cms-gov/security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step
2025-02-28 14:41:14 -05:00


<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>CMS Risk Management Framework (RMF): Prepare Step | CMS Information Security &amp; Privacy Group</title><meta name="description" content="Outline the essential 
activities needed for CMS to manage its security and privacy risks"/><link rel="canonical" href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="CMS Risk Management Framework (RMF): Prepare Step | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="Outline the essential activities needed for CMS to manage its security and privacy risks"/><meta property="og:url" content="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step/opengraph-image.jpg?a856d5522b751df7"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="CMS Risk Management Framework (RMF): Prepare Step | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="Outline the essential activities needed for CMS to manage its security and privacy risks"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step/opengraph-image.jpg?a856d5522b751df7"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main 
content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div 
class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium 
tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate 
(ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item 
font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy 
Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a 
href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a 
class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accountability Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" 
id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-library undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">CMS Risk Management Framework (RMF): Prepare Step</h1><p class="hero__description">Outline the essential activities needed for CMS to manage its security and privacy risks</p><p class="font-sans-2xs line-height-sans-5 margin-bottom-0">Last reviewed<!-- -->: <!-- -->12/5/2024</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p 
class="text-italic text-base font-sans-xs">No table of contents entries to display.</p></nav></div><div class="tablet:grid-col-8"><section class="resource-collection radius-md padding-y-2 padding-x-3 bg-base-lightest"><h1 class="resource-collection__header h3 margin-top-0 margin-bottom-2">Related Resources</h1><div class="grid-row grid-gap-4"><div class="tablet:grid-col-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/learn/cms-risk-management-framework-rmf">CMS Risk Management Framework (RMF)</a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/learn/national-institute-standards-and-technology-nist">National Institute of Standards and Technology (NIST)</a></div></div></section><section><div class="text-block text-block--theme-library"><h2>What is the Risk Management Framework (RMF)?</h2><p><a href="https://security.cms.gov/learn/national-institute-standards-and-technology-nist">The National Institute of Standards and Technology (NIST)</a> created the RMF to provide a structured, flexible process to manage risk throughout a system's life cycle. 
Using the RMF process helps CMS authorize and monitor our information systems and keep them safe.</p><p>The RMF is made up of 7 steps:</p><ul><li><strong>Prepare</strong> (this step)</li><li><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-categorize-step">Categorize</a></li><li><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-select-step">Select</a></li><li><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-implement-step">Implement</a></li><li><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-assess-step">Assess</a></li><li><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-authorize-step">Authorize</a></li><li><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step">Monitor</a></li></ul><h2>What is the Prepare Step?</h2><p>The Prepare step outlines the essential activities that all levels of CMS should carry out in order to manage its security and privacy risks.</p><p>Completing the Prepare step will generate these outcomes for CMS:</p><ul><li>Identify key risk management roles</li><li>Establish risk management strategy</li><li>Determine risk tolerance</li><li>Complete CMS-wide risk assessment</li><li>Develop and implement CMS-wide strategy for continuous monitoring</li><li>Identify common controls</li></ul><h2>Organizational-level Prepare Tasks</h2><p>Organizational-level tasks are completed as part of the Information Security and Privacy Program managed by the Office of Information Technology (OIT).</p><p>Individual systems do not need to complete these organizational-level tasks, but they are listed here for reference.</p><h3>Task P-1: Risk management roles</h3><p>The first Prepare task is to identify and assign individuals to specific roles associated with security and privacy risk management. 
Clearly defining roles and responsibilities provides a solid foundation for the entire risk management process, ensuring accountability and clear ownership throughout CMS.</p><p><strong>Potential inputs</strong></p><ul><li>Defined organizational security and privacy policies and procedures. These help prepare CMS to manage its security and privacy risks using the RMF.</li><li>Organizational charts that facilitate communication between CMS senior leaders and executives and its mission and business process levels.</li></ul><p><strong>Expected outputs</strong></p><ul><li>Documented Risk Management Framework role assignments. Individuals are identified and assigned key roles for executing the RMF.</li></ul><p><strong>Discussion:</strong> Task P-1 highlights the importance of having adequate resources and a defined governance structure in place to make it possible to create cost-effective and consistent risk management processes across CMS.</p><p>CMS has documented roles with risk management responsibilities in the <a href="https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#roles-and-responsibilities">CMS IS2P2 for roles and responsibilities</a>. 
This information was derived from the HHS IS2P, NIST guidance, and OMB policy requirements, then narrowed down to CMS-specific needs.</p><p>Roles with responsibilities tied to Task P-1 include the Head of the Agency, the Chief Information Officer (CIO), and the Senior Agency Information Security Officer (SAISO).</p><p>For additional information on roles and responsibilities visit the <a href="https://csrc.nist.gov/csrc/media/Projects/risk-management/documents/Additional%20Resources/NIST%20RMF%20Roles%20and%20Responsibilities%20Crosswalk.pdf">NIST RMF roles and responsibilities crosswalk</a>.</p><p>The <a href="https://www.cms.gov/about-cms/agency-information/cmsleadership/downloads/cms_organizational_chart.pdf">CMS Organizational Chart (PDF)</a> provides the CMS organizational structure, current roles, and points of contact.</p><p><strong>Cybersecurity Framework:</strong> ID.AM-6; ID.GV-2</p><h3>Task P-2: Risk management strategy</h3><p>Establish a risk management strategy for CMS that includes the organizational objectives and a determination of risk tolerance.</p><p><strong>Potential inputs</strong></p><ul><li>Organizational mission statement that defines CMS purpose, values and objectives.</li><li>Organizational policies and procedures that align with CMS values and objectives.</li><li>Organizational risk assumptions, constraints, priorities and trade-offs that will inform CMS's risk management strategy and guide its risk assessment, response, and monitoring activities.</li></ul><p><strong>Expected outputs</strong></p><ul><li>A defined risk management strategy of how CMS will assess, respond to, and monitor risk</li><li>Statement of risk tolerance that includes information security and privacy risk (CMS's ability to handle different levels of risk), the risk impact, its tolerance level (what CMS is willing to accept) and the risk review schedule</li></ul><p><strong>Discussion:</strong> CMS uses the <a 
href="https://security.cms.gov/ispg/risk-management-and-reporting">Cyber risk management and reporting strategy</a> to help ISSOs, Business Owners, and other stakeholders identify and mitigate security and privacy risks to their FISMA systems.</p><p>Other supporting documents include:</p><ul><li><a href="https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#risk-management-and-compliance">CMS IS2P2 Risk management and compliance section</a></li><li><a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS) 5.1</a></li><li><a href="https://security.cms.gov/policy-guidance/cms-cyber-risk-management-plan-crmp">CMS Cyber Risk Management Plan (CRMP)</a></li><li><a href="https://security.cms.gov/learn/cms-information-system-risk-assessment-isra">CMS Information System Risk Assessment (ISRA)</a></li><li><a href="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap">CMS Cyber Security and Risk Assessment Program (CSRAP)</a></li></ul><p>CMS has established an <a href="https://security.cms.gov/learn/ongoing-authorization-oa">Ongoing Authorization program</a> that monitors CMS FISMA systems to address real-time threats and allow you to make risk-based decisions.</p><p>The CMS ARS provides <a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars#security-and-privacy-controls">mandatory and supplemental controls</a>, customizable by Business Owners, to meet mission or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance.</p><p>Roles with responsibilities tied to Task P-2 include the Head of the Agency and Risk Executive (Function).</p><p><strong>Cybersecurity Framework:</strong> ID.RM; ID.SC</p><h3>Task P-3: Risk assessment—organization</h3><p>Assess security and privacy risks across CMS, and update the risk assessment results on an ongoing 
basis.</p><p><strong>Potential inputs</strong></p><ul><li>Risk management strategy</li><li>Mission or business objectives</li><li>Current threat information</li><li>System-level security and privacy risk assessment results</li><li>Supply chain risk assessment results</li><li>Previous organization-level security and privacy risk assessment results</li><li>Information sharing agreements or memoranda of understanding</li><li>Security and privacy information from continuous monitoring</li></ul><p><strong>Expected outputs</strong></p><ul><li>Documented risk assessment results that identify and prioritize risks that could impact CMS operations, assets, and individuals, along with the strategies used to identify them</li></ul><p><strong>Discussion:</strong> CMS carries out security control assessments and vulnerability scanning to identify and report on CMS organizational risks. The <a href="https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic">Cybersecurity Integration Center (CCIC)</a> provides reporting metrics and risk analysis through <a href="https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Mitigation (CDM)</a> by ingesting scan logs and identifying risks using its Security Information and Event Management (SIEM) tool.</p><p>CMS manages its risk assessment process through the <a href="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap">Cybersecurity and Risk Assessment Program (CSRAP)</a>.</p><p>You can schedule assessments through the CMS CSRAP Confluence page. 
Select dates for the type of CSRAP assessment you require:</p><ul><li><a href="https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813098">Security Assessment slots</a> (login required)</li><li><a href="https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813170">Risk Assessment slots</a> (login required)</li></ul><p>You can schedule <a href="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap">CSRAP</a>/<a href="https://security.cms.gov/learn/security-controls-assessment-sca">SCA</a> and <a href="https://security.cms.gov/learn/penetration-testing-pentesting">Penetration Testing (PenTest)</a> for both security &amp; privacy assessments.</p><p>For more information email the CSRAP team at <a href="mailto:CSRAP@cms.hhs.gov">CSRAP@cms.hhs.gov</a> with your requested dates.</p><p>CMS also communicates in monthly <a href="https://security.cms.gov/learn/cyber-risk-reports">Cyber Risk Reports</a>. We use Tableau dashboards for snapshots of the overall health of CMS systems, including the <a href="https://security.cms.gov/learn/cms-information-system-risk-assessment-isra">CMS Information System Risk Assessment (ISRA)</a>. Those are completed within the security category tab of the <a href="https://security.cms.gov/learn/cms-fisma-continuous-tracking-system-cfacts">CMS FISMA Continuous Tracking System (CFACTS)</a>.</p><p>Some of the roles with responsibilities tied to Task P-3 include: Senior Accountable Official for Risk Management or Risk Executive (Function), and Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).</p><p><strong>Cybersecurity Framework:</strong> ID.RA; ID.SC-2</p><h3>Task P-4: Organizationally tailored control baselines and cybersecurity framework profiles (optional)</h3><p>Establish, document, and publish organizationally-tailored control baselines and cybersecurity framework profiles. 
This task is optional.</p><p><strong>Potential inputs</strong></p><ul><li>Documented security and privacy requirements directing the use of organizationally tailored control baselines, using federal cybersecurity guidelines and standards</li><li>Mission or business objectives</li><li>Enterprise architecture</li><li>Security architecture</li><li>Privacy architecture</li><li>CMS- and system-level risk assessment results</li><li>List of common control providers and common controls available for inheritance</li><li>NIST Special Publication 800-53B control baselines</li></ul><p><strong>Expected outputs</strong></p><ul><li>List of approved or directed organizationally-tailored control baselines that are specific to CMS's risk profile and operational needs</li><li>Implementation of NIST CSF Profiles that align with CMS's functions, categories, and subcategories of the business requirements, risk tolerance, and resources<ul><li>For CMS-specific cybersecurity activities, these CSF profiles can describe:<ul><li>The <strong>current state</strong>: Profile indicates CMS cybersecurity outcomes that are currently being achieved</li><li>The <strong>desired target state</strong>: Profile indicates the outcomes needed to achieve CMS cybersecurity risk management goals</li></ul></li></ul></li></ul><p><strong>Discussion: </strong>CMS implements the Security and Privacy Planning controls from NIST 800-53 Rev5, tailored to the CMS environment within the <a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">ARS 5.1</a>, to define the CMS baseline of minimum information security and privacy assurance. 
These controls are based on governance documents and laws, regulations, and other authorities both internal to CMS and from external institutions.</p><p>CMS also implements the <a href="https://security.cms.gov/learn/cms-security-and-privacy-handbooks">Security and Privacy Handbooks</a> that provide overall guidance on how to implement CMS policies and standards across many cybersecurity topics while considering CMS Mission and Business objectives.</p><p>Some of the roles with responsibilities tied to Task P-4 include the Mission or Business Owner (BO) and Senior Accountable Official for Risk Management or Risk Executive (Function).</p><h3>Task P-5: Common control identification</h3><p>Identify, document, and publish CMS-wide common controls that can be inherited by organizational systems.</p><p><strong>Potential inputs</strong></p><ul><li>The CMS information system inventory, the current security and privacy controls, and their implementation status, used to document each security and privacy requirement</li><li>Existing common control providers and associated security and privacy plans</li><li>Information security and privacy program plans</li><li>Organization- and system-level security and privacy risk assessment results</li></ul><p><strong>Expected outputs</strong></p><ul><li>A list of common control providers and common controls available for CMS systems to inherit</li><li>Security and privacy plans (or equivalent documents) describing the common control implementation (including inputs, expected behavior, and expected outputs)</li></ul><p><strong>Discussion:</strong> CMS publishes controls derived from NIST 800-53 Rev5 and HHS IS2P control baselines in the <a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS) 5.1</a> and makes them available for inheritance by CMS systems. These serve as a starting point for determining the appropriate controls and countermeasures necessary to protect CMS 
information systems.</p><p>The CMS Common Control Provider is responsible for implementing, managing, and documenting these common controls so that systems can inherit them. Inheriting a common control does not remove a system's responsibility to document the inheritance in its own security and privacy plan and to implement any portion of the control that the provider does not cover.</p><p>Some of the roles with responsibilities tied to Task P-5 include the Senior Agency Information Security Officer (SAISO), Senior Agency Official for Privacy (SAOP), and Common Control Provider.</p><h3>Task P-6: Impact-level prioritization (optional)</h3><p>Prioritize CMS systems and assets based on their impact level, to aid in guiding resource allocation and risk management efforts.</p><p>This task is optional.</p><p><strong>Potential inputs</strong></p><ul><li>Security categorization information for CMS systems</li><li>System descriptions</li><li>Organization- and system-level risk assessment and impact analyses</li><li>Organization mission or business objectives</li><li>Cybersecurity Framework Profiles</li></ul><p><strong>Expected outputs</strong></p><ul><li>CMS systems and assets prioritized by their impact level into low-, moderate-, and high-impact sub-categories</li><li>Guidelines for allocating resources based on the prioritization</li></ul><p>These outputs allow CMS to focus on protecting high-impact systems and assets critical to its mission, ensuring that the most significant risks are addressed first.</p><p><strong>Discussion:</strong> Impact-level prioritization builds on security categorization, which describes the potential adverse impacts to CMS operations, assets, and individuals if CMS information and information systems are compromised through a loss of confidentiality, integrity, and/or availability (CIA).</p><p>Using NIST SP 800-60 Volume 1 Rev 1 as a guide, CMS has consolidated the information types that apply to CMS into nine (9) CMS information types.</p><p>CMS prioritizes systems that support its Mission Essential Functions (MEFs) and its Essential Supporting Activities (ESAs) while providing ARS 5.1 controls for all Low, Moderate, High and HVA systems. 
These priorities are based on the system's risk profile and vulnerability metrics, indicating a direct correlation with the task's goal of impact-level prioritization based on risk.</p><p>Some of the roles with responsibilities tied to Task P-6 include the Senior Accountable Official for Risk Management or Risk Executive (Function), and Mission or Business Owners.</p><p><strong>Cybersecurity Framework:</strong> ID.AM-5</p><h3>Task P-7: Organization-wide continuous monitoring strategy</h3><p>Develop and implement an organization-wide strategy for continuously monitoring control effectiveness.</p><p><strong>Potential inputs</strong></p><ul><li>Risk management strategy and priorities</li><li>Organization- and system-level risk assessment results</li><li>CMS security and privacy policies</li></ul><p><strong>Expected outputs</strong></p><ul><li>A comprehensive continuous monitoring strategy that includes mechanisms for assessing control effectiveness, reporting on security and privacy posture, and responding to changes in risk</li></ul><p><strong>Discussion:</strong> CMS complies with the HHS Information Security Continuous Monitoring (ISCM) strategy and further defines the control assessment frequencies within the <a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS)</a>.</p><p>CMS maintains an ongoing awareness of information security, vulnerabilities, and threats to support its risk management decisions. 
This includes continuous visibility into the actions of users, applications, and devices through a centralized log data collection.</p><p dir="ltr">As part of its continuous monitoring program, CMS uses the&nbsp;<a href="https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Mitigation (CDM) Program</a>&nbsp;and&nbsp;<a href="https://security.cms.gov/learn/security-controls-assessment-sca">Security Control Assessments</a>&nbsp;to determine whether a system's security and privacy controls are implemented correctly and operating effectively.</p><p>CDM provides automated scanning capabilities and risk analysis to strengthen the security posture of CMS FISMA systems on an ongoing basis. This lets CMS maintain situational awareness of its security and privacy posture, facilitating timely responses to emerging threats and vulnerabilities. CMS also uses asset inventories and <a href="https://security.cms.gov/posts/avoid-database-breaches-ispgs-free-vulnerability-scanning-service">vulnerability management scanning</a> to maintain visibility of both the devices employees use (e.g., laptops) and the applications and infrastructure they rely on, strengthening its continuous monitoring program.</p><p>Some of the roles with responsibilities tied to Task P-7 include the Senior Accountable Official for Risk Management or Risk Executive (Function), Chief Information Officer (CIO), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).</p><p><strong>Cybersecurity Framework:</strong> DE.CM; ID.SC-4</p><h2>System Level Prepare Tasks</h2><p>System level Prepare tasks also take into consideration mission or business process concerns.</p><h3>Task P-8: Mission or business focus</h3><p>Identify the missions, business functions, and mission or business processes that the information system is intended to support. 
Ensure that they provide adequate support to CMS objectives.</p><p><strong>Potential inputs</strong></p><ul><li>CMS mission statement</li><li>CMS policies</li><li>Mission or business process information</li><li>System stakeholder information</li><li>Cybersecurity Framework Profiles</li><li>Requests for proposal (RFPs) or other acquisition documents</li><li>Concept of operations and any current or future operational requirements</li></ul><p><strong>Expected outputs</strong></p><ul><li>Documentation linking information systems to the various missions, business functions, and mission or business processes that the systems will support</li><li>A prioritized list of information system requirements based on each system's mission and business importance</li></ul><p><strong>Discussion: </strong>The overall goal of Task P-8 is to ensure that CMS technology investments are directly tied to supporting its mission and business goals.</p><p>CMS has established and continues to support the development and maintenance of Business Continuity Plans and Disaster Recovery Plans for the protection of systems and components that are tied to its Essential Supporting Activities (ESAs), to ensure that CMS can perform Mission Essential Functions (MEFs).</p><p>For example, the CMS <a href="https://share.cms.gov/center/CMMI-BSG/COOP/SitePages/Home.aspx">Continuity of Operations Plan (COOP)</a>, Emergency Relocation Group (ERG) and Devolution Emergency Response Group (DERG) all ensure the continuation of CMS essential functions.</p><p>CMS systems are required to have an&nbsp;<a href="https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook">Information System Contingency Plan (ISCP)</a> to protect CMS from potential risks and ensure the continuity of operations.&nbsp;</p><p>CMS also requires that its Business Owners (BO) complete a <a 
href="https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook#what-is-a-business-impact-analysis-bia">Business Impact Analysis (BIA)</a> every two (2) years to document the business impact of any service to CMS missions, business functions, and mission or business processes.</p><p>Some of the roles with responsibilities tied to Task P-8 include the Mission or Business Owner and Information System Owner (ISO).</p><p><strong>Cybersecurity Framework:</strong> Profile; Implementation Tiers; ID.BE</p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task P-9: System stakeholders</h3><p>Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system. This ensures that their needs are considered in the system's risk management process.</p><p><strong>Potential inputs</strong></p><ul><li>CMS mission statement</li><li>Mission or business objectives</li><li>Missions, business functions, and mission or business processes that the system will support</li><li>Other mission or business process information</li><li>CMS security and privacy policies and procedures</li><li>CMS charts</li><li>Information about individuals or groups (internal and external) that have an interest in and decision-making responsibility for the system. 
This includes stakeholder analysis or feedback from previous projects or operational activities</li></ul><p><strong>Expected outputs</strong></p><ul><li>A comprehensive list of stakeholders for each system</li><li>A defined process of engagement and collaboration outlining how stakeholders will be involved in the system's risk management process</li></ul><p dir="ltr"><strong>Discussion:&nbsp;</strong>The&nbsp;<a href="https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#roles-and-responsibilities">CMS IS2P2 Roles and Responsibilities</a> section describes the CMS personnel responsible for completing system records such as the&nbsp;<a href="https://security.cms.gov/learn/system-security-and-privacy-plan-sspp">System Security and Privacy Plan (SSPP)</a> generated in&nbsp;<a href="https://security.cms.gov/learn/cms-fisma-continuous-tracking-system-cfacts">CFACTS</a>, the tool used at CMS for Governance, Risk, and Compliance (GRC).</p><p>CMS systems are encouraged to maintain a list of stakeholders, including any interconnecting systems and their stakeholders, under the Boundary tab in CFACTS to improve stakeholder engagement in managing and documenting the risk management process for their systems.</p><p>Some of the roles with responsibilities tied to Task P-9 include the System Owner (SO), Senior Agency Official for Privacy (SAOP), Chief Information Officer (CIO), and others.</p><p><strong>Cybersecurity Framework:</strong> ID.AM; ID.BE</p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task P-10: Asset identification</h3><p>Identify assets that require protection such as assets associated with CMS information systems, including hardware, 
software, data, and personnel.</p><p><strong>Potential inputs</strong></p><ul><li>An inventory of each information system's current assets</li><li>Each information system's operational requirements, based on the CMS missions, business functions, and mission or business processes that the system will support</li><li>Business impact analyses</li><li>Internal stakeholders</li><li>System stakeholder information</li><li>System information</li><li>Information about other systems that interact with the system</li></ul><p><strong>Expected outputs</strong></p><ul><li>An updated and comprehensive asset inventory for each system that requires protection<ul><li>The assets in each inventory must be categorized based on their importance to CMS's mission and their level of sensitivity</li></ul></li></ul><p dir="ltr"><strong>Discussion:&nbsp;</strong>The CMS&nbsp;<a href="https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Mitigation (CDM)</a> program maintains an automated authorized hardware and software inventory, including FISMA tagging, mapping and asset discovery as part of its Hardware Asset Management (HWAM) and Software Asset Management (SWAM). Because scanning and monitoring only cover assets that are known, system teams should reconcile the CDM inventory against the components documented in their authorization boundary.&nbsp;</p><p>The program is implemented in four (4) phases to address:</p><ul><li>What is on the network</li><li>Who is on the network</li><li>What is happening on the network</li><li>How the data is protected</li></ul><p>CMS system assets are identified using data analytics in Tableau and then pushed to CFACTS.</p><p>Some of the roles with responsibilities tied to Task P-10 include the System Owner (SO) and Information System Security Officer (ISSO).</p><p><strong>Cybersecurity Framework:</strong> ID.AM</p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task 
P-11: Authorization boundary</h3><p>Determine the authorization boundary of the information system. Clearly delineate the components that are included within the system's authorization scope. To standardize the approach to determining and defining the authorization boundary, systems are encouraged to create a checklist or boundary diagram template for use by system teams or ISSOs.</p><p><strong>Potential inputs</strong></p><ul><li>System design documentation</li><li>Network diagrams</li><li>System stakeholder information</li><li>Asset information</li><li>Network and/or enterprise architecture diagrams that include the integration and dependency information for interconnected systems</li><li>CMS structure (charts, information)</li></ul><p><strong>Expected outputs</strong></p><ul><li>Documented authorization boundary that includes diagrams or other visual representations of the system boundary. The boundary determines the scope of risk assessments and the extent of the security and privacy controls that apply: components outside the documented boundary are outside the scope of the system's assessment and authorization, so the boundary must capture every component that processes, stores, or transmits the system's information, including cloud offerings and interconnected systems.</li></ul><p><strong>Discussion:</strong> CMS uses an <a href="https://security.cms.gov/learn/ongoing-authorization-oa">Ongoing Authorization (OA) program</a> and the <a href="https://security.cms.gov/learn/fedramp">Federal Risk and Authorization Management Program (FedRAMP)</a>, each of which defines the scope of a particular system that can be continuously managed and monitored.</p><p>The OA program supports the FISMA authorization system boundary, which can include one or more cloud offerings.</p><p>The FedRAMP authorization boundary is exclusively for cloud service offerings, and may include the full stack (infrastructure, platform, and software) or just parts.</p><p>The authorization boundary for each system is documented in the Boundary tab within CFACTS.</p><p>Some of the roles with responsibilities tied to Task P-11 include the Authorizing Official (AO), System Owner, and Enterprise Architect.</p><p><strong>TLC Cycle 
Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task P-12: Information types</h3><p>Identify the types of information to be processed, stored, and transmitted by the information system to determine the appropriate levels of protection.</p><p><strong>Potential inputs</strong></p><ul><li>System design documentation</li><li>Assets to be protected</li><li>Mission or business process information</li><li>Data classification and categorization policies</li><li>Consideration of legal and regulatory requirements impacting data</li></ul><p><strong>Expected outputs</strong></p><ul><li>A list of information types for the system categorized by the level of sensitivity and impact</li><li>Detailed documentation of the type and level of protection required for each information type, as needed to comply with legal and regulatory requirements related to information protection</li></ul><p><strong>Discussion:</strong> CMS provides <a href="https://security.cms.gov/posts/watch-and-learn-system-categorization-cfacts">system categorization in CFACTS</a> guidance to help systems complete their FIPS 199 security categorization in CFACTS. The information types are categorized based on security and privacy considerations, determined by the CMS Policy team and documented in CFACTS.</p><p>The CMS Office of Strategic Operations and Regulatory Affairs (OSORA) (email: <a href="mailto:OSORA_Regs_Scheduling@cms.hhs.gov">OSORA_Regs_Scheduling@cms.hhs.gov</a>) and the CMS Records Retention team (email: <a href="mailto:Records_Retention@cms.hhs.gov">Records_Retention@cms.hhs.gov</a>) offer guidance on protection and retention of all CMS data.</p><p>Some of the roles with responsibilities tied to Task P-12 include the System Owner (SO) and Information Owner or Steward, and the Senior Agency 
Official for Privacy (SAOP).</p><p><strong>Cybersecurity Framework:</strong> ID.AM-5</p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task P-13: Information life cycle</h3><p>Identify and understand all stages of the information life cycle, from creation to final disposition, for each information type processed, stored, or transmitted by the information system.</p><p>Understanding the importance of the information life cycle is vital for the design and evaluation of the information systems, because the controls for each stage of the information life cycle are linked to their respective CMS TLC phases.</p><p><strong>Potential inputs</strong></p><ul><li>Data management policies and procedures that align with CMS missions, business functions, and mission or business processes the system will support</li><li>System stakeholder information</li><li>Authorization boundary information</li><li>Information about other systems that interact with the system (e.g., information exchange/connection agreements)</li><li>System design documentation outlining data flows and storage</li><li>System element information</li><li>List of system information types</li></ul><p><strong>Expected outputs</strong></p><ul><li>Identify all security and privacy controls required at each stage of the information life cycle</li><li>Document the stages through which information passes in the system, such as a data map or model illustrating how information is structured or is processed by the system throughout its life cycle<ul><li>Such documentation includes data flow diagrams, entity relationship diagrams, database schemas, and data dictionaries</li></ul></li></ul><p><strong>Discussion:</strong> The <a 
href="https://www.cms.gov/about-cms/leadership/office-strategic-operations-regulatory-affairs">CMS Office of Strategic Operations and Regulatory Affairs (OSORA)</a> provides guidance on the CMS systems information life cycle.</p><p>The <a href="https://security.cms.gov/learn/cms-technical-reference-architecture-tra">Technical Reference Architecture (TRA)</a> provides the authoritative technical architecture approach and technical reference standards that must be followed by all CMS systems. This approach helps in identifying potential vulnerabilities and in ensuring that data is protected appropriately at all stages.</p><p>The information life cycle task is vital for systems handling sensitive or regulated data, ensuring compliance with data protection laws and policies.</p><p>Some of the roles with responsibilities tied to Task P-13 include the Senior Agency Official for Privacy (SAOP) and System Owner, and the Information Owner/Steward.</p><p><strong>Cybersecurity Framework:</strong> ID.AM-3; ID.AM-4</p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task P-14: System-level risk assessment</h3><p>Conduct a system-level risk assessment to identify, prioritize, and document risks associated with the operation and use of the system. 
Update the results on an ongoing basis.</p><p><strong>Potential inputs</strong></p><ul><li>Asset inventory that needs to be protected</li><li>Missions, business functions, and mission or business processes the system will support</li><li>Business impact analyses or criticality analyses</li><li>System stakeholder information</li><li>Information about other systems that interact with the system</li><li>Provider information</li><li>Threat information</li><li>Data map</li><li>System design documentation (system architecture)</li><li>Cybersecurity Framework Profiles</li><li>Risk management strategy</li><li>Organization-level risk assessment results</li><li>Any previous risk assessments or relevant security and privacy incident reports</li></ul><p><strong>Expected outputs</strong></p><ul><li>Security and privacy risk assessment reports detailing identified risks, their likelihood, impact, and recommended mitigation strategies</li><li>An established action plan to mitigate identified risks and weaknesses</li></ul><p><strong>Discussion:</strong> <a href="https://security.cms.gov/ispg/risk-management-and-reporting">CMS Risk Management and Reporting</a> provides information on any potential security and privacy risks to CMS information and systems.</p><p>The <a href="https://security.cms.gov/policy-guidance/cms-cyber-risk-management-plan-crmp">CMS Cyber Risk Management Plan</a> lays the foundation for modernizing the CMS approach to identifying and mitigating security and privacy risks associated with the operation of CMS FISMA systems.</p><p>CMS implements <a href="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap">CSRAP</a>, a security and risk assessment program for CMS FISMA systems that aligns with ISPG strategies and the strategic goal of risk-based program management.</p><p>The <a href="https://security.cms.gov/learn/cms-information-system-risk-assessment-isra">CMS ISRA</a> documents the overall risk to a system and potential risk reduction 
strategies.</p><p>CMS has established a corrective action plan roadmap to address system weaknesses and the resources required to fix them in a <a href="https://security.cms.gov/learn/plan-action-and-milestones-poam">Plan of Action and Milestones (POA&amp;M)</a> that is required whenever audits reveal an area of weakness in security controls.</p><p>Risk assessments at CMS are conducted and tracked within CFACTS, showcasing a direct application of this task at the system level.</p><p>Some of the roles with responsibilities tied to Task P-14 include the System Owner (SO) and System Security Officer (SSO) or System Privacy Officer (SPO).</p><p><strong>Cybersecurity Framework:</strong> ID.RA; ID.SC-2</p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task P-15: Requirement definitions</h3><p>Define the security and privacy requirements specific to the system and its operation environment. 
Requirements should cover what is needed to mitigate identified risks and to comply with CMS policies and federal regulations.</p>
The SSPP relates CMS security requirements, defined in the <a href="https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2">CMS IS2P2</a>, to a set of security controls and control enhancements outlined in the <a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS ARS 5.1.</a></p><p dir="ltr">The&nbsp;<a href="https://security.cms.gov/learn/security-and-privacy-requirements-it-procurements#security-and-privacy-language-for-it-procurements">CMS Security and Privacy Language for IT Procurements</a> helps guide the CISO Team and procurement personnel to determine what kind of security and privacy requirements should be written into a contract before operating in a CMS environment.&nbsp;</p><p>Some of the roles with responsibilities tied to Task P-15 include the Mission or Business Owner (BO) and System Owner (SO) or Information Owner/Steward.</p><p><strong>Cybersecurity Framework:</strong> ID.GV; PR.IP</p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task P-16: Enterprise Architecture</h3><p>Determine the placement of the system within the enterprise architecture such that the system's architecture is aligned with CMS's enterprise architecture to support efficient and secure integration and operation within CMS's IT environment.</p><p><strong>Potential inputs</strong></p><ul><li>Security and privacy requirements; organization- and system-level risk assessment results; enterprise architecture information; security architecture information; privacy architecture information; asset information.</li></ul><p><strong>Expected outputs</strong></p><ul><li>Updated enterprise architecture confirming the system's completion of alignment; updated security architecture; updated 
privacy architecture; plans to use cloud-based systems and shared systems, services, or applications for integration and optimization.</li></ul><p><strong>Discussion:</strong> The <a href="https://security.cms.gov/learn/cms-technical-reference-architecture-tra">CMS TRA</a> provides the authoritative technical architecture approach and technical reference standards for all CMS information technology (IT) systems. The infrastructure requirements needed to support and secure high-quality delivery of healthcare services to beneficiaries, providers, and business partners, including aligning CMS systems with the Federal Enterprise Architecture Framework (FEAF).</p><p>Some of the roles with responsibilities tied to Task P-16 include the Enterprise Architect and Security or Privacy Architect.</p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task P-17: Requirements allocation</h3><p>Allocate the defined security and privacy requirements to specific system components, processes and operation environments to ensure comprehensive coverage across the system.</p><p><strong>Potential inputs</strong></p><ul><li>Organization- and system-level risk assessment results</li><li>Documented security and privacy requirements</li><li>List of common control providers and common controls available for inheritance</li><li>System description</li><li>System element information</li><li>System component inventory</li><li>Relevant laws, executive orders, directives, regulations, and policies.</li></ul><p><strong>Expected outputs</strong></p><ul><li>List of security and privacy requirements allocated to the system, its elements and components, and the environment of operation to ensure that all parts of the system contribute to the overall security and privacy 
posture</li></ul><p><strong>Discussion:</strong> CMS implements <a href="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-15-system-services-acquisition#system-services-acquisition-controls">System and Services Acquisition controls</a> to determine information security and privacy requirements for the information system or information system service in mission or business process planning, document and allocate the resources required to protect the information system or information system service.</p><p>Controls for each stage of the information lifecycle are identified by their linked TLC phase, which is relevant for allocating security and privacy requirements to specific system components or processes.</p><p>Some of the roles with responsibilities tied to Task P-17 include the System Security Officer (SSO) or System Privacy Officer (SPO) and System Owner (SO).</p><p><strong>Cybersecurity Framework:</strong> ID.GV</p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul><h3>Task P-18: System registration</h3><p>Register the information system within CMS's IT environment. 
This will formalize its status and ensure that it is recognized and managed as part of CMS's portfolio of information systems.</p><p><strong>Potential inputs</strong></p><ul><li>CMS policy on system registration</li><li>System information (system description, security and privacy requirements, architecture details)</li><li>Information from previous tasks (for example, risk assessment reports, requirements documentation)</li></ul><p><strong>Expected outputs</strong></p><ul><li>The system is registered in CMS's IT portfolio in accordance with CMS policies</li><li>Documentation acknowledging the system's registration and outlining any conditions or requirements for operation and maintenance within CMS</li></ul><p><strong>Discussion:</strong> CMS implements a <a href="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-12-security-privacy-planning-pl">Security and Privacy Planning (PL) handbook</a> that provides <a href="https://security.cms.gov/learn/security-and-privacy-requirements-it-procurements">privacy and security requirements</a> for use during a new <a href="https://security.cms.gov/learn/authorization-operate-ato">Authorization to Operate (ATO)</a> cycle; the resulting documentation of system security compliance is enforced by the CMS Chief Information Security Officer (CISO).</p>
The TLC is enforced by the CMS Office of Information Technology (OIT).</p><p>The&nbsp;<a href="https://www.cms.gov/tra/Foundation/FD_0060_Foundation_TRB.htm">CMS Technical Review Board (TRB)</a> provides system architecture and infrastructure requirements for all CMS systems to be compliant with as described in the&nbsp;<a href="https://security.cms.gov/learn/cms-technical-reference-architecture-tra">TRA.</a>&nbsp;</p><p>Some of the roles with responsibilities tied to Task P-18 include the System Owner (SO) and Chief Information Officer (CIO).</p><p><strong>Cybersecurity Framework:</strong> ID.GV</p><p><strong>TLC Cycle Phase:</strong></p><ul><li>New: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/initiate">Initiate</a></li><li>Existing: <a href="https://www.cms.gov/data-research/cms-information-technology/tlc/operate">Operate</a></li></ul></div></section></div></div></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new 
ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner 
(BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of 
authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 
Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO 
Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 
Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization 
(OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero 
Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident 
Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice 
(SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 
Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row 
grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock 
icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not 
found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[3055,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"907\",\"static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js\"],\"default\"]\n18:Tb93c,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the Risk Management Framework (RMF)?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist\"\u003eThe National Institute of Standards and Technology (NIST)\u003c/a\u003e created the RMF to provide a structured, flexible process to manage risk throughout a system's life cycle. 
Using the RMF process helps CMS authorize and monitor our information systems and keep them safe.\u003c/p\u003e\u003cp\u003eThe RMF is made up of 7 steps:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003ePrepare\u003c/strong\u003e (this step)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-categorize-step\"\u003eCategorize\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-select-step\"\u003eSelect\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-implement-step\"\u003eImplement\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-assess-step\"\u003eAssess\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-authorize-step\"\u003eAuthorize\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step\"\u003eMonitor\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWhat is the Prepare Step?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Prepare step outlines the essential activities that all levels of CMS should carry out in order to manage its security and privacy risks.\u003c/p\u003e\u003cp\u003eCompleting the Prepare step will generate these outcomes for CMS:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify key risk management roles\u003c/li\u003e\u003cli\u003eEstablish risk management strategy\u003c/li\u003e\u003cli\u003eDetermine risk tolerance\u003c/li\u003e\u003cli\u003eComplete CMS-wide risk assessment\u003c/li\u003e\u003cli\u003eDevelop and implement CMS-wide strategy for continuous monitoring\u003c/li\u003e\u003cli\u003eIdentify common 
controls\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eOrganizational-level Prepare Tasks\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eOrganizational-level tasks are completed as part of the Information Security and Privacy Program managed by the Office of Information Technology (OIT).\u003c/p\u003e\u003cp\u003eIndividual systems do not need to complete these organizational-level tasks, but they are listed here for reference.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-1: Risk management roles\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe first Prepare task is to identify and assign individuals to specific roles associated with security and privacy risk management. Clearly defining roles and responsibilities provides a solid foundation for the entire risk management process, ensuring accountability and clear ownership throughout CMS.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDefined organizational security and privacy policies and procedures. Those help prepare CMS to manage its security and privacy risks using the RMF.\u003c/li\u003e\u003cli\u003eOrganizational charts to facilitate better communication between CMS senior leaders and executives, its mission and business process levels.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocumented Risk Management Framework role assignments. 
Individuals are identified and assigned key roles for executing the RMF.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e Task P-1 highlights the importance of having adequate resources and a defined governance structure in place to make it possible to create cost-effective and consistent risk management processes across CMS.\u003c/p\u003e\u003cp\u003eCMS has documented roles with risk management responsibilities in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#roles-and-responsibilities\"\u003eCMS IS2P2 for roles and responsibilities\u003c/a\u003e. This information was derived from the HHS IS2P, NIST guidance, and OMB policy requirements, then narrowed down to CMS-specific needs.\u003c/p\u003e\u003cp\u003eRoles with responsibilities tied to Task P-1 include the Head of the Agency, the Chief Information Officer (CIO), and the Senior Agency Information Security Officer (SAISO).\u003c/p\u003e\u003cp\u003eFor additional information on roles and responsibilities, visit the \u003ca href=\"https://csrc.nist.gov/csrc/media/Projects/risk-management/documents/Additional%20Resources/NIST%20RMF%20Roles%20and%20Responsibilities%20Crosswalk.pdf\"\u003eNIST RMF roles and responsibilities crosswalk\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://www.cms.gov/about-cms/agency-information/cmsleadership/downloads/cms_organizational_chart.pdf\"\u003eCMS Organizational Chart (PDF)\u003c/a\u003e provides the CMS organizational structure, current roles and points of contact.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.AM-6; ID.GV-2\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-2: Risk management strategy\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEstablish a risk management strategy for CMS that includes the organizational objectives and a determination of risk 
tolerance.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOrganizational mission statement that defines CMS's purpose, values and objectives.\u003c/li\u003e\u003cli\u003eOrganizational policies and procedures that align with CMS's values and objectives.\u003c/li\u003e\u003cli\u003eOrganizational risk assumptions, constraints, priorities and trade-offs that will inform CMS's risk management strategy and guide its risk assessment, response, and monitoring activities.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eA defined risk management strategy of how CMS will assess, respond to, and monitor risk\u003c/li\u003e\u003cli\u003eStatement of risk tolerance that includes information security and privacy risk (CMS's ability to handle different levels of risk), the risk impact, its tolerance level (what CMS is willing to accept) and the risk review schedule\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS uses the \u003ca href=\"https://security.cms.gov/ispg/risk-management-and-reporting\"\u003eCyber risk management and reporting strategy\u003c/a\u003e to help ISSOs, Business Owners, and other stakeholders identify and mitigate security and privacy risks to their FISMA systems.\u003c/p\u003e\u003cp\u003eOther supporting documents include:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#risk-management-and-compliance\"\u003eCMS IS2P2 Risk management and compliance section\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS) 5.1\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca 
href=\"https://security.cms.gov/policy-guidance/cms-cyber-risk-management-plan-crmp\"\u003eCMS Cyber Risk Management Plan (CRMP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/cms-information-system-risk-assessment-isra\"\u003eCMS Information System Risk Assessment (ISRA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCMS Cyber Security and Risk Assessment Program (CSRAP)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS has established an \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization program\u003c/a\u003e that monitors CMS FISMA systems to address real-time threats and allow you to make risk-based decisions.\u003c/p\u003e\u003cp\u003eThe CMS ARS provides \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars#security-and-privacy-controls\"\u003emandatory and supplemental controls\u003c/a\u003e, customizable by Business Owners, to meet mission or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance.\u003c/p\u003e\u003cp\u003eRoles with responsibilities tied to Task P-2 include the Head of the Agency and Risk Executive (Function).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.RM; ID.SC\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-3: Risk assessment—organization\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAssess security and privacy risks across CMS, and update the risk assessment results on an ongoing basis.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eRisk management strategy\u003c/li\u003e\u003cli\u003eMission or business objectives\u003c/li\u003e\u003cli\u003eCurrent threat information\u003c/li\u003e\u003cli\u003eSystem-level security and 
privacy risk assessment results\u003c/li\u003e\u003cli\u003eSupply chain risk assessment results\u003c/li\u003e\u003cli\u003ePrevious organization-level security and privacy risk assessment results\u003c/li\u003e\u003cli\u003eInformation sharing agreements or memoranda of understanding\u003c/li\u003e\u003cli\u003eSecurity and privacy information from continuous monitoring\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocumented risk assessment results that identify the strategies used to identify and prioritize risks that could impact CMS operations, assets, and individuals\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS carries out security control assessments and vulnerability scanning to identify and report on CMS organizational risks. The \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCybersecurity Integration Center (CCIC)\u003c/a\u003e provides reporting metrics and risk analysis through \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e by ingesting scan logs and identifying risks using its Security Information and Event Management (SIEM) tool.\u003c/p\u003e\u003cp\u003eCMS manages its risk assessment process through the \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eYou can schedule assessments through the CMS CSRAP Confluence page. 
Select dates for the type of CSRAP assessment you require:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813098\"\u003eSecurity Assessment slots\u003c/a\u003e (login required)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813170\"\u003eRisk Assessment slots\u003c/a\u003e (login required)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eYou can schedule \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCSRAP\u003c/a\u003e/\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003eSCA\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing (PenTest)\u003c/a\u003e for both security \u0026amp; privacy assessments.\u003c/p\u003e\u003cp\u003eFor more information email the CSRAP team at \u003ca href=\"mailto:CSRAP@cms.hhs.gov\"\u003eCSRAP@cms.hhs.gov\u003c/a\u003e with your requested dates.\u003c/p\u003e\u003cp\u003eCMS also communicates in monthly \u003ca href=\"https://security.cms.gov/learn/cyber-risk-reports\"\u003eCyber Risk Reports\u003c/a\u003e. We use Tableau dashboards for snapshots of the overall health of CMS systems, including the \u003ca href=\"https://security.cms.gov/learn/cms-information-system-risk-assessment-isra\"\u003eCMS Information System Risk Assessment (ISRA)\u003c/a\u003e. 
Those are completed within the security category tab of the \u003ca href=\"https://security.cms.gov/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCMS FISMA Continuous Tracking System (CFACTS)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-3 include: Senior Accountable Official for Risk Management or Risk Executive (Function), and Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.RA; ID.SC-2\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-4: Organizationally tailored control baselines and cybersecurity framework profiles (optional)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEstablish, document, and publish organizationally-tailored control baselines and cybersecurity framework profiles. This task is optional.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocumented security and privacy requirements directing the use of organizationally tailored control baselines, using federal cybersecurity guidelines and standards\u003c/li\u003e\u003cli\u003eMission or business objectives\u003c/li\u003e\u003cli\u003eEnterprise architecture\u003c/li\u003e\u003cli\u003eSecurity architecture\u003c/li\u003e\u003cli\u003ePrivacy architecture\u003c/li\u003e\u003cli\u003eCMS- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eList of common control providers and common controls available for inheritance\u003c/li\u003e\u003cli\u003eNIST Special Publication 800-53B control baselines\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eList of approved or directed organizationally-tailored control baselines that are specific to CMS's risk profile and operational needs\u003c/li\u003e\u003cli\u003eImplementation of 
NIST CSF Profiles that align with CMS's functions, categories, and subcategories of the business requirements, risk tolerance, and resources\u003cul\u003e\u003cli\u003eFor CMS-specific cybersecurity activities, these CSF profiles can describe:\u003cul\u003e\u003cli\u003eThe \u003cstrong\u003ecurrent state\u003c/strong\u003e: Profile indicates CMS cybersecurity outcomes that are currently being achieved\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003edesired target state\u003c/strong\u003e: Profile indicates the outcomes needed to achieve CMS cybersecurity risk management goals\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion: \u003c/strong\u003eCMS implements the Security \u0026amp; Privacy Planning taken from NIST 800-53 Rev5 and tailored to the CMS environment within the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eARS 5.1\u003c/a\u003e to define the CMS baseline of minimum information security and privacy assurance. 
These controls are based on governance documents and laws, regulations, and other authorities both internal to CMS and from external institutions.\u003c/p\u003e\u003cp\u003eCMS also implements the \u003ca href=\"https://security.cms.gov/learn/cms-security-and-privacy-handbooks\"\u003eSecurity and Privacy Handbooks\u003c/a\u003e that provide overall guidance on how to implement CMS policies and standards across many cybersecurity topics while considering CMS Mission and Business objectives.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-4 include the Mission or Business Owner (BO) and Senior Accountable Official for Risk Management or Risk Executive (Function).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-5: Common control identification\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIdentify, document, and publish CMS-wide common controls that can be inherited by organizational systems.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe CMS information system inventory, together with the current security and privacy controls and their implementation status, used to document each security and privacy requirement\u003c/li\u003e\u003cli\u003eExisting common control providers and associated security and privacy plans\u003c/li\u003e\u003cli\u003eInformation security and privacy program plans\u003c/li\u003e\u003cli\u003eOrganization- and system-level security and privacy risk assessment results\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eA list of common control providers and common controls available for CMS systems to inherit\u003c/li\u003e\u003cli\u003eSecurity and privacy plans (or equivalent documents) describing the common control implementation (including inputs, expected behavior, and expected 
outputs)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS incorporates controls derived from NIST 800-53 Rev5 and HHS IS2P control baselines into the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS) 5.1\u003c/a\u003e and makes them available for inheritance by CMS systems. These serve as a starting point for determining the appropriate controls and countermeasures necessary to protect CMS information systems.\u003c/p\u003e\u003cp\u003eThe CMS Common Control Provider is tasked with providing control inheritance and management of these common controls.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-5 include the Senior Agency Information Security Officer (SAISO), Senior Agency Official for Privacy (SAOP), and Common Control Provider.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-6: Impact-level prioritization (optional)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePrioritize CMS systems and assets based on their impact level, to aid in guiding resource allocation and risk management efforts.\u003c/p\u003e\u003cp\u003eThis task is optional.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity categorization information for CMS systems\u003c/li\u003e\u003cli\u003eSystem descriptions\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment and impact analyses\u003c/li\u003e\u003cli\u003eOrganization mission or business objectives\u003c/li\u003e\u003cli\u003eCybersecurity Framework Profiles\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS systems and assets prioritized by their impact level into low-, moderate-, and high-impact sub-categories\u003c/li\u003e\u003cli\u003eGuidelines for allocating resources based on the 
prioritization\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese outputs allow CMS to focus on protecting high-impact systems and assets critical to its mission, ensuring that the most significant risks are addressed first.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e Impact-level prioritization enforces Security categorization that describes the potential adverse impacts to CMS operations, assets, and individuals if CMS information and information systems are compromised through a loss of confidentiality, integrity, and/or availability (CIA).\u003c/p\u003e\u003cp\u003eCMS has synthesized and identified the information types that apply to CMS using NIST 800-60 volume 1 Rev 1 as a guide into nine (9) CMS information types.\u003c/p\u003e\u003cp\u003eCMS prioritizes systems that support its Mission Essential Functions (MEFs) and its Essential Supporting Activities (ESAs) while providing ARS 5.1 controls for all Low, Moderate, High and HVA systems. These priorities are based on the system's risk profile and vulnerability metrics, indicating a direct correlation with the task's goal of impact-level prioritization based on risk.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-6 include the Senior Accountable Official for Risk Management or Risk Executive (Function), and Mission or Business Owners.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.AM-5\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-7: Organization-wide continuous monitoring strategy\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDevelop and implement an organization-wide strategy for continuously monitoring control effectiveness.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eRisk management strategy and priorities\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eCMS 
security and privacy policies\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eA comprehensive continuous monitoring strategy that includes mechanisms for assessing control effectiveness, reporting on security and privacy posture, and responding to changes in risk\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS complies with the HHS Information Security Continuous Monitoring (ISCM) strategy and further defines the control assessment frequencies within the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eCMS maintains an ongoing awareness of information security, vulnerabilities, and threats to support its risk management decisions. This includes continuous visibility into the actions of users, applications, and devices through a centralized log data collection.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eBy implementing a robust continuous monitoring program, the\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM) Program\u003c/a\u003e\u0026nbsp;and\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003eSecurity Control Assessments\u003c/a\u003e\u0026nbsp;determine if a system's security and privacy controls are implemented correctly and operating effectively.\u003c/p\u003e\u003cp\u003eThe CDM provides automated scanning capabilities and risk analysis to strengthen the security posture of CMS FISMA systems on an ongoing basis. This lets CMS maintain situational awareness of its security and privacy posture, facilitating timely responses to emerging threats and vulnerabilities. 
CMS also uses asset inventories and \u003ca href=\"https://security.cms.gov/posts/avoid-database-breaches-ispgs-free-vulnerability-scanning-service\"\u003evulnerability management scanning\u003c/a\u003e to keep track of both the resources that employees use (e.g., laptops) and the applications and infrastructure they rely on, as part of its effort to enhance its continuous monitoring program.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-7 include the Senior Accountable Official for Risk Management or Risk Executive (Function), Chief Information Officer (CIO), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e DE.CM; ID.SC-4\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eSystem Level Prepare Tasks\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSystem level Prepare tasks also take into consideration mission or business process concerns.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-8: Risk mission or business focus\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIdentify the missions, business functions, and mission or business processes that the information system is intended to support. 
Ensure that they provide adequate support to CMS objectives.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS mission statement\u003c/li\u003e\u003cli\u003eCMS policies\u003c/li\u003e\u003cli\u003eMission or business process information\u003c/li\u003e\u003cli\u003eSystem stakeholder information\u003c/li\u003e\u003cli\u003eCybersecurity Framework Profiles\u003c/li\u003e\u003cli\u003eRequests for proposal (RFPs) or other acquisition documents\u003c/li\u003e\u003cli\u003eConcept of operations and any current or future operational requirements\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocumentation linking information systems to the various missions, business functions, and mission or business processes that the systems will support\u003c/li\u003e\u003cli\u003eEstablish a prioritized list of information systems requirements based on the systems mission and business importance\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion: \u003c/strong\u003eThe overall goal of Task P-8 is to ensure that CMS technology investments are directly tied to supporting its mission and business goals.\u003c/p\u003e\u003cp\u003eCMS has established and continues to support the development and maintenance of Business Continuity Plans and Disaster Recovery Plans for the protection of systems and components that are tied to its Essential Support Activities (ESAs), to ensure that CMS can perform Mission Essential Functions (MEFs).\u003c/p\u003e\u003cp\u003eFor example, the CMS \u003ca href=\"https://share.cms.gov/center/CMMI-BSG/COOP/SitePages/Home.aspx\"\u003eContinuity of Operations Plan (COOP)\u003c/a\u003e, Emergency Relocation Group (ERG) and Devolution Emergency Response Group (DERG) all ensure the continuation of CMS essential functions.\u003c/p\u003e\u003cp\u003eCMS systems are required to have 
an\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook\"\u003eInformation System Contingency Plan (ISCP)\u003c/a\u003e to protect CMS from potential risks and ensure the continuity of operations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCMS also requires that its Business Owners (BO) complete a \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook#what-is-a-business-impact-analysis-bia\"\u003eBusiness Impact Analysis (BIA)\u003c/a\u003e every two (2) years to document the business impact of any service to CMS missions, business functions, and mission or business processes.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-8 include the Mission or Business Owner and Information System Owner (ISO).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e Profile; Implementation Tiers; ID.BE\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-9: System stakeholders\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIdentify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system. 
This ensures that their needs are considered in the system's risk management process.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS mission statement\u003c/li\u003e\u003cli\u003eMission or business objectives\u003c/li\u003e\u003cli\u003eMissions, business functions, and mission or business processes that the system will support\u003c/li\u003e\u003cli\u003eOther mission or business process information\u003c/li\u003e\u003cli\u003eCMS security and privacy policies and procedures\u003c/li\u003e\u003cli\u003eCMS charts\u003c/li\u003e\u003cli\u003eInformation about individuals or groups (internal and external) that have an interest in and decision-making responsibility for the system. This includes stakeholder analysis or feedback from previous projects or operational activities\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eA comprehensive list of stakeholders for each system\u003c/li\u003e\u003cli\u003eA defined process of engagement and collaboration outlining how stakeholders will be involved in the system's risk management process\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eDiscussion:\u0026nbsp;\u003c/strong\u003eThe\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#roles-and-responsibilities\"\u003eCMS IS2P2 Roles and Responsibilities\u003c/a\u003e section provides descriptions for CMS personnel that are required to complete their records such as the\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e generated by\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e, the tool used at CMS for Governance, Risk, and Compliance 
(GRC).\u003cstrong\u003e\u0026nbsp;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCMS systems are encouraged to maintain a list of stakeholders within CFACTS including any interconnecting systems and their stakeholders under the Boundary tab in CFACTS as an effort to improve stakeholder engagement in managing and documenting the risk management process of their systems.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-9 include the System Owner (SO), Senior Agency Officials for Privacy (SAOP), Chief Information Officer (CIO), and others.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.AM; ID.BE\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-10: Asset identification\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIdentify assets that require protection such as assets associated with CMS information systems, including hardware, software, data, and personnel.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAn inventory of each information system's current assets\u003c/li\u003e\u003cli\u003eEach information systems operational requirements, based on the CMS missions, business functions, and mission or business processes that the system will support\u003c/li\u003e\u003cli\u003eBusiness impact analyses\u003c/li\u003e\u003cli\u003eInternal stakeholders\u003c/li\u003e\u003cli\u003eSystem stakeholder information\u003c/li\u003e\u003cli\u003eSystem information\u003c/li\u003e\u003cli\u003eInformation about other systems 
that interact with the system\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAn updated and comprehensive asset inventory for each system that requires protection\u003cul\u003e\u003cli\u003eThe assets in each inventory must be categorized based on their importance to CMS's mission and their level of sensitivity\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eDiscussion:\u0026nbsp;\u003c/strong\u003eThe CMS\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e program maintains an automated authorized hardware and software inventory, including FISMA tagging, mapping, and asset discovery as part of its Hardware Asset Management (HWAM) and Software Asset Management (SWAM).\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe program is implemented in four (4) phases to address:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWhat is on the network\u003c/li\u003e\u003cli\u003eWho is on the network\u003c/li\u003e\u003cli\u003eWhat is happening on the network\u003c/li\u003e\u003cli\u003eHow the data is protected\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS system assets are identified using data analytics in Tableau and then pushed to CFACTS.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-10 include the System Owner (SO) and Information System Security Officer (ISSO).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.AM\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca 
href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-11: Authorization boundary\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDetermine the authorization boundary of the information system. Clearly delineate the components that are included within the system's authorization scope. To standardize the approach to determine and define the authorization boundary, systems are encouraged to create a checklist or boundary diagram template for reporting systems or ISSOs.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem design documentation\u003c/li\u003e\u003cli\u003eNetwork diagrams\u003c/li\u003e\u003cli\u003eSystem stakeholder information\u003c/li\u003e\u003cli\u003eAsset information\u003c/li\u003e\u003cli\u003eNetwork and/or enterprise architecture diagrams that include the integration and dependency information for interconnected systems\u003c/li\u003e\u003cli\u003eCMS structure (charts, information)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocumented authorization boundary that includes diagrams or other visual representations of the system boundary. 
These effectively determine the scope of risk assessments and the extent of security and privacy controls.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS implements an \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA) program\u003c/a\u003e and a \u003ca href=\"https://security.cms.gov/learn/fedramp\"\u003eFederal Risk and Authorization Management Program (FedRAMP)\u003c/a\u003e that define the scope of a particular system that can be continuously managed and monitored.\u003c/p\u003e\u003cp\u003eThe OA program supports the FISMA authorization system boundary, which can include one or more cloud offerings.\u003c/p\u003e\u003cp\u003eThe FedRAMP authorization boundary is exclusively for cloud service offerings, and may include the full stack (infrastructure, platform, and software) or only parts of it.\u003c/p\u003e\u003cp\u003eAuthorization boundaries can be defined in the Boundary tab for each system within CFACTS.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-11 include the Authorizing Official (AO), System Owner, and Enterprise Architect.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-12: Information types\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIdentify the types of information to be processed, stored, and transmitted by the information system to determine the appropriate levels of protection.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential 
inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem design documentation\u003c/li\u003e\u003cli\u003eAssets to be protected\u003c/li\u003e\u003cli\u003eMission or business process information\u003c/li\u003e\u003cli\u003eData classification and categorization policies\u003c/li\u003e\u003cli\u003eConsideration of legal and regulatory requirements impacting data\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eA list of information types for the system categorized by the level of sensitivity and impact\u003c/li\u003e\u003cli\u003eDetailed documentation of the type and level of protection required for each information type, needed to comply with legal and regulatory requirements related to information protection\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS provides \u003ca href=\"https://security.cms.gov/posts/watch-and-learn-system-categorization-cfacts\"\u003esystem categorization in CFACTS\u003c/a\u003e guidance to help systems complete their FIPS 199 security categorization in CFACTS. The information types are categorized based on security and privacy considerations, determined by the CMS Policy team and documented in CFACTS.\u003c/p\u003e\u003cp\u003eThe CMS Office of Strategic Operations and Regulatory Affairs (OSORA) (email: \u003ca href=\"mailto:OSORA_Regs_Scheduling@cms.hhs.gov\"\u003eOSORA_Regs_Scheduling@cms.hhs.gov\u003c/a\u003e) and CMS Records Retention (email: \u003ca href=\"mailto:Records_Retention@cms.hhs.gov\"\u003eRecords_Retention@cms.hhs.gov\u003c/a\u003e) offer guidance on the protection and retention of all CMS data.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-12 include the System Owner (SO) and Information Owner or Steward, and the Senior Agency Official for Privacy 
(SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.AM-5\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-13: Information life cycle\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIdentify and understand all stages of the information life cycle, from creation to final disposition, for each information type processed, stored, or transmitted by the information system.\u003c/p\u003e\u003cp\u003eUnderstanding the importance of the information life cycle is vital for the design and evaluation of the information systems, because the controls for each stage of the information life cycle are linked to their respective CMS TLC phases.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eData management policies and procedures that align with CMS missions, business functions, and mission or business processes the system will support\u003c/li\u003e\u003cli\u003eSystem stakeholder information\u003c/li\u003e\u003cli\u003eAuthorization boundary information\u003c/li\u003e\u003cli\u003eInformation about other systems that interact with the system (e.g., information exchange/connection agreements)\u003c/li\u003e\u003cli\u003eSystem design documentation outlining data flows and storage\u003c/li\u003e\u003cli\u003eSystem element information\u003c/li\u003e\u003cli\u003eList of system information types\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify all security and 
privacy controls required at each stage of the information life cycle\u003c/li\u003e\u003cli\u003eDocument the stages through which information passes in the system, such as a data map or model illustrating how information is structured or is processed by the system throughout its life cycle\u003cul\u003e\u003cli\u003eSuch documentation includes data flow diagrams, entity relationship diagrams, database schemas, and data dictionaries\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e The \u003ca href=\"https://www.cms.gov/about-cms/leadership/office-strategic-operations-regulatory-affairs\"\u003eCMS Office of Strategic Operations and Regulatory Affairs (OSORA)\u003c/a\u003e provides guidance on the CMS systems information life cycle.\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cms-technical-reference-architecture-tra\"\u003eTechnical Reference Architecture (TRA)\u003c/a\u003e provides the authoritative technical architecture approach and technical reference standards that must be followed by all CMS systems. 
This approach helps in identifying potential vulnerabilities and in ensuring that data is protected appropriately at all stages.\u003c/p\u003e\u003cp\u003eUnderstanding the information life cycle is especially important for systems that handle sensitive or regulated data (such as PII), because it is the basis for ensuring compliance with data protection laws and policies at every stage, from creation to disposition.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-13 include the Senior Agency Official for Privacy (SAOP), the System Owner, and the Information Owner/Steward.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.AM-3; ID.AM-4\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-14: System-level risk assessment\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eConduct a system-level risk assessment to identify, prioritize, and document risks associated with the operation and use of the system. 
Update the results on an ongoing basis, including whenever the system, its environment of operation, or the available threat information changes.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAsset inventory that needs to be protected\u003c/li\u003e\u003cli\u003eMissions, business functions, and mission or business processes the system will support\u003c/li\u003e\u003cli\u003eBusiness impact analyses or criticality analyses\u003c/li\u003e\u003cli\u003eSystem stakeholder information\u003c/li\u003e\u003cli\u003eInformation about other systems that interact with the system\u003c/li\u003e\u003cli\u003eProvider information\u003c/li\u003e\u003cli\u003eThreat information\u003c/li\u003e\u003cli\u003eData map\u003c/li\u003e\u003cli\u003eSystem design documentation (system architecture)\u003c/li\u003e\u003cli\u003eCybersecurity Framework Profiles\u003c/li\u003e\u003cli\u003eRisk management strategy\u003c/li\u003e\u003cli\u003eOrganization-level risk assessment results\u003c/li\u003e\u003cli\u003eAny previous risk assessments or relevant security and privacy incident reports\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity and privacy risk assessment reports detailing identified risks, their likelihood, impact, and recommended mitigation strategies\u003c/li\u003e\u003cli\u003eAn established action plan to mitigate identified risks and weaknesses\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e \u003ca href=\"https://security.cms.gov/ispg/risk-management-and-reporting\"\u003eCMS Risk Management and Reporting\u003c/a\u003e provides information on potential security and privacy risks to CMS information and systems.\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/policy-guidance/cms-cyber-risk-management-plan-crmp\"\u003eCMS Cyber Risk Management Plan\u003c/a\u003e lays the foundation for modernizing CMS's approach to identifying and mitigating 
security and privacy risks associated with the operation of CMS FISMA systems.\u003c/p\u003e\u003cp\u003eCMS implements \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCSRAP\u003c/a\u003e, a security and risk assessment program for CMS FISMA systems that aligns with ISPG strategies and the strategic goal of risk-based program management.\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cms-information-system-risk-assessment-isra\"\u003eCMS ISRA\u003c/a\u003e documents the overall risk to a system and potential risk reduction strategies.\u003c/p\u003e\u003cp\u003eCMS documents the corrective actions needed to address system weaknesses, and the resources required to fix them, in a \u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e. A POA\u0026amp;M entry is required whenever an assessment or audit reveals a weakness in security or privacy controls, and it is tracked until the weakness is remediated.\u003c/p\u003e\u003cp\u003eRisk assessments at CMS are conducted and tracked within CFACTS, which is where this task is carried out at the system level.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-14 include the System Owner (SO) and System Security Officer (SSO) or System Privacy Officer (SPO).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.RA; ID.SC-2\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-15: Requirement definitions\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDefine the 
security and privacy requirements specific to the system and its environment of operation. Requirements should state what is needed to mitigate the risks identified in the system-level risk assessment (Task P-14) and to comply with CMS policies and federal regulations.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem design documentation\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eSet of stakeholder assets to be protected\u003c/li\u003e\u003cli\u003eMissions, business functions, and mission or business processes the system will support\u003c/li\u003e\u003cli\u003eBusiness impact analyses or criticality analyses\u003c/li\u003e\u003cli\u003eSystem stakeholder information\u003c/li\u003e\u003cli\u003eData map of the information life cycle for PII\u003c/li\u003e\u003cli\u003eCybersecurity Framework Profiles\u003c/li\u003e\u003cli\u003eInformation about other systems that interact with the system\u003c/li\u003e\u003cli\u003eSupply chain information\u003c/li\u003e\u003cli\u003eThreat information\u003c/li\u003e\u003cli\u003eLaws, executive orders, directives, regulations, or policies that apply to the system\u003c/li\u003e\u003cli\u003eRisk management strategy\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocumented security and privacy requirements for the system\u003c/li\u003e\u003cli\u003eA plan for implementing the necessary controls to meet these requirements\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS implements \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-12-security-privacy-planning-pl#security-privacy-planning-controls\"\u003eSecurity and Privacy Planning Controls\u003c/a\u003e to provide guidance on developing the \u003ca 
href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003eSSPP\u003c/a\u003e within CFACTS. The SSPP relates CMS security requirements, defined in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"\u003eCMS IS2P2\u003c/a\u003e, to a set of security controls and control enhancements outlined in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS ARS 5.1.\u003c/a\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/security-and-privacy-requirements-it-procurements#security-and-privacy-language-for-it-procurements\"\u003eCMS Security and Privacy Language for IT Procurements\u003c/a\u003e helps guide the CISO Team and procurement personnel to determine what kind of security and privacy requirements should be written into a contract before operating in a CMS environment.\u0026nbsp;\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-15 include the Mission or Business Owner (BO) and System Owner (SO) or Information Owner/Steward.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.GV; PR.IP\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-16: Enterprise Architecture\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDetermine the placement of the system within the enterprise architecture such that the system's architecture is aligned with CMS's enterprise architecture to support efficient and secure 
integration and operation within CMS's IT environment.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity and privacy requirements; organization- and system-level risk assessment results; enterprise architecture information; security architecture information; privacy architecture information; asset information.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdated enterprise architecture confirming the system's completion of alignment; updated security architecture; updated privacy architecture; plans to use cloud-based systems and shared systems, services, or applications for integration and optimization.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e The \u003ca href=\"https://security.cms.gov/learn/cms-technical-reference-architecture-tra\"\u003eCMS TRA\u003c/a\u003e provides the authoritative technical architecture approach and technical reference standards for all CMS information technology (IT) systems. 
It defines the infrastructure requirements needed to support and secure high-quality delivery of healthcare services to beneficiaries, providers, and business partners, including aligning CMS systems with the Federal Enterprise Architecture Framework (FEAF).\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-16 include the Enterprise Architect and Security or Privacy Architect.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-17: Requirements allocation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAllocate the defined security and privacy requirements to specific system components, processes, and the environment of operation to ensure comprehensive coverage across the system, and identify which requirements are satisfied by inherited common controls rather than implemented by the system itself.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eDocumented security and privacy requirements\u003c/li\u003e\u003cli\u003eList of common control providers and common controls available for inheritance\u003c/li\u003e\u003cli\u003eSystem description\u003c/li\u003e\u003cli\u003eSystem element information\u003c/li\u003e\u003cli\u003eSystem component inventory\u003c/li\u003e\u003cli\u003eRelevant laws, executive orders, directives, regulations, and policies\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eList of security and privacy requirements allocated to the system, its elements and components, and the environment of operation to 
ensure that all parts of the system contribute to the overall security and privacy posture\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS implements \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-15-system-services-acquisition#system-services-acquisition-controls\"\u003eSystem and Services Acquisition controls\u003c/a\u003e to determine information security and privacy requirements for the information system or information system service during mission or business process planning, and to document and allocate the resources required to protect the information system or information system service.\u003c/p\u003e\u003cp\u003eControls for each stage of the information life cycle are identified by their linked TLC phase, which is relevant for allocating security and privacy requirements to specific system components or processes.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-17 include the System Security Officer (SSO) or System Privacy Officer (SPO) and System Owner (SO).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.GV\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-18: System registration\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eRegister the information system within CMS's IT environment. 
This will formalize its status and ensure that it is recognized and managed as part of CMSs portfolio of information systems.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS policy on system registration\u003c/li\u003e\u003cli\u003eSystem information (system description, security and privacy requirements, architecture details)\u003c/li\u003e\u003cli\u003eInformation from previous tasks (for example, risk assessment reports, requirements documentation)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe system is registered in CMS's IT portfolio in accordance with CMS policies\u003c/li\u003e\u003cli\u003eDocumentation acknowledging the system's registration and outlining any conditions or requirements for operation and maintenance within CMS\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS implements a \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-12-security-privacy-planning-pl\"\u003eSecurity and Privacy Planning (PL) handbook\u003c/a\u003e that provides \u003ca href=\"https://security.cms.gov/learn/security-and-privacy-requirements-it-procurements\"\u003eprivacy and security requirements\u003c/a\u003e for use during the new \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e cycle for documenting system security compliance enforced by the CMS Chief Information Security Officer (CISO).\u003c/p\u003e\u003cp\u003eCMS also implements the \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc\"\u003eCMS TLC\u003c/a\u003e, a governance framework that provides overall guidance for developing and maintaining IT solutions through these four phases: Initiate, Develop, Operate, and Retire. 
The TLC is enforced by the CMS Office of Information Technology (OIT).\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://www.cms.gov/tra/Foundation/FD_0060_Foundation_TRB.htm\"\u003eCMS Technical Review Board (TRB)\u003c/a\u003e sets the system architecture and infrastructure requirements, described in the \u003ca href=\"https://security.cms.gov/learn/cms-technical-reference-architecture-tra\"\u003eTRA\u003c/a\u003e, that all CMS systems must comply with.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-18 include the System Owner (SO) and Chief Information Officer (CIO).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.GV\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"19:Tb93c,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is the Risk Management Framework (RMF)?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist\"\u003eThe National Institute of Standards and Technology (NIST)\u003c/a\u003e created the RMF to provide a structured, flexible process to manage risk throughout a system's life cycle. 
Using the RMF process helps CMS authorize and monitor our information systems and keep them safe.\u003c/p\u003e\u003cp\u003eThe RMF is made up of 7 steps:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003ePrepare\u003c/strong\u003e (this step)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-categorize-step\"\u003eCategorize\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-select-step\"\u003eSelect\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-implement-step\"\u003eImplement\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-assess-step\"\u003eAssess\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-authorize-step\"\u003eAuthorize\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step\"\u003eMonitor\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWhat is the Prepare Step?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Prepare step outlines the essential activities that all levels of CMS should carry out in order to manage its security and privacy risks.\u003c/p\u003e\u003cp\u003eCompleting the Prepare step will generate these outcomes for CMS:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify key risk management roles\u003c/li\u003e\u003cli\u003eEstablish risk management strategy\u003c/li\u003e\u003cli\u003eDetermine risk tolerance\u003c/li\u003e\u003cli\u003eComplete CMS-wide risk assessment\u003c/li\u003e\u003cli\u003eDevelop and implement CMS-wide strategy for continuous monitoring\u003c/li\u003e\u003cli\u003eIdentify common 
controls\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eOrganizational-level Prepare Tasks\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eOrganizational-level tasks are completed as part of the Information Security and Privacy Program managed by the Office of Information Technology (OIT).\u003c/p\u003e\u003cp\u003eIndividual systems do not need to complete these organizational-level tasks, but they are listed here for reference.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-1: Risk management roles\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe first Prepare task is to identify and assign individuals to specific roles associated with security and privacy risk management. Clearly defining roles and responsibilities provides a solid foundation for the entire risk management process, ensuring accountability and clear ownership throughout CMS.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDefined organizational security and privacy policies and procedures. Those help prepare CMS to manage its security and privacy risks using the RMF.\u003c/li\u003e\u003cli\u003eOrganizational charts to facilitate better communication between CMS senior leaders and executives, its mission and business process levels.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocumented Risk Management Framework role assignments. 
Individuals are identified and assigned key roles for executing the RMF.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e Task P-1 highlights the importance of having adequate resources and a defined governance structure in place to make it possible to create cost-effective and consistent risk management processes across CMS.\u003c/p\u003e\u003cp\u003eCMS has documented roles with risk management responsibilities in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#roles-and-responsibilities\"\u003eCMS IS2P2 for roles and responsibilities\u003c/a\u003e. This information was derived from the HHS IS2P, NIST guidance, and OMB policy requirements, then narrowed down to CMS-specific needs.\u003c/p\u003e\u003cp\u003eRoles with responsibilities tied to Task P-1 include the Head of the Agency, the Chief Information Officer (CIO), and the Senior Agency Information Security Officer (SAISO).\u003c/p\u003e\u003cp\u003eFor additional information on roles and responsibilities visit the \u003ca href=\"https://csrc.nist.gov/csrc/media/Projects/risk-management/documents/Additional%20Resources/NIST%20RMF%20Roles%20and%20Responsibilities%20Crosswalk.pdf\"\u003eNIST RMF roles and responsibilities crosswalk\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://www.cms.gov/about-cms/agency-information/cmsleadership/downloads/cms_organizational_chart.pdf\"\u003eCMS Organizational Chart (PDF),\u003c/a\u003e provides the CMS organizational structure, current roles and points of contacts.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.AM-6; ID.GV-2\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-2: Risk management strategy\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEstablish a risk management strategy for CMS that includes the organizational objectives and a determination of risk 
tolerance.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOrganizational mission statement that defines CMS's purpose, values, and objectives.\u003c/li\u003e\u003cli\u003eOrganizational policies and procedures that align with CMS's values and objectives.\u003c/li\u003e\u003cli\u003eOrganizational risk assumptions, constraints, priorities, and trade-offs that inform CMS's risk management strategy and guide its risk assessment, response, and monitoring activities.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eA defined risk management strategy describing how CMS will assess, respond to, and monitor risk\u003c/li\u003e\u003cli\u003eStatement of risk tolerance that covers information security and privacy risk (CMS's ability to handle different levels of risk), the risk impact, the tolerance level (what CMS is willing to accept), and the risk review schedule\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS uses the \u003ca href=\"https://security.cms.gov/ispg/risk-management-and-reporting\"\u003eCyber risk management and reporting strategy\u003c/a\u003e to help ISSOs, Business Owners, and other stakeholders identify and mitigate security and privacy risks to their FISMA systems.\u003c/p\u003e\u003cp\u003eOther supporting documents include:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#risk-management-and-compliance\"\u003eCMS IS2P2 Risk management and compliance section\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS) 5.1\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca 
href=\"https://security.cms.gov/policy-guidance/cms-cyber-risk-management-plan-crmp\"\u003eCMS Cyber Risk Management Plan (CRMP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/cms-information-system-risk-assessment-isra\"\u003eCMS Information System Risk Assessment (ISRA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCMS Cyber Security and Risk Assessment Program (CSRAP)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS has established an \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization program\u003c/a\u003e that monitors CMS FISMA systems to address real-time threats and allow you to make risk-based decisions.\u003c/p\u003e\u003cp\u003eThe CMS ARS provides \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars#security-and-privacy-controls\"\u003emandatory and supplemental controls\u003c/a\u003e, customizable by Business Owners, to meet mission or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance.\u003c/p\u003e\u003cp\u003eRoles with responsibilities tied to Task P-2 include the Head of the Agency and Risk Executive (Function).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.RM; ID.SC\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-3: Risk assessment—organization\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAssess security and privacy risks across CMS, and update the risk assessment results on an ongoing basis.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eRisk management strategy\u003c/li\u003e\u003cli\u003eMission or business objectives\u003c/li\u003e\u003cli\u003eCurrent threat information\u003c/li\u003e\u003cli\u003eSystem-level security and 
privacy risk assessment results\u003c/li\u003e\u003cli\u003eSupply chain risk assessment results\u003c/li\u003e\u003cli\u003ePrevious organization-level security and privacy risk assessment results\u003c/li\u003e\u003cli\u003eInformation sharing agreements or memoranda of understanding\u003c/li\u003e\u003cli\u003eSecurity and privacy information from continuous monitoring\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocumented risk assessment results that identify and prioritize the risks that could impact CMS operations, assets, and individuals\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS carries out security control assessments and vulnerability scanning to identify and report on CMS organizational risks. The \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCybersecurity Integration Center (CCIC)\u003c/a\u003e provides reporting metrics and risk analysis through \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e by ingesting scan logs and identifying risks using its Security Information and Event Management (SIEM) tool.\u003c/p\u003e\u003cp\u003eCMS manages its risk assessment process through the \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eYou can schedule assessments through the CMS CSRAP Confluence page. 
Select dates for the type of CSRAP assessment you require:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813098\"\u003eSecurity Assessment slots\u003c/a\u003e (login required)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813170\"\u003eRisk Assessment slots\u003c/a\u003e (login required)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eYou can schedule \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCSRAP\u003c/a\u003e/\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003eSCA\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing (PenTest)\u003c/a\u003e for both security \u0026amp; privacy assessments.\u003c/p\u003e\u003cp\u003eFor more information email the CSRAP team at \u003ca href=\"mailto:CSRAP@cms.hhs.gov\"\u003eCSRAP@cms.hhs.gov\u003c/a\u003e with your requested dates.\u003c/p\u003e\u003cp\u003eCMS also communicates in monthly \u003ca href=\"https://security.cms.gov/learn/cyber-risk-reports\"\u003eCyber Risk Reports\u003c/a\u003e. We use Tableau dashboards for snapshots of the overall health of CMS systems, including the \u003ca href=\"https://security.cms.gov/learn/cms-information-system-risk-assessment-isra\"\u003eCMS Information System Risk Assessment (ISRA)\u003c/a\u003e. 
Those are completed within the security category tab of the \u003ca href=\"https://security.cms.gov/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCMS FISMA Continuous Tracking System (CFACTS)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-3 include: Senior Accountable Official for Risk Management or Risk Executive (Function), and Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.RA; ID.SC-2\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-4: Organizationally tailored control baselines and cybersecurity framework profiles (optional)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEstablish, document, and publish organizationally-tailored control baselines and cybersecurity framework profiles. This task is optional.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocumented security and privacy requirements directing the use of organizationally tailored control baselines, using federal cybersecurity guidelines and standards\u003c/li\u003e\u003cli\u003eMission or business objectives\u003c/li\u003e\u003cli\u003eEnterprise architecture\u003c/li\u003e\u003cli\u003eSecurity architecture\u003c/li\u003e\u003cli\u003ePrivacy architecture\u003c/li\u003e\u003cli\u003eCMS- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eList of common control providers and common controls available for inheritance\u003c/li\u003e\u003cli\u003eNIST Special Publication 800-53B control baselines\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eList of approved or directed organizationally-tailored control baselines that are specific to CMS's risk profile and operational needs\u003c/li\u003e\u003cli\u003eImplementation of 
NIST CSF Profiles that align with CMS's functions, categories, and subcategories of the business requirements, risk tolerance, and resources\u003cul\u003e\u003cli\u003eFor CMS-specific cybersecurity activities, these CSF profiles can describe:\u003cul\u003e\u003cli\u003eThe \u003cstrong\u003ecurrent state\u003c/strong\u003e: Profile indicates CMS cybersecurity outcomes that are currently being achieved\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003edesired target state\u003c/strong\u003e: Profile indicates the outcomes needed to achieve CMS cybersecurity risk management goals\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion: \u003c/strong\u003eCMS implements the Security \u0026amp; Privacy Planning taken from NIST 800-53 Rev5 and tailored to the CMS environment within the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eARS 5.1\u003c/a\u003e to define the CMS baseline of minimum information security and privacy assurance. 
These controls are based on governance documents and laws, regulations, and other authorities both internal to CMS and from external institutions.\u003c/p\u003e\u003cp\u003eCMS also implements the \u003ca href=\"https://security.cms.gov/learn/cms-security-and-privacy-handbooks\"\u003eSecurity and Privacy Handbooks\u003c/a\u003e that provide overall guidance on how to implement CMS policies and standards across many cybersecurity topics while considering CMS Mission and Business objectives.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-4 include the Mission or Business Owner (BO) and Senior Accountable Official for Risk Management or Risk Executive (Function).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-5: Common control identification\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIdentify, document, and publish CMS-wide common controls that can be inherited by organizational systems.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eUtilize the CMS information system inventory, the current security and privacy controls and their implementation status to document each security and privacy requirement\u003c/li\u003e\u003cli\u003eExisting common control providers and associated security and privacy plans\u003c/li\u003e\u003cli\u003eInformation security and privacy program plans\u003c/li\u003e\u003cli\u003eOrganization- and system-level security and privacy risk assessment results\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eA list of common control providers and common controls available for CMS systems to inherit\u003c/li\u003e\u003cli\u003eSecurity and privacy plans (or equivalent documents) describing the common control implementation (including inputs, expected behavior, and expected 
outputs)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS provides controls derived from NIST 800-53 Rev5 and HHS IS2P control baselines in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS) 5.1\u003c/a\u003e and makes them available for inheritance by CMS systems. These serve as a starting point for determining the appropriate controls and countermeasures necessary to protect CMS information systems.\u003c/p\u003e\u003cp\u003eThe CMS Common Control Provider is tasked with providing control inheritance and management of these common controls.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-5 include the Senior Agency Information Security Officer (SAISO), Senior Agency Official for Privacy (SAOP), and Common Control Provider.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-6: Impact-level prioritization (optional)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePrioritize CMS systems and assets based on their impact level, to aid in guiding resource allocation and risk management efforts.\u003c/p\u003e\u003cp\u003eThis task is optional.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity categorization information for CMS systems\u003c/li\u003e\u003cli\u003eSystem descriptions\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment and impact analyses\u003c/li\u003e\u003cli\u003eOrganization mission or business objectives\u003c/li\u003e\u003cli\u003eCybersecurity Framework Profiles\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS systems and assets prioritized by their impact level into low-, moderate-, and high-impact sub-categories\u003c/li\u003e\u003cli\u003eGuidelines for allocating resources based on the 
prioritization\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese outputs allow CMS to focus on protecting high-impact systems and assets critical to its mission, ensuring that the most significant risks are addressed first.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e Impact-level prioritization enforces Security categorization that describes the potential adverse impacts to CMS operations, assets, and individuals if CMS information and information systems are compromised through a loss of confidentiality, integrity, and/or availability (CIA).\u003c/p\u003e\u003cp\u003eCMS has synthesized and identified the information types that apply to CMS using NIST 800-60 volume 1 Rev 1 as a guide into nine (9) CMS information types.\u003c/p\u003e\u003cp\u003eCMS prioritizes systems that support its Mission Essential Functions (MEFs) and its Essential Supporting Activities (ESAs) while providing ARS 5.1 controls for all Low, Moderate, High and HVA systems. These priorities are based on the system's risk profile and vulnerability metrics, indicating a direct correlation with the task's goal of impact-level prioritization based on risk.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-6 include the Senior Accountable Official for Risk Management or Risk Executive (Function), and Mission or Business Owners.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.AM-5\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-7: Organization-wide continuous monitoring strategy\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDevelop and implement an organization-wide strategy for continuously monitoring control effectiveness.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eRisk management strategy and priorities\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eCMS 
security and privacy policies\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eA comprehensive continuous monitoring strategy that includes mechanisms for assessing control effectiveness, reporting on security and privacy posture, and responding to changes in risk\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS complies with the HHS Information Security Continuous Monitoring (ISCM) strategy and further defines the control assessment frequencies within the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eCMS maintains an ongoing awareness of information security, vulnerabilities, and threats to support its risk management decisions. This includes continuous visibility into the actions of users, applications, and devices through a centralized log data collection.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eBy implementing a robust continuous monitoring program, the\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM) Program\u003c/a\u003e\u0026nbsp;and\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003eSecurity Control Assessments\u003c/a\u003e\u0026nbsp;determine if a system's security and privacy controls are implemented correctly and operating effectively.\u003c/p\u003e\u003cp\u003eThe CDM provides automated scanning capabilities and risk analysis to strengthen the security posture of CMS FISMA systems on an ongoing basis. This lets CMS maintain situational awareness of its security and privacy posture, facilitating timely responses to emerging threats and vulnerabilities. 
CMS also uses asset inventories and \u003ca href=\"https://security.cms.gov/posts/avoid-database-breaches-ispgs-free-vulnerability-scanning-service\"\u003evulnerability management scanning\u003c/a\u003e to track both the resources that employees use (e.g., laptops) and the applications and infrastructure they rely on, as part of its effort to enhance its continuous monitoring program.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-7 include the Senior Accountable Official for Risk Management or Risk Executive (Function), Chief Information Officer (CIO), Senior Agency Information Security Officer (SAISO), and Senior Agency Official for Privacy (SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e DE.CM; ID.SC-4\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eSystem Level Prepare Tasks\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSystem level Prepare tasks also take into consideration mission or business process concerns.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTask P-8: Risk mission or business focus\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIdentify the missions, business functions, and mission or business processes that the information system is intended to support. 
Ensure that they provide adequate support to CMS objectives.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS mission statement\u003c/li\u003e\u003cli\u003eCMS policies\u003c/li\u003e\u003cli\u003eMission or business process information\u003c/li\u003e\u003cli\u003eSystem stakeholder information\u003c/li\u003e\u003cli\u003eCybersecurity Framework Profiles\u003c/li\u003e\u003cli\u003eRequests for proposal (RFPs) or other acquisition documents\u003c/li\u003e\u003cli\u003eConcept of operations and any current or future operational requirements\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocumentation linking information systems to the various missions, business functions, and mission or business processes that the systems will support\u003c/li\u003e\u003cli\u003eEstablish a prioritized list of information systems requirements based on the systems mission and business importance\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion: \u003c/strong\u003eThe overall goal of Task P-8 is to ensure that CMS technology investments are directly tied to supporting its mission and business goals.\u003c/p\u003e\u003cp\u003eCMS has established and continues to support the development and maintenance of Business Continuity Plans and Disaster Recovery Plans for the protection of systems and components that are tied to its Essential Support Activities (ESAs), to ensure that CMS can perform Mission Essential Functions (MEFs).\u003c/p\u003e\u003cp\u003eFor example, the CMS \u003ca href=\"https://share.cms.gov/center/CMMI-BSG/COOP/SitePages/Home.aspx\"\u003eContinuity of Operations Plan (COOP)\u003c/a\u003e, Emergency Relocation Group (ERG) and Devolution Emergency Response Group (DERG) all ensure the continuation of CMS essential functions.\u003c/p\u003e\u003cp\u003eCMS systems are required to have 
an\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook\"\u003eInformation System Contingency Plan (ISCP)\u003c/a\u003e to protect CMS from potential risks and ensure the continuity of operations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCMS also requires that its Business Owners (BO) complete a \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-contingency-plan-iscp-handbook#what-is-a-business-impact-analysis-bia\"\u003eBusiness Impact Analysis (BIA)\u003c/a\u003e every two (2) years to document the business impact of any service to CMS missions, business functions, and mission or business processes.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-8 include the Mission or Business Owner and Information System Owner (ISO).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e Profile; Implementation Tiers; ID.BE\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-9: System stakeholders\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIdentify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system. 
This ensures that their needs are considered in the system's risk management process.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS mission statement\u003c/li\u003e\u003cli\u003eMission or business objectives\u003c/li\u003e\u003cli\u003eMissions, business functions, and mission or business processes that the system will support\u003c/li\u003e\u003cli\u003eOther mission or business process information\u003c/li\u003e\u003cli\u003eCMS security and privacy policies and procedures\u003c/li\u003e\u003cli\u003eCMS charts\u003c/li\u003e\u003cli\u003eInformation about individuals or groups (internal and external) that have an interest in and decision-making responsibility for the system. This includes stakeholder analysis or feedback from previous projects or operational activities\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eA comprehensive list of stakeholders for each system\u003c/li\u003e\u003cli\u003eA defined process of engagement and collaboration outlining how stakeholders will be involved in the system's risk management process\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eDiscussion:\u0026nbsp;\u003c/strong\u003eThe\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2#roles-and-responsibilities\"\u003eCMS IS2P2 Roles and Responsibilities\u003c/a\u003e section provides descriptions for CMS personnel that are required to complete their records such as the\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e generated by\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e, the tool used at CMS for Governance, Risk, and Compliance 
(GRC).\u003c/p\u003e\u003cp\u003eCMS systems are encouraged to maintain a list of stakeholders under the Boundary tab in CFACTS, including any interconnecting systems and their stakeholders, to improve stakeholder engagement in managing and documenting the risk management process of their systems.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-9 include the System Owner (SO), Senior Agency Official for Privacy (SAOP), Chief Information Officer (CIO), and others.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.AM; ID.BE\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-10: Asset identification\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIdentify assets that require protection, such as assets associated with CMS information systems, including hardware, software, data, and personnel.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAn inventory of each information system's current assets\u003c/li\u003e\u003cli\u003eEach information system's operational requirements, based on the CMS missions, business functions, and mission or business processes that the system will support\u003c/li\u003e\u003cli\u003eBusiness impact analyses\u003c/li\u003e\u003cli\u003eInternal stakeholders\u003c/li\u003e\u003cli\u003eSystem stakeholder information\u003c/li\u003e\u003cli\u003eSystem information\u003c/li\u003e\u003cli\u003eInformation about other systems 
that interact with the system\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAn updated and comprehensive asset inventory for each system that requires protection\u003cul\u003e\u003cli\u003eThe assets in each inventory must be categorized based on their importance to CMS's mission and their level of sensitivity\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eDiscussion:\u0026nbsp;\u003c/strong\u003eThe CMS\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e program maintains an automated authorized hardware and software inventory, including FISMA tagging, mapping, and asset discovery as part of its Hardware Asset Management (HWAM) and Software Asset Management (SWAM).\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe program is implemented in four (4) phases to address:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWhat is on the network\u003c/li\u003e\u003cli\u003eWho is on the network\u003c/li\u003e\u003cli\u003eWhat is happening on the network\u003c/li\u003e\u003cli\u003eHow the data is protected\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS system assets are identified using data analytics in Tableau and then pushed to CFACTS.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-10 include the System Owner (SO) and Information System Security Officer (ISSO).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.AM\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca 
href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-11: Authorization boundary\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDetermine the authorization boundary of the information system. Clearly delineate the components that are included within the system's authorization scope. To standardize the approach to determine and define the authorization boundary, systems are encouraged to create a checklist or boundary diagram template for reporting systems or ISSOs.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem design documentation\u003c/li\u003e\u003cli\u003eNetwork diagrams\u003c/li\u003e\u003cli\u003eSystem stakeholder information\u003c/li\u003e\u003cli\u003eAsset information\u003c/li\u003e\u003cli\u003eNetwork and/or enterprise architecture diagrams that include the integration and dependency information for interconnected systems\u003c/li\u003e\u003cli\u003eCMS structure (charts, information)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocumented authorization boundary that includes diagrams or other visual representations of the system boundary. 
This documentation determines the scope of risk assessments and the extent of security and privacy controls.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS implements an \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA) program\u003c/a\u003e and a \u003ca href=\"https://security.cms.gov/learn/fedramp\"\u003eFederal Risk and Authorization Management Program (FedRAMP)\u003c/a\u003e that define the scope of a particular system that can be continuously managed and monitored.\u003c/p\u003e\u003cp\u003eThe OA program supports the FISMA authorization system boundary, which can include one or more cloud offerings.\u003c/p\u003e\u003cp\u003eThe FedRAMP authorization boundary is exclusively for cloud service offerings, and may include the full stack (infrastructure, platform, and software) or only parts of it.\u003c/p\u003e\u003cp\u003eThe authorization boundary for each system is defined in the Boundary tab within CFACTS.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-11 include the Authorizing Official (AO), System Owner, and Enterprise Architect.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-12: Information types\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIdentify the types of information to be processed, stored, and transmitted by the information system to determine the appropriate levels of protection.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential 
inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem design documentation\u003c/li\u003e\u003cli\u003eAssets to be protected\u003c/li\u003e\u003cli\u003eMission or business process information\u003c/li\u003e\u003cli\u003eData classification and categorization policies\u003c/li\u003e\u003cli\u003eConsideration of legal and regulatory requirements impacting data\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eA list of information types for the system categorized by the level of sensitivity and impact\u003c/li\u003e\u003cli\u003eDetailed documentation of the type and level of protection required for each information type needed to comply with legal and regulatory requirements related to information protection\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS provides \u003ca href=\"https://security.cms.gov/posts/watch-and-learn-system-categorization-cfacts\"\u003esystem categorization in CFACTS\u003c/a\u003e guidance to help systems complete their FIPS 199 security categorization in CFACTS. The information types are categorized based on security and privacy considerations, determined by the CMS Policy team and documented in CFACTS.\u003c/p\u003e\u003cp\u003eThe CMS Office of Strategic Operations and Regulatory Affairs (OSORA) (email: \u003ca href=\"mailto:OSORA_Regs_Scheduling@cms.hhs.gov\"\u003eOSORA_Regs_Scheduling@cms.hhs.gov\u003c/a\u003e) and the CMS Records Retention (email: \u003ca href=\"mailto:Records_Retention@cms.hhs.gov\"\u003eRecords_Retention@cms.hhs.gov\u003c/a\u003e) offer guidance on protection and retention of all CMS data.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-12 include the System Owner (SO) and Information Owner or Steward, and the Senior Agency Official for Privacy 
(SAOP).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.AM-5\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-13: Information life cycle\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIdentify and understand all stages of the information life cycle, from creation to final disposition, for each information type processed, stored, or transmitted by the information system.\u003c/p\u003e\u003cp\u003eUnderstanding the importance of the information life cycle is vital for the design and evaluation of the information systems, because the controls for each stage of the information life cycle are linked to their respective CMS TLC phases.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eData management policies and procedures that align with CMS missions, business functions, and mission or business processes the system will support\u003c/li\u003e\u003cli\u003eSystem stakeholder information\u003c/li\u003e\u003cli\u003eAuthorization boundary information\u003c/li\u003e\u003cli\u003eInformation about other systems that interact with the system (e.g., information exchange/connection agreements)\u003c/li\u003e\u003cli\u003eSystem design documentation outlining data flows and storage\u003c/li\u003e\u003cli\u003eSystem element information\u003c/li\u003e\u003cli\u003eList of system information types\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify all security and 
privacy controls required at each stage of the information life cycle\u003c/li\u003e\u003cli\u003eDocument the stages through which information passes in the system, such as a data map or model illustrating how information is structured or is processed by the system throughout its life cycle\u003cul\u003e\u003cli\u003eSuch documentation includes data flow diagrams, entity relationship diagrams, database schemas, and data dictionaries\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e The \u003ca href=\"https://www.cms.gov/about-cms/leadership/office-strategic-operations-regulatory-affairs\"\u003eCMS Office of Strategic Operations and Regulatory Affairs (OSORA)\u003c/a\u003e provides guidance on the CMS systems information life cycle.\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cms-technical-reference-architecture-tra\"\u003eTechnical Reference Architecture (TRA)\u003c/a\u003e provides the authoritative technical architecture approach and technical reference standards that must be followed by all CMS systems. 
This approach helps in identifying potential vulnerabilities and in ensuring that data is protected appropriately at all stages.\u003c/p\u003e\u003cp\u003eThe information life cycle task is vital for systems handling sensitive or regulated data, ensuring compliance with data protection laws and policies.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-13 include the Senior Agency Official for Privacy (SAOP) and System Owner, and the Information Owner/Steward.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.AM-3; ID.AM-4\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-14: System-level risk assessment\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eConduct a system-level risk assessment to identify, prioritize, and document risks associated with the operation and use of the system. 
Update the results on an ongoing basis.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAsset inventory that needs to be protected\u003c/li\u003e\u003cli\u003eMissions, business functions, and mission or business processes the system will support\u003c/li\u003e\u003cli\u003eBusiness impact analyses or criticality analyses\u003c/li\u003e\u003cli\u003eSystem stakeholder information\u003c/li\u003e\u003cli\u003eInformation about other systems that interact with the system\u003c/li\u003e\u003cli\u003eProvider information\u003c/li\u003e\u003cli\u003eThreat information\u003c/li\u003e\u003cli\u003eData map\u003c/li\u003e\u003cli\u003eSystem design documentation (system architecture)\u003c/li\u003e\u003cli\u003eCybersecurity Framework Profiles\u003c/li\u003e\u003cli\u003eRisk management strategy\u003c/li\u003e\u003cli\u003eOrganization-level risk assessment results\u003c/li\u003e\u003cli\u003eAny previous risk assessments or relevant security and privacy incident reports\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity and privacy risk assessment reports detailing identified risks, their likelihood, impact, and recommended mitigation strategies\u003c/li\u003e\u003cli\u003eAn established action plan to mitigate identified risks and weaknesses\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e \u003ca href=\"https://security.cms.gov/ispg/risk-management-and-reporting\"\u003eCMS Risk Management and Reporting\u003c/a\u003e provides information on any potential security and privacy risks to CMS information and systems.\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/policy-guidance/cms-cyber-risk-management-plan-crmp\"\u003eCMS Cyber Risk Management Plan\u003c/a\u003e lays the foundation for modernizing the CMS approach to identifying and mitigating 
security and privacy risks associated with the operation of CMS FISMA systems.\u003c/p\u003e\u003cp\u003eCMS implements \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCSRAP\u003c/a\u003e, a security and risk assessment program for CMS FISMA systems that aligns with ISPG strategies and the strategic goal of risk-based program management.\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cms-information-system-risk-assessment-isra\"\u003eCMS ISRA\u003c/a\u003e documents the overall risk to a system and potential risk reduction strategies.\u003c/p\u003e\u003cp\u003eCMS has established a corrective action plan roadmap to address system weaknesses and the resources required to fix them in a \u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e that is required whenever audits reveal an area of weakness in security controls.\u003c/p\u003e\u003cp\u003eRisk assessments at CMS are conducted and tracked within CFACTS, showcasing a direct application of this task at the system level.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-14 include the System Owner (SO) and System Security Officer (SSO) or System Privacy Officer (SPO).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.RA; ID.SC-2\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-15: Requirement definitions\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDefine the 
security and privacy requirements specific to the system and its environment of operation. Requirements should state what is needed to mitigate identified risks and to comply with CMS policies and federal regulations.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem design documentation\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eSet of stakeholder assets to be protected\u003c/li\u003e\u003cli\u003eMissions, business functions, and mission or business processes the system will support\u003c/li\u003e\u003cli\u003eBusiness impact analyses or criticality analyses\u003c/li\u003e\u003cli\u003eSystem stakeholder information\u003c/li\u003e\u003cli\u003eData map of the information life cycle for PII\u003c/li\u003e\u003cli\u003eCybersecurity Framework Profiles\u003c/li\u003e\u003cli\u003eInformation about other systems that interact with the system\u003c/li\u003e\u003cli\u003eSupply chain information\u003c/li\u003e\u003cli\u003eThreat information\u003c/li\u003e\u003cli\u003eLaws, executive orders, directives, regulations, or policies that apply to the system\u003c/li\u003e\u003cli\u003eRisk management strategy\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocumented security and privacy requirements for the system\u003c/li\u003e\u003cli\u003eA plan for implementing the necessary controls to meet these requirements\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS implements \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-12-security-privacy-planning-pl#security-privacy-planning-controls\"\u003eSecurity and Privacy Planning Controls\u003c/a\u003e to provide guidance on developing the \u003ca 
href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003eSSPP\u003c/a\u003e within CFACTS. The SSPP relates CMS security requirements, defined in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"\u003eCMS IS2P2\u003c/a\u003e, to a set of security controls and control enhancements outlined in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS ARS 5.1\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe \u003ca href=\"https://security.cms.gov/learn/security-and-privacy-requirements-it-procurements#security-and-privacy-language-for-it-procurements\"\u003eCMS Security and Privacy Language for IT Procurements\u003c/a\u003e helps the CISO Team and procurement personnel determine which security and privacy requirements must be written into a contract before a contracted system or service operates in a CMS environment.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-15 include the Mission or Business Owner (BO) and System Owner (SO) or Information Owner/Steward.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.GV; PR.IP\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-16: Enterprise architecture\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDetermine the placement of the system within the enterprise architecture such that the system's architecture is aligned with CMS's enterprise architecture to support efficient and secure 
integration and operation within CMS's IT environment.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity and privacy requirements\u003c/li\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eEnterprise architecture information\u003c/li\u003e\u003cli\u003eSecurity architecture information\u003c/li\u003e\u003cli\u003ePrivacy architecture information\u003c/li\u003e\u003cli\u003eAsset information\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdated enterprise architecture confirming the system's alignment\u003c/li\u003e\u003cli\u003eUpdated security architecture\u003c/li\u003e\u003cli\u003eUpdated privacy architecture\u003c/li\u003e\u003cli\u003ePlans to use cloud-based systems and shared systems, services, or applications for integration and optimization\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e The \u003ca href=\"https://security.cms.gov/learn/cms-technical-reference-architecture-tra\"\u003eCMS TRA\u003c/a\u003e provides the authoritative technical architecture approach and technical reference standards for all CMS information technology (IT) systems. 
It defines the infrastructure requirements needed to support and secure high-quality delivery of healthcare services to beneficiaries, providers, and business partners, including aligning CMS systems with the Federal Enterprise Architecture Framework (FEAF).\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-16 include the Enterprise Architect and Security or Privacy Architect.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-17: Requirements allocation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAllocate the defined security and privacy requirements to specific system components, processes, and environments of operation to ensure comprehensive coverage across the system.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOrganization- and system-level risk assessment results\u003c/li\u003e\u003cli\u003eDocumented security and privacy requirements\u003c/li\u003e\u003cli\u003eList of common control providers and common controls available for inheritance\u003c/li\u003e\u003cli\u003eSystem description\u003c/li\u003e\u003cli\u003eSystem element information\u003c/li\u003e\u003cli\u003eSystem component inventory\u003c/li\u003e\u003cli\u003eRelevant laws, executive orders, directives, regulations, and policies\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eList of security and privacy requirements allocated to the system, its elements and components, and the environment of operation to 
ensure that all parts of the system contribute to the overall security and privacy posture\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS implements \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-15-system-services-acquisition#system-services-acquisition-controls\"\u003eSystem and Services Acquisition controls\u003c/a\u003e to determine the information security and privacy requirements for the information system or information system service during mission or business process planning, and to document and allocate the resources required to protect that system or service.\u003c/p\u003e\u003cp\u003eControls for each stage of the information lifecycle are identified by their linked TLC phase, which helps allocate security and privacy requirements to specific system components or processes.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-17 include the System Security Officer (SSO) or System Privacy Officer (SPO) and System Owner (SO).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.GV\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTask P-18: System registration\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eRegister the information system within CMS's IT environment. 
This will formalize its status and ensure that it is recognized and managed as part of CMS's portfolio of information systems.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePotential inputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS policy on system registration\u003c/li\u003e\u003cli\u003eSystem information (system description, security and privacy requirements, architecture details)\u003c/li\u003e\u003cli\u003eInformation from previous tasks (for example, risk assessment reports, requirements documentation)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eExpected outputs\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe system is registered in CMS's IT portfolio in accordance with CMS policies\u003c/li\u003e\u003cli\u003eDocumentation acknowledging the system's registration and outlining any conditions or requirements for operation and maintenance within CMS\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDiscussion:\u003c/strong\u003e CMS implements a \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-12-security-privacy-planning-pl\"\u003eSecurity and Privacy Planning (PL) handbook\u003c/a\u003e that provides \u003ca href=\"https://security.cms.gov/learn/security-and-privacy-requirements-it-procurements\"\u003eprivacy and security requirements\u003c/a\u003e for use during a new \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e cycle, in which system security compliance is documented and enforced by the CMS Chief Information Security Officer (CISO).\u003c/p\u003e\u003cp\u003eCMS also implements the \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc\"\u003eCMS TLC\u003c/a\u003e, a governance framework that provides overall guidance for developing and maintaining IT solutions through these four phases: Initiate, Develop, Operate, and Retire. 
The TLC is enforced by the CMS Office of Information Technology (OIT).\u003c/p\u003e\u003cp\u003eThe \u003ca href=\"https://www.cms.gov/tra/Foundation/FD_0060_Foundation_TRB.htm\"\u003eCMS Technical Review Board (TRB)\u003c/a\u003e provides the system architecture and infrastructure requirements with which all CMS systems must comply, as described in the \u003ca href=\"https://security.cms.gov/learn/cms-technical-reference-architecture-tra\"\u003eTRA\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eSome of the roles with responsibilities tied to Task P-18 include the System Owner (SO) and Chief Information Officer (CIO).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Framework:\u003c/strong\u003e ID.GV\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTLC Cycle Phase:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNew: \u003ca href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/initiate\"\u003eInitiate\u003c/a\u003e\u003c/li\u003e\u003cli\u003eExisting: \u003ca 
href=\"https://www.cms.gov/data-research/cms-information-technology/tlc/operate\"\u003eOperate\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}\n1b:{\"self\":\"$1c\"}\n1f:[\"menu_ui\",\"scheduler\"]\n1e:{\"module\":\"$1f\"}\n22:[]\n21:{\"available_menus\":\"$22\",\"parent\":\"\"}\n23:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n20:{\"menu_ui\":\"$21\",\"scheduler\":\"$23\"}\n1d:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$1e\",\"third_party_settings\":\"$20\",\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1a:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":\"$1b\",\"attributes\":\"$1d\"}\n26:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}\n25:{\"self\":\"$26\"}\n27:{\"display_name\":\"jcallan - 
retired\"}\n24:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":\"$25\",\"attributes\":\"$27\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}\n29:{\"self\":\"$2a\"}\n2c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n2b:{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$2c\"}\n30:{\"drupal_internal__target_id\":\"resource_type\"}\n2f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$30\"}\n32:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/res"])</script><script>self.__next_f.push([1,"ource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"}\n33:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}\n31:{\"related\":\"$32\",\"self\":\"$33\"}\n2e:{\"data\":\"$2f\",\"links\":\"$31\"}\n36:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"}\n37:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}\n35:{\"related\":\"$36\",\"self\":\"$37\"}\n34:{\"data\":null,\"links\":\"$35\"}\n3e:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n3d:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$3e\"}\n3c:{\"help\":\"$3d\"}\n3b:{\"links\":\"$3c\"}\n3a:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$3b\"}\n39:[\"$3a\"]\n40:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"}\n41:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}\n3f:{\"related\":\"$40\",\"self\":\"$41\"}\n38:{\"data\":\"$39\",\"links\":\"$3f\"}\n2d:{\"vid\":\"$2e\",\"revision_user\":\"$34\",\"parent\":\"$38\"}\n28:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":\"$29\",\"attributes\":\"$2b\",\"relationships\":\"$2d\"}\n44:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n43:{\"self\":\"$44\"}\n46:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n45:{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$46\"}\n4a:{\"dru"])</script><script>self.__next_f.push([1,"pal_internal__target_id\":\"roles\"}\n49:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$4a\"}\n4c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n4d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n4b:{\"related\":\"$4c\",\"self\":\"$4d\"}\n48:{\"data\":\"$49\",\"links\":\"$4b\"}\n50:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n51:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n4f:{\"related\":\"$50\",\"self\":\"$51\"}\n4e:{\"data\":null,\"links\":\"$4f\"}\n58:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n57:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$58\"}\n56:{\"help\":\"$57\"}\n55:{\"links\":\"$56\"}\n54:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$55\"}\n53:[\"$54\"]\n5a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n5b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n59:{\"related\":\"$5a\",\"self\":\"$5b\"}\n52:{\"data\":\"$53\",\"links\":\"$59\"}\n47:{\"vid\":\"$48\",\"revision_user\":\"$4e\",\"parent\":\"$52\"}\n42:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$43\",\"attributes\":\"$45\",\"relationships\":\"$47\"}\n5e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n5d:{\"self\":\"$5e\"}\n60:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n5f:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Offi"])</script><script>self.__next_f.push([1,"cer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$60\"}\n64:{\"drupal_internal__target_id\":\"roles\"}\n63:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$64\"}\n66:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n67:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n65:{\"related\":\"$66\",\"self\":\"$67\"}\n62:{\"data\":\"$63\",\"links\":\"$65\"}\n6a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n6b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n69:{\"related\":\"$6a\",\"self\":\"$6b\"}\n68:{\"data\":null,\"links\":\"$69\"}\n72:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n71:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$72\"}\n70:{\"help\":\"$71\"}\n6f:{\"links\":\"$70\"}\n6e:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$6f\"}\n6d:[\"$6e\"]\n74:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n75:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n73:{\"related\":\"$74\",\"self\":\"$75\"}\n6c:{\"data\":\"$6d\",\"links\":\"$73\"}\n61:{\"vid\":\"$62\",\"revision_user\":\"$68\",\"parent\":\"$6c\"}\n5c:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$5d\",\"attributes\":\"$5f\",\"relationships\":\"$61\"}\n78:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n77:{\"self\":\"$78\"}\n7a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n79:{\"drupal_intern"])</script><script>self.__next_f.push([1,"al__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$7a\"}\n7e:{\"drupal_internal__target_id\":\"roles\"}\n7d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$7e\"}\n80:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n81:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n7f:{\"related\":\"$80\",\"self\":\"$81\"}\n7c:{\"data\":\"$7d\",\"links\":\"$7f\"}\n84:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n85:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n83:{\"related\":\"$84\",\"self\":\"$85\"}\n82:{\"data\":null,\"links\":\"$83\"}\n8c:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n8b:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$8c\"}\n8a:{\"help\":\"$8b\"}\n89:{\"links\":\"$8a\"}\n88:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$89\"}\n87:[\"$88\"]\n8e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n8f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n8d:{\"related\":\"$8e\",\"self\":\"$8f\"}\n86:{\"data\":\"$87\",\"links\":\"$8d\"}\n7b:{\"vid\":\"$7c\",\"revision_user\":\"$82\",\"parent\":\"$86\"}\n76:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$77\",\"attributes\":\"$79\",\"relationships\":\"$7b\"}\n92:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/"])</script><script>self.__next_f.push([1,"feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\n91:{\"self\":\"$92\"}\n94:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n93:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System 
Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$94\"}\n98:{\"drupal_internal__target_id\":\"roles\"}\n97:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$98\"}\n9a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\n9b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\n99:{\"related\":\"$9a\",\"self\":\"$9b\"}\n96:{\"data\":\"$97\",\"links\":\"$99\"}\n9e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\n9f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\n9d:{\"related\":\"$9e\",\"self\":\"$9f\"}\n9c:{\"data\":null,\"links\":\"$9d\"}\na6:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\na5:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$a6\"}\na4:{\"help\":\"$a5\"}\na3:{\"links\":\"$a4\"}\na2:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$a3\"}\na1:[\"$a2\"]\na8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\na9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\na7:{\"related\":\"$a8\",\"self\":\"$a9\"}\na0:{\"data\":\"$a1\",\"links\":\"$a7\"}\n95:{\"vid\":\"$96\",\"revision_user\":\"$9c\",\"parent\":\"$a0\"}\n90:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2"])</script><script>self.__next_f.push([1,"da2c5056e\",\"links\":\"$91\",\"attributes\":\"$93\",\"relationships\":\"$95\"}\nac:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}\nab:{\"self\":\"$ac\"}\nae:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nad:{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 
Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$ae\"}\nb2:{\"drupal_internal__target_id\":\"topics\"}\nb1:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$b2\"}\nb4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"}\nb5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}\nb3:{\"related\":\"$b4\",\"self\":\"$b5\"}\nb0:{\"data\":\"$b1\",\"links\":\"$b3\"}\nb8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"}\nb9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}\nb7:{\"related\":\"$b8\",\"self\":\"$b9\"}\nb6:{\"data\":null,\"links\":\"$b7\"}\nc0:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nbf:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c0\"}\nbe:{\"help\":\"$bf\"}\nbd:{\"links\":\"$be\"}\nbc:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$bd\"}\nbb:[\"$bc\"]\nc2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"}\nc3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}\nc1:{\"related\":\"$c2\",\"self\":\"$c3\"}\nba"])</script><script>self.__next_f.push([1,":{\"data\":\"$bb\",\"links\":\"$c1\"}\naf:{\"vid\":\"$b0\",\"revision_user\":\"$b6\",\"parent\":\"$ba\"}\naa:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":\"$ab\",\"attributes\":\"$ad\",\"relationships\":\"$af\"}\nc6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}\nc5:{\"self\":\"$c6\"}\nc8:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nc7:{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 
Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$c8\"}\ncc:{\"drupal_internal__target_id\":\"topics\"}\ncb:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$cc\"}\nce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"}\ncf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}\ncd:{\"related\":\"$ce\",\"self\":\"$cf\"}\nca:{\"data\":\"$cb\",\"links\":\"$cd\"}\nd2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"}\nd3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}\nd1:{\"related\":\"$d2\",\"self\":\"$d3\"}\nd0:{\"data\":null,\"links\":\"$d1\"}\nda:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nd9:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$da\"}\nd8:{\"help\":\"$d9\"}\nd7:{\"links\":\"$d8\"}\nd6:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$d7\"}\nd5:[\"$d6\"]\ndc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"}\ndd:{\"href\":\"https://cybergeek"])</script><script>self.__next_f.push([1,".cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}\ndb:{\"related\":\"$dc\",\"self\":\"$dd\"}\nd4:{\"data\":\"$d5\",\"links\":\"$db\"}\nc9:{\"vid\":\"$ca\",\"revision_user\":\"$d0\",\"parent\":\"$d4\"}\nc4:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":\"$c5\",\"attributes\":\"$c7\",\"relationships\":\"$c9\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--library\",\"id\":\"e6cc18dc-1d66-4792-8a64-55d63ef3a2ac\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/e6cc18dc-1d66-4792-8a64-55d63ef3a2ac?resourceVersion=id%3A6021\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/e6cc18dc-1d66-4792-8a64-55d63ef3a2ac?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__nid\":1235,\"drupal_internal__vid\":6021,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-05T21:51:25+00:00\",\"status\":true,\"title\":\"CMS Risk Management Framework (RMF): Prepare 
Step\",\"created\":\"2024-12-05T21:25:51+00:00\",\"changed\":\"2024-12-05T21:51:25+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-risk-management-framework-rmf-prepare-step\",\"pid\":1298,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2024-12-05\",\"field_related_resources\":[{\"uri\":\"entity:node/1221\",\"title\":\"CMS Risk Management Framework (RMF)\",\"options\":[],\"url\":\"/learn/cms-risk-management-framework-rmf\"},{\"uri\":\"entity:node/381\",\"title\":\"National Institute of Standards and Technology (NIST)\",\"options\":[],\"url\":\"/learn/national-institute-standards-and-technology-nist\"}],\"field_short_description\":{\"value\":\"Outline the essential activities needed for CMS to manage its security and privacy risks\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eOutline the essential activities needed for CMS to manage its security and privacy 
risks\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/e6cc18dc-1d66-4792-8a64-55d63ef3a2ac/node_type?resourceVersion=id%3A6021\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/e6cc18dc-1d66-4792-8a64-55d63ef3a2ac/relationships/node_type?resourceVersion=id%3A6021\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/e6cc18dc-1d66-4792-8a64-55d63ef3a2ac/revision_uid?resourceVersion=id%3A6021\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/e6cc18dc-1d66-4792-8a64-55d63ef3a2ac/relationships/revision_uid?resourceVersion=id%3A6021\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/e6cc18dc-1d66-4792-8a64-55d63ef3a2ac/uid?resourceVersion=id%3A6021\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/e6cc18dc-1d66-4792-8a64-55d63ef3a2ac/relationships/uid?resourceVersion=id%3A6021\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/e6cc18dc-1d66-4792-8a64-55d63ef3a2ac/field_resource_type?resourceVersion=id%3A6021\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/e6cc18dc-1d66-4792-8a64-55d63ef3a2ac/relationships/field_resource_type?resourceVersion=id%3A6021\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_te
rm--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/e6cc18dc-1d66-4792-8a64-55d63ef3a2ac/field_roles?resourceVersion=id%3A6021\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/e6cc18dc-1d66-4792-8a64-55d63ef3a2ac/relationships/field_roles?resourceVersion=id%3A6021\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/e6cc18dc-1d66-4792-8a64-55d63ef3a2ac/field_topics?resourceVersion=id%3A6021\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/e6cc18dc-1d66-4792-8a64-55d63ef3a2ac/relationships/field_topics?resourceVersion=id%3A6021\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"pub
lish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}},\"attributes\":{\"display_name\":\"jcallan - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}},\"attributes\":{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}}},\"revision_user\":{\"data\":null,\"link
s\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"ht
tps://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"pa
rent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System 
Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}},\"attributes\":{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://ww
w.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}},\"attributes\":{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36
\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}}}}}],\"includedMap\":{\"ab4b0312-f678-40b9-ae06-79025f52ff43\":\"$1a\",\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\":\"$24\",\"e3394b9a-cbff-4bad-b68e-c6fad326132e\":\"$28\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$42\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$5c\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$76\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$90\",\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\":\"$aa\",\"65ef6410-4066-4db4-be03-c8eb26b63305\":\"$c4\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"CMS Risk Management Framework (RMF): Prepare Step | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Outline the essential activities needed for CMS to manage its security and privacy risks\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"CMS Risk Management Framework (RMF): Prepare Step | CMS Information Security \u0026 Privacy 
Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Outline the essential activities needed for CMS to manage its security and privacy risks\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"CMS Risk Management Framework (RMF): Prepare Step | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Outline the essential activities needed for CMS to manage its security and privacy risks\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>