (SWAM), and vulnerability (VUL).\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task M-6 include the Authorizing Official (AO), System Owner (SO), Security Control Assessor (SCA), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework: N/A\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask M-7: System disposal\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eImplement a system disposal strategy and execute required actions when a system is removed from operation. The goal is to mitigate any potential security and privacy risks associated with the disposal process, such as unauthorized access to sensitive data or the reuse of compromised components.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential Inputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity and privacy plans important for identifying specific disposal requirements or considerations related to the controls that were in place\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results to highlight any potential risks that could be exacerbated by the disposal process\u003c/li\u003e\u003cli\u003eSystem component inventory: a detailed inventory of all system components, including hardware and software\u003cul\u003e\u003cli\u003eSystem component inventory is essential for ensuring that all components are accounted for during the disposal process and that secure disposal methods are applied appropriately\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected Outputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDisposal strategy: a document or set of documents outlining the planned approach for securely disposing of the system and its components\u003c/li\u003e\u003cli\u003eUpdated system component inventory, reflecting the removal of disposed components from the organization's asset inventory\u003c/li\u003e\u003cli\u003eUpdated security and privacy plans that indicate that the system has been decommissioned and is no longer in operation\u003c/li\u003e\u003cli\u003eDisposal records providing detailed records of the disposal process for each component of the system, including methods of data sanitization and the final disposition of hardware\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAt CMS, system disposal is managed by the Records and Information Management (RIM) Program within the Office of Strategic Operations and Regulatory Affairs (OSORA).\u003c/p\u003e\u003cp\u003eRIM leverages the Cross-Reference Tool (CRT). CRT documents CMS IT Systems Record schedules and retention periods and tracks those IT Systems statuses and records/data dispositions.\u003c/p\u003e\u003cp\u003eBusiness Owners of active CMS IT systems receive an email from the CRT Tool with the Annual Notification of Eligibility for Disposal.\u003c/p\u003e\u003cp\u003ePlease contact the RIM Team in OSORA for further guidance at \u003ca href=\"mailto:Records_Retention@cms.hhs.gov\"\u003eRecords_Retention@cms.hhs.gov\u003c/a\u003e and see the \u003ca href=\"https://cmsintranet.share.cms.gov/JT/Documents/CMS%20RM%20Policy20210103Final.pdf#search=rim\"\u003eCMS RIM Policy.\u003c/a\u003e\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task M-7 include the System Owner (SO), Information Owner or Steward, System Security Officer, System Privacy Officer, Senior Accountable Official for Risk Management or Risk Executive (Function), Senior Agency Information Security Officer and Senior Agency Official for Privacy (SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework: N/A\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:T6abe,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the Risk Management Framework (RMF)?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist\"\u003eThe National Institute of Standards and Technology (NIST)\u003c/a\u003e created the RMF to provide a structured, flexible process to manage risk throughout a systems life cycle. Using the RMF process helps CMS authorize and monitor our information systems and keep them safe.\u003c/p\u003e\u003cp\u003eThe RMF is made up of 7 steps:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step\"\u003ePrepare\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-categorize-step\"\u003eCategorize\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-select-step\"\u003eSelect\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-implement-step\"\u003eImplement\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-assess-step\"\u003eAssess\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-authorize-step\"\u003eAuthorize\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMonitor\u003c/strong\u003e (this step)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWhat is the Monitor Step?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of the Monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eOrganizational and System Level Monitor Tasks\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eOrganizational level tasks are completed as part of the Information Security and Privacy Program managed by the Office of Information Technology. System level monitor tasks also take into consideration mission/business process concerns.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask M-1 System and environment changes\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eMonitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. Also, ensure the continuous monitoring process aligns with CMS continuous monitoring strategies.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential Inputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOrganizational continuous monitoring strategies for its systems at various levels (organization-wide, mission/business process, and system level)\u003c/li\u003e\u003cli\u003eOrganizational configuration management policy and procedures\u003c/li\u003e\u003cli\u003eGuidance on how changes to system configurations are managed and controlled\u003c/li\u003e\u003cli\u003eOrganizational policy and procedures for handling unauthorized system changes\u003c/li\u003e\u003cli\u003eSecurity and privacy plans\u003c/li\u003e\u003cli\u003eConfiguration change requests and approvals\u003c/li\u003e\u003cli\u003eSystem design documentation\u003c/li\u003e\u003cli\u003eSecurity and privacy assessment reports\u003c/li\u003e\u003cli\u003ePlans of action and milestones (POA\u0026amp;Ms)\u003c/li\u003e\u003cli\u003eInformation from automated and manual monitoring tools from across CMS\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected Outputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdated security and privacy plans to reflect any changes in the system or environment that affect security and privacy controls\u003c/li\u003e\u003cli\u003eUpdated POA\u0026amp;Ms indicating the actions required to address security and privacy risks introduced by changes to the system\u003c/li\u003e\u003cli\u003eUpdated security and privacy assessment reports that provide current information on the effectiveness of security and privacy controls after changes\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCMS has established a \u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003esystem security and privacy plan (SSPP)\u003c/a\u003e program that is a living collection of information that must be updated with any changes to the system, especially when a significant change occurs in the life cycle of the FISMA system.\u003c/p\u003e\u003cp\u003eTo effectively address/track all identified risks/weaknesses the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"\u003eCMS Plan of Action and Milestone (POA\u0026amp;M)\u003c/a\u003e provides a complete guide to creating, managing, and closing a systems POA\u0026amp;M.\u003c/p\u003e\u003cp\u003eCMS leverages the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e program to aid in strengthening the cybersecurity of government networks and systems by providing automated scanning and analysis of risk. The CDM sensors automate identification of known cyber vulnerabilities, and then send that information to analytics tools to create dashboards that alert system managers about risks for remediation, report security/privacy posture to CMS and share aggregated information at the federal level.\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Integration Center (CCIC)\u003c/a\u003e uses data to address incidents through risk management and monitoring activities across CMS. \u003ca href=\"https://security.cms.gov/learn/cyber-risk-reports\"\u003eCyber Risk Reporting\u003c/a\u003e provides reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats. Ad hoc risk reviews are programs and tools used to monitor the system.\u003c/p\u003e\u003cp\u003eFinally, the CMS \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e provides current information on the effectiveness of security and privacy controls after changes.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task M-1 include the System Owner (SO), Common Control Provider, Senior Agency Information Security Officer, Senior Agency Official for Privacy, and Security Control Assessors (SCA).\u003c/p\u003e\u003cp\u003eFor additional information on the roles and responsibilities visit the \u003ca href=\"https://csrc.nist.gov/csrc/media/Projects/risk-management/documents/Additional%20Resources/NIST%20RMF%20Roles%20and%20Responsibilities%20Crosswalk.pdf\"\u003eNIST RMF roles and responsibilities crosswalk\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e DE.CM; ID.GV\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask M-2: Ongoing assessments\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAssess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy. To ensure the controls remain effective over time against evolving threats and changes within the system and its environment.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential Inputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOrganizational continuous monitoring strategy\u003c/li\u003e\u003cli\u003eSystem level continuous monitoring strategy (if applicable)\u003c/li\u003e\u003cli\u003eSecurity and privacy plans\u003c/li\u003e\u003cli\u003eSecurity and privacy assessment reports\u003c/li\u003e\u003cli\u003ePOA\u0026amp;Ms\u003c/li\u003e\u003cli\u003eInformation from automated and manual monitoring tools\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eExternal assessment or audit results (if applicable)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected Outputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdated security and privacy assessment reports to reflect the findings of the ongoing assessments, including any changes in control effectiveness and recommendations for improvement\u003c/li\u003e\u003cli\u003eList of updated POA\u0026amp;Ms to document the action plans for addressing identified control weaknesses, including timelines and responsibilities\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e is available for System/Business Owners to meet the current requirements of the \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eATO process\u003c/a\u003e and the testing control requirements described in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCSRAP is a security and risk assessment framework that facilitates and encourages risk-based decision-making for FISMA systems at CMS. It supersedes the Adaptive Capabilities Testing (ACT) Program as the primary input to the Authority to Operate (ATO) process.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap#risk-assessment\"\u003eRisk Assessment\u003c/a\u003e component of the CSRAP pulls relevant data from previous and ongoing audits and assessments, as well as data available from the Continuous Diagnostics and Mitigation (CDM) program of the \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Integration Center (CCIC)\u003c/a\u003e. CSRAP is data-driven and focuses on how to manage risk effectively and gives system teams a clearer picture of their overall risk.\u003c/p\u003e\u003cp\u003eTo schedule an assessment, contact the CSRAP team at \u003ca href=\"mailto:CSRAP@cms.hhs.gov\"\u003eCSRAP@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task M-2 include the Security Control Accessor (SCA), System Owner/Common Control Provider, Authorizing Official (AO), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.SC-4\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask M-3: Ongoing risk response\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eRespond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in the POA\u0026amp;Ms. To ensure timely and effective risk response actions and to manage risks dynamically, such that it reflects changes in the threat landscape, system vulnerabilities, and organizational risk tolerance.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential Inputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity and privacy assessment reports, with detailed findings on the effectiveness of implemented controls and any identified vulnerabilities\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eSecurity and privacy plans documenting existing security and privacy controls and the rationale for their selection\u003c/li\u003e\u003cli\u003ePOA\u0026amp;Ms\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected Outputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eMitigation actions or risk acceptance decisions documenting the chosen risk response for each identified risk, including detailed plans for mitigation actions or formal acceptance of the risk\u003c/li\u003e\u003cli\u003eUpdated security and privacy assessment reports reflecting the reassessment of risks following the implementation of mitigation actions or changes in the risk environment\u003c/li\u003e\u003cli\u003eUpdated POA\u0026amp;M reflecting progress on mitigation actions, including any completed tasks and adjustments to remaining actions based on ongoing risk analysis\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CMS \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCSRAP\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCCIC\u003c/a\u003e teams maintain an adaptive security and privacy posture that responds effectively to new and evolving risks. They ensure that CMS's operations and assets, as well as individual privacy, are adequately protected. This provides system teams with an updated security and privacy assessment posture.\u003c/p\u003e\u003cp\u003eCMS recommends that system teams not use the security assessment report template, and instead encourages them to work with their assessment teams like CSRAP to manage the security assessments and reports required for their systems.\u003c/p\u003e\u003cp\u003eThe CSRAP validates PO\u0026amp;AMs that were closed since the last assessment including any previous risk/security assessment as part of its assessment process.\u003c/p\u003e\u003cp\u003eA CSRAP risk assessment report divides risks into three categories:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eInherent risks\u003c/strong\u003e (risks arise directly from unmitigated findings, including open POA\u0026amp;Ms)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eResidual risks\u003c/strong\u003e (risks arise indirectly from already mitigated findings or from some source other than technical findings)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eInherited risks\u003c/strong\u003e (risks exist because security controls are inherited from another system)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task M-3 include the Authorizing Official (AO), System Owner (SO), Common Control Provider, Security Control Accessor (SCA), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e RS.AN\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask M-4: Authorization package updates\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eUpdate key artifacts such as security and privacy plans, assessment reports, and POA\u0026amp;Ms based on the results of the continuous monitoring process to ensure that the authorization package remains current and accurately reflects the security and privacy posture of the information system throughout its lifecycle. To enable decision-makers to have the necessary information to make informed risk management decisions.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential Inputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity and privacy assessment reports\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eSecurity and privacy plans\u003c/li\u003e\u003cli\u003ePOA\u0026amp;Ms with documented planned remediation activities\u003c/li\u003e\u003cli\u003eConfiguration change requests or approvals\u003c/li\u003e\u003cli\u003eSystem design documentation with a record of approved changes to the system and its environment\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected Outputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdated security and privacy assessment reports incorporating the results of continuous monitoring and any reassessments of control effectiveness, to provide a current view of the system's security and privacy posture\u003c/li\u003e\u003cli\u003eUpdated POA\u0026amp;Ms documenting the progress on remediation efforts and any changes to planned actions based on ongoing risk assessments and monitoring activities\u003c/li\u003e\u003cli\u003eUpdated risk assessment results reflecting the current risk posture of the system and any changes in risk levels due to the implementation of mitigation strategies, changes in the threat landscape, or other factors\u003c/li\u003e\u003cli\u003eUpdated security and privacy plans reflecting any modifications/changes to the security and privacy controls, the threat environment, or other factors affecting the security and privacy posture of the system\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAn Authorization Package is the collection of documentation put together by the Business Owner (BO) and their team as evidence that the system has been designed, built, tested, assessed, and categorized appropriately to meet \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eCMS ATO requirements\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe CMS CSRAP team provides a plain-language security and privacy assessment report from multiple data sources that quickly informs the system team about the system's overall health. The report focuses on high-level system security capabilities providing the most information possible about overall system risk. This allows the system team to make future decisions based on risk, instead of performing compliance tasks only at set intervals.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003eCMS POA\u0026amp;M standards\u003c/a\u003e align with the HHS POA\u0026amp;M standards to ensure effective and timely remediation of critical and high vulnerabilities. After positive identification, all findings and weaknesses must be documented in a POA\u0026amp;M, reported to HHS, and remediated within specific timelines.\u003c/p\u003e\u003cp\u003eCMS has added the \u003ca href=\"https://security.cms.gov/posts/cfacts-update-new-features-generating-caat-files-cfacts\"\u003eCMS Assessment and Audit Tracking (CAAT)\u003c/a\u003e and POA\u0026amp;M supporting guidance matrices in the CAAT supporting guidance section in the POA\u0026amp;M within CFACTS to make the process more efficient.\u003c/p\u003e\u003cp\u003eCMS considers the SSPP as a living collection of information that must be updated with any changes to the system, especially when a significant change occurs in the life cycle of the FISMA system.\u003c/p\u003e\u003cp\u003eCMS ensures that information needed for oversight, management, and auditing purposes is not modified or destroyed when updating security and privacy plans, assessment reports, and POA\u0026amp;Ms.\u003c/p\u003e\u003cp\u003ePlease see the \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eATO page\u003c/a\u003e for the ATO process (including stakeholders and their responsibilities) and see the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-activities\"\u003eCMS Information System Security Officer (ISSO) Handbook\u003c/a\u003e for the full list of NIST approved Authorization package documents.\u003c/p\u003e\u003cp\u003eFor additional information please contact the \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov.\u003c/a\u003e\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task M-4 include the System Owner (SO), Common Control Provider, Security Control Assessor (SCA), Authorizing Official (AO) or Authorizing Official Designated Representative (AODR), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e RS.IM\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask M-5: Security and privacy reporting\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eReport the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy. To ensure that these key figures have ongoing visibility into the systems security and privacy status, enabling them to make informed decisions about risk management, resource allocation, and strategic planning.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential Inputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity and privacy assessment reports\u003c/li\u003e\u003cli\u003eList of POA\u0026amp;M actions planned or in progress to address identified security and privacy weaknesses\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eOrganization- and system-level continuous monitoring strategies\u003c/li\u003e\u003cli\u003eSecurity and privacy plans\u003c/li\u003e\u003cli\u003eCybersecurity Framework Profile outlining CMSs cybersecurity goals and the standards, guidelines, and practices they have chosen to achieve those goals.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected Outputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity and privacy posture reports that summarize the system's security and privacy status, including the effectiveness of controls, any identified vulnerabilities, and the progress of remediation efforts. The reports should highlight changes in the security and privacy posture since the last reporting period, providing a clear and up-to-date picture of the system's risk profile.\u003c/li\u003e\u003cli\u003eList of updated POA\u0026amp;Ms reflecting the latest progress on remediation efforts, including any newly completed actions and adjustments to ongoing or planned activities based on recent findings or changes in the risk landscape\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/cyber-risk-reports\"\u003eCyber Risk Reports\u003c/a\u003e are provided monthly by Information Security and Privacy Group (ISPG) to communicate cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) systems. These reports help Business and System Owners make risk-based decisions and prioritize risk remediation activities at the system level. The Cyber Risk Reports are sent to all component leadership, including Business Owners (such as ISSOs and CRAs) and to CMS Senior Leadership (such as the COO, CISO, and CIO).\u003c/p\u003e\u003cp\u003eCMS also provides ISSO Reports, a specific kind of Cyber Risk Report that helps ISSOs identify security and privacy risks (along with ways to mitigate them) for their systems. These reports make it easier to spot things like overdue POA\u0026amp;Ms, expiring Contingency Plans, and other areas where ISSOs need to take action.\u003c/p\u003e\u003cp\u003eCMS has established the \u003ca href=\"https://security.cms.gov/learn/isso-service\"\u003eISSO As A Service\u003c/a\u003e program that provides skilled ISSOs to CMS components who can help ensure adequate information security across all CMS components and systems. Including, communicating with CMS Business Owners (BO) and senior leadership on insights about potential security risks and mitigation strategies.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task M-5 include the System Owner (SO), Common Control Provider, Senior Agency Information Security Officer (SAISO), Senior Agency Official for Privacy (SAOP), and Authorizing Official (AO).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e N/A\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask M-6: Ongoing authorization\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eReview the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable as defined by organizational policies and thresholds.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential Inputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eRisk tolerance defining CMSs acceptable level of risk\u003c/li\u003e\u003cli\u003eSecurity and privacy posture reports\u003c/li\u003e\u003cli\u003ePOA\u0026amp;Ms\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eSecurity and privacy plans\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected Outputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDetermination of risk: a formal decision document that articulates whether the system's risk posture is within the organization's risk tolerance\u003c/li\u003e\u003cli\u003eOngoing authorization to operate a formal declaration that the system continues to operate within acceptable risk levels, including any conditions or restrictions\u003c/li\u003e\u003cli\u003eOngoing authorization to use\u003c/li\u003e\u003cli\u003eOngoing common control authorization\u003c/li\u003e\u003cli\u003eDenial of ongoing authorization to operate if applicable\u003cul\u003e\u003cli\u003eFormal notification that the system's authorization to operate is denied due to unacceptable risk levels, including recommendations for risk mitigation or system decommissioning; denial of ongoing authorization to use, denial of ongoing common control authorization\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCMS implements an \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA) program\u003c/a\u003e that defines the scope of a particular system that can be continuously managed and monitored. With ongoing authorization, system controls are constantly evaluated and tested to spot vulnerabilities.\u003c/p\u003e\u003cp\u003eThis allows System and Business owners to make risk-based decisions quickly and confidently and engage in remediation efforts to minimize ongoing exposures.\u003c/p\u003e\u003cp\u003eTo be eligible for OA, systems must leverage the latest control automation tools.\u003c/p\u003e\u003cp\u003eAdditionally, all Continuous Diagnostics and Mitigation (CDM) tools must be implemented and tracking the system's hardware (HWAM), software (SWAM), and vulnerability (VUL).\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task M-6 include the Authorizing Official (AO), System Owner (SO), Security Control Assessor (SCA), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework: N/A\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask M-7: System disposal\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eImplement a system disposal strategy and execute required actions when a system is removed from operation. The goal is to mitigate any potential security and privacy risks associated with the disposal process, such as unauthorized access to sensitive data or the reuse of compromised components.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential Inputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity and privacy plans important for identifying specific disposal requirements or considerations related to the controls that were in place\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results to highlight any potential risks that could be exacerbated by the disposal process\u003c/li\u003e\u003cli\u003eSystem component inventory: a detailed inventory of all system components, including hardware and software\u003cul\u003e\u003cli\u003eSystem component inventory is essential for ensuring that all components are accounted for during the disposal process and that secure disposal methods are applied appropriately\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected Outputs:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDisposal strategy: a document or set of documents outlining the planned approach for securely disposing of the system and its components\u003c/li\u003e\u003cli\u003eUpdated system component inventory, reflecting the removal of disposed components from the organization's asset inventory\u003c/li\u003e\u003cli\u003eUpdated security and privacy plans that indicate that the system has been decommissioned and is no longer in operation\u003c/li\u003e\u003cli\u003eDisposal records providing detailed records of the disposal process for each component of the system, including methods of data sanitization and the final disposition of hardware\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAt CMS, system disposal is managed by the Records and Information Management (RIM) Program within the Office of Strategic Operations and Regulatory Affairs (OSORA).\u003c/p\u003e\u003cp\u003eRIM leverages the Cross-Reference Tool (CRT). CRT documents CMS IT Systems Record schedules and retention periods and tracks those IT Systems statuses and records/data dispositions.\u003c/p\u003e\u003cp\u003eBusiness Owners of active CMS IT systems receive an email from the CRT Tool with the Annual Notification of Eligibility for Disposal.\u003c/p\u003e\u003cp\u003ePlease contact the RIM Team in OSORA for further guidance at \u003ca href=\"mailto:Records_Retention@cms.hhs.gov\"\u003eRecords_Retention@cms.hhs.gov\u003c/a\u003e and see the \u003ca href=\"https://cmsintranet.share.cms.gov/JT/Documents/CMS%20RM%20Policy20210103Final.pdf#search=rim\"\u003eCMS RIM Policy.\u003c/a\u003e\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task M-7 include the System Owner (SO), Information Owner or Steward, System Security Officer, System Privacy Officer, Senior Accountable Official for Risk Management or Risk Executive (Function), Senior Agency Information Security Officer and Senior Agency Official for Privacy (SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework: N/A\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}\n1b:{\"self\":\"$1c\"}\n1f:[\"menu_ui\",\"scheduler\"]\n1e:{\"module\":\"$1f\"}\n22:[]\n21:{\"available_menus\":\"$22\",\"parent\":\"\"}\n23:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n20:{\"menu_ui\":\"$21\",\"scheduler\":\"$23\"}\n1d:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$1e\",\"third_party_settings\":\"$20\",\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1a:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":\"$1b\",\"attributes\":\"$1d\"}\n26:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}\n25:{\"self\":\"$26\"}\n27:{\"display_name\":\"jcallan - retired\"}\n24:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":\"$25\",\"attributes\":\"$27\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}\n29:{\"self\":\"$2a\"}\n2c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n2b:{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$2c\"}\n30:{\"drupal_internal__target_id\":\"resource_type\"}\n2f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$30\"}\n32:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/res"])</script><script>self.__next_f.push([1,"ource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"}\n33:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}\n31:{\"related\":\"$32\",\"self\":\"$33\"}\n2e:{\"data\":\"$2f\",\"links\":\"$31\"}\n36:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"}\n37:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}\n35:{\"related\":\"$36\",\"self\":\"$37\"}\n34:{\"data\":null,\"links\":\"$35\"}\n3e:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n3d:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$3e\"}\n3c:{\"help\":\"$3d\"}\n3b:{\"links\":\"$3c\"}\n3a:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$3b\"}\n39:[\"$3a\"]\n40:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"}\n41:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}\n3f:{\"related\":\"$40\",\"self\":\"$41\"}\n38:{\"data\":\"$39\",\"links\":\"$3f\"}\n2d:{\"vid\":\"$2e\",\"revision_user\":\"$34\",\"parent\":\"$38\"}\n28:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":\"$29\",\"attributes\":\"$2b\",\"relationships\":\"$2d\"}\n44:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n43:{\"self\":\"$44\"}\n46:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n45:{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$46\"}\n4a:{\"dru"])</script><script>self.__next_f.push([1,"pal_internal__target_id\":\"roles\"}\n49:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$4a\"}\n4c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n4d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n4b:{\"related\":\"$4c\",\"self\":\"$4d\"}\n48:{\"data\":\"$49\",\"links\":\"$4b\"}\n50:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n51:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n4f:{\"related\":\"$50\",\"self\":\"$51\"}\n4e:{\"data\":null,\"links\":\"$4f\"}\n58:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n57:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$58\"}\n56:{\"help\":\"$57\"}\n55:{\"links\":\"$56\"}\n54:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$55\"}\n53:[\"$54\"]\n5a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n5b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n59:{\"related\":\"$5a\",\"self\":\"$5b\"}\n52:{\"data\":\"$53\",\"links\":\"$59\"}\n47:{\"vid\":\"$48\",\"revision_user\":\"$4e\",\"parent\":\"$52\"}\n42:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$43\",\"attributes\":\"$45\",\"relationships\":\"$47\"}\n5e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n5d:{\"self\":\"$5e\"}\n60:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n5f:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Offi"])</script><script>self.__next_f.push([1,"cer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$60\"}\n64:{\"drupal_internal__target_id\":\"roles\"}\n63:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$64\"}\n66:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n67:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n65:{\"related\":\"$66\",\"self\":\"$67\"}\n62:{\"data\":\"$63\",\"links\":\"$65\"}\n6a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n6b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n69:{\"related\":\"$6a\",\"self\":\"$6b\"}\n68:{\"data\":null,\"links\":\"$69\"}\n72:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n71:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$72\"}\n70:{\"help\":\"$71\"}\n6f:{\"links\":\"$70\"}\n6e:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$6f\"}\n6d:[\"$6e\"]\n74:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n75:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n73:{\"related\":\"$74\",\"self\":\"$75\"}\n6c:{\"data\":\"$6d\",\"links\":\"$73\"}\n61:{\"vid\":\"$62\",\"revision_user\":\"$68\",\"parent\":\"$6c\"}\n5c:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$5d\",\"attributes\":\"$5f\",\"relationships\":\"$61\"}\n78:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n77:{\"self\":\"$78\"}\n7a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n79:{\"drupal_intern"])</script><script>self.__next_f.push([1,"al__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$7a\"}\n7e:{\"drupal_internal__target_id\":\"roles\"}\n7d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$7e\"}\n80:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n81:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n7f:{\"related\":\"$80\",\"self\":\"$81\"}\n7c:{\"data\":\"$7d\",\"links\":\"$7f\"}\n84:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n85:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n83:{\"related\":\"$84\",\"self\":\"$85\"}\n82:{\"data\":null,\"links\":\"$83\"}\n8c:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n8b:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$8c\"}\n8a:{\"help\":\"$8b\"}\n89:{\"links\":\"$8a\"}\n88:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$89\"}\n87:[\"$88\"]\n8e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n8f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n8d:{\"related\":\"$8e\",\"self\":\"$8f\"}\n86:{\"data\":\"$87\",\"links\":\"$8d\"}\n7b:{\"vid\":\"$7c\",\"revision_user\":\"$82\",\"parent\":\"$86\"}\n76:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$77\",\"attributes\":\"$79\",\"relationships\":\"$7b\"}\n92:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/"])</script><script>self.__next_f.push([1,"feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\n91:{\"self\":\"$92\"}\n94:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n93:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$94\"}\n98:{\"drupal_internal__target_id\":\"roles\"}\n97:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$98\"}\n9a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\n9b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\n99:{\"related\":\"$9a\",\"self\":\"$9b\"}\n96:{\"data\":\"$97\",\"links\":\"$99\"}\n9e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\n9f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\n9d:{\"related\":\"$9e\",\"self\":\"$9f\"}\n9c:{\"data\":null,\"links\":\"$9d\"}\na6:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\na5:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$a6\"}\na4:{\"help\":\"$a5\"}\na3:{\"links\":\"$a4\"}\na2:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$a3\"}\na1:[\"$a2\"]\na8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\na9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\na7:{\"related\":\"$a8\",\"self\":\"$a9\"}\na0:{\"data\":\"$a1\",\"links\":\"$a7\"}\n95:{\"vid\":\"$96\",\"revision_user\":\"$9c\",\"parent\":\"$a0\"}\n90:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2"])</script><script>self.__next_f.push([1,"da2c5056e\",\"links\":\"$91\",\"attributes\":\"$93\",\"relationships\":\"$95\"}\nac:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}\nab:{\"self\":\"$ac\"}\nae:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nad:{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$ae\"}\nb2:{\"drupal_internal__target_id\":\"topics\"}\nb1:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$b2\"}\nb4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"}\nb5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}\nb3:{\"related\":\"$b4\",\"self\":\"$b5\"}\nb0:{\"data\":\"$b1\",\"links\":\"$b3\"}\nb8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"}\nb9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}\nb7:{\"related\":\"$b8\",\"self\":\"$b9\"}\nb6:{\"data\":null,\"links\":\"$b7\"}\nc0:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nbf:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c0\"}\nbe:{\"help\":\"$bf\"}\nbd:{\"links\":\"$be\"}\nbc:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$bd\"}\nbb:[\"$bc\"]\nc2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"}\nc3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}\nc1:{\"related\":\"$c2\",\"self\":\"$c3\"}\nba"])</script><script>self.__next_f.push([1,":{\"data\":\"$bb\",\"links\":\"$c1\"}\naf:{\"vid\":\"$b0\",\"revision_user\":\"$b6\",\"parent\":\"$ba\"}\naa:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":\"$ab\",\"attributes\":\"$ad\",\"relationships\":\"$af\"}\nc6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}\nc5:{\"self\":\"$c6\"}\nc8:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nc7:{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$c8\"}\ncc:{\"drupal_internal__target_id\":\"topics\"}\ncb:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$cc\"}\nce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"}\ncf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}\ncd:{\"related\":\"$ce\",\"self\":\"$cf\"}\nca:{\"data\":\"$cb\",\"links\":\"$cd\"}\nd2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"}\nd3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}\nd1:{\"related\":\"$d2\",\"self\":\"$d3\"}\nd0:{\"data\":null,\"links\":\"$d1\"}\nda:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nd9:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$da\"}\nd8:{\"help\":\"$d9\"}\nd7:{\"links\":\"$d8\"}\nd6:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$d7\"}\nd5:[\"$d6\"]\ndc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"}\ndd:{\"href\":\"https://cybergeek"])</script><script>self.__next_f.push([1,".cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}\ndb:{\"related\":\"$dc\",\"self\":\"$dd\"}\nd4:{\"data\":\"$d5\",\"links\":\"$db\"}\nc9:{\"vid\":\"$ca\",\"revision_user\":\"$d0\",\"parent\":\"$d4\"}\nc4:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":\"$c5\",\"attributes\":\"$c7\",\"relationships\":\"$c9\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--library\",\"id\":\"a3362a1e-31c4-452f-8228-b068f0badf38\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/a3362a1e-31c4-452f-8228-b068f0badf38?resourceVersion=id%3A6020\"}},\"attributes\":{\"drupal_internal__nid\":1234,\"drupal_internal__vid\":6020,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-05T21:51:13+00:00\",\"status\":true,\"title\":\"CMS Risk Management Framework (RMF): Monitor Step\",\"created\":\"2024-12-05T20:51:36+00:00\",\"changed\":\"2024-12-05T21:51:13+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-risk-management-framework-rmf-monitor-step\",\"pid\":1297,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2024-12-05\",\"field_related_resources\":[{\"uri\":\"entity:node/1221\",\"title\":\"CMS Risk Management Framework (RMF)\",\"options\":[],\"url\":\"/learn/cms-risk-management-framework-rmf\"},{\"uri\":\"entity:node/381\",\"title\":\"National Institute of Standards and Technology (NIST)\",\"options\":[],\"url\":\"/learn/national-institute-standards-and-technology-nist\"}],\"field_short_description\":{\"value\":\"Maintain an ongoing situational awareness about the security and privacy posture of a FISMA system\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eMaintain an ongoing situational awareness about the security and privacy posture of a FISMA system\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/a3362a1e-31c4-452f-8228-b068f0badf38/node_type?resourceVersion=id%3A6020\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/a3362a1e-31c4-452f-8228-b068f0badf38/relationships/node_type?resourceVersion=id%3A6020\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/a3362a1e-31c4-452f-8228-b068f0badf38/revision_uid?resourceVersion=id%3A6020\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/a3362a1e-31c4-452f-8228-b068f0badf38/relationships/revision_uid?resourceVersion=id%3A6020\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/a3362a1e-31c4-452f-8228-b068f0badf38/uid?resourceVersion=id%3A6020\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/a3362a1e-31c4-452f-8228-b068f0badf38/relationships/uid?resourceVersion=id%3A6020\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/a3362a1e-31c4-452f-8228-b068f0badf38/field_resource_type?resourceVersion=id%3A6020\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/a3362a1e-31c4-452f-8228-b068f0badf38/relationships/field_resource_type?resourceVersion=id%3A6020\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/a3362a1e-31c4-452f-8228-b068f0badf38/field_roles?resourceVersion=id%3A6020\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/a3362a1e-31c4-452f-8228-b068f0badf38/relationships/field_roles?resourceVersion=id%3A6020\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/a3362a1e-31c4-452f-8228-b068f0badf38/field_topics?resourceVersion=id%3A6020\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/a3362a1e-31c4-452f-8228-b068f0badf38/relationships/field_topics?resourceVersion=id%3A6020\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}},\"attributes\":{\"display_name\":\"jcallan - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}},\"attributes\":{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}},\"attributes\":{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}},\"attributes\":{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}}}}}],\"includedMap\":{\"ab4b0312-f678-40b9-ae06-79025f52ff43\":\"$1a\",\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\":\"$24\",\"e3394b9a-cbff-4bad-b68e-c6fad326132e\":\"$28\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$42\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$5c\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$76\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$90\",\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\":\"$aa\",\"65ef6410-4066-4db4-be03-c8eb26b63305\":\"$c4\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"CMS Risk Management Framework (RMF): Monitor Step | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Maintain an ongoing situational awareness about the security and privacy posture of a FISMA system\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"CMS Risk Management Framework (RMF): Monitor Step | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Maintain an ongoing situational awareness about the security and privacy posture of a FISMA system\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"CMS Risk Management Framework (RMF): Monitor Step | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Maintain an ongoing situational awareness about the security and privacy posture of a FISMA system\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>
Reference in a new issue View git blame Copy permalink