<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>RMH Chapter 11: Physical & Environmental Protection | CMS Information Security & Privacy Group</title><meta name="description" content="RMH Chapter 11 provides 
information about the Physical and Environmental Protection (PE) control family that supports system lifecycles"/><link rel="canonical" href="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-11-physical-environmental-protection"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="RMH Chapter 11: Physical & Environmental Protection | CMS Information Security & Privacy Group"/><meta property="og:description" content="RMH Chapter 11 provides information about the Physical and Environmental Protection (PE) control family that supports system lifecycles"/><meta property="og:url" content="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-11-physical-environmental-protection"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-11-physical-environmental-protection/opengraph-image.jpg?a856d5522b751df7"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="RMH Chapter 11: Physical & Environmental Protection | CMS Information Security & Privacy Group"/><meta name="twitter:description" content="RMH Chapter 11 provides information about the Physical and Environmental Protection (PE) control family that supports system lifecycles"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-11-physical-environmental-protection/opengraph-image.jpg?a856d5522b751df7"/><link rel="icon" href="/favicon.ico" type="image/x-icon" 
sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=16&q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here's how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here's how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" 
alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you've safely connected to the .gov website. 
Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance & Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance & Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a 
class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments & Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif 
text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy & Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy & Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security 
Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul 
class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accountability Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button 
type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools & Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools & Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting & Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests & Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-library undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column 
tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">RMH Chapter 11: Physical & Environmental Protection</h1><p class="hero__description">RMH Chapter 11 provides information about the Physical and Environmental Protection (PE) control family that supports system lifecycles</p><p class="font-sans-2xs line-height-sans-5 margin-bottom-0">Last reviewed<!-- -->: <!-- -->3/23/2021</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8"><section class="resource-collection radius-md padding-y-2 padding-x-3 bg-base-lightest"><h1 class="resource-collection__header h3 margin-top-0 margin-bottom-2">Related Resources</h1><div class="grid-row grid-gap-4"><div class="tablet:grid-col-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS) </a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2">CMS Information Systems Security and Privacy Policy 
(IS2P2)</a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/learn/fedramp">Federal Risk and Authorization Management Program (FedRAMP) </a></div></div></section><section><div class="text-block text-block--theme-library"><h2>Introduction</h2><p>This Handbook outlines procedures to help CMS staff and contractors implement the Physical and Environmental Protection family of controls taken from the National Institute of Standards and Technology (NIST) Special Publication 800-53 and tailored to the CMS environment in the CMS Acceptable Risk Safeguards (ARS). For more guidance on implementing CMS policies and standards across many cybersecurity topics, see the CMS Security and Privacy Handbooks. </p><p>The controls listed in this chapter focus on how the organization must: ensure that information systems are protected by limiting physical access to information systems, equipment, and the respective operating environments to only authorized individuals; protect the physical plant and support infrastructure for information systems; provide supporting utilities for information systems; protect information systems against environmental hazards; and provide appropriate environmental controls in facilities containing information systems. Procedures in this chapter describe requirements for physical access, access control, records management, emergency protections, and physical locations of systems, with regard to physical and environmental protection.</p><h2>Physical and Environmental Protection</h2><h3>Physical Access Authorizations (PE-2)</h3><p>The Physical Access Authorizations control applies to employees, contractors, and others with permanent physical access authorization credentials; this control does not apply to visitors or areas within facilities that have been designated as publicly accessible. Access authorization credentials include badges, identification cards, and smart cards. 
Organizations determine the strength of authorization credentials required consistent with federal standards, policies, and procedures. <a href="https://www.dhs.gov/homeland-security-presidential-directive-12">Homeland Security Presidential Directive 12 (HSPD-12)</a> is a strategic initiative intended to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy. HSPD-12 requires development and agency implementation of a mandatory, governmentwide standard for secure and reliable forms of identification for federal employees and contractors requiring physical access to federally controlled facilities and logical access to federally controlled information systems.</p><p><em><strong>Guidance for systems processing, storing, or transmitting PHI:</strong></em></p><p>Under the HIPAA Security Rule, this is an addressable implementation specification. HIPAA covered entities must conduct an analysis as described at 45 C.F.R. § 164.306 (Security standards: General rules) part (d) (Implementation specifications) to determine how it must be applied within the organization. Maintaining a current list of personnel that are authorized to access facilities where sensitive information is located protects the information from unauthorized access. For the purposes of this control, “sensitive information” includes personally identifiable information (PII) and protected health information (PHI). The table below outlines the CMS defined parameters for PE-2.</p><p><strong>Table 3: CMS Defined Parameters- Control PE-2</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-2</td><td><p>The organization:</p><p> c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; </p></td><td><p>The organization: </p><p>c. 
Reviews the access list detailing authorized facility access by individuals every (90 High, 180 Moderate, 365 Low) days;</p></td></tr></tbody></table><p>CMS develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; issues authorization credentials for facility access; reviews the access list detailing authorized facility access by individuals; and removes individuals from the facility access list when access is no longer required. Federal regulations require that the Physical Access Control System (PACS) utilize the HSPD-12 credential, commonly referred to as Personal Identity Verification (PIV), to control physical access. PIV credentials at CMS are maintained through the use of PACS. PACS enables an authority to control physical access to areas and resources in a given physical facility. PIV credentials for physical access are valid for no more than 5 years and 9 months but must be surrendered or canceled when access is no longer officially required. There is no requirement for a periodic reinvestigation to maintain a PIV credential.</p><p>In accordance with <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf">Federal Information Processing Standards (FIPS) 201-2</a>, Personal Identity Verification (PIV) of Federal Employees and Contractors, these permissions must be removed from the credential within 18 hours of a change in cardholder status, resulting in loss of the access privilege. For physical access authorization to controlled areas, PACS Central within the Physical Access Management (PAM) system is to be used to submit a request. The request is then routed to the Access Authority of that area for authorization. The Access Authority for each area maintains the list of individuals with authorized access, performing reviews every 90 days. 
</p><h3>Physical Access Control (PE-3)</h3><p>Physical Access Control applies to organizational employees and visitors without permanent physical access-authorization credentials. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Identity, credential, and access management (ICAM) comprises the tools, policies and systems that allow an organization to manage, monitor and secure access to protected resources. The Federal ICAM (FICAM) program, managed by General Services Administration (GSA) Office of Information Integrity and Access, provides collaboration opportunities and guidance on IT policy, standards, implementation and architecture, to help federal agencies implement ICAM. The table below outlines the CMS defined parameters for PE-3.</p><p><strong>Table 4: CMS Defined Parameters- Control PE-3</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-3</td><td><p>The organization: </p><p>a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; </p><p>2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; </p><p>b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; </p><p>c. Provides [Assignment: organization defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; </p><p>d. Escorts visitors and monitors visitor activity [Assignment: organization defined circumstances requiring visitor escorts and monitoring]; </p><p>f. 
Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and </p><p>g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.</p></td><td><p>The organization: </p><p>a. Enforces physical access authorizations at defined entry/exit points to the facility (defined in the applicable security plan) where the information system resides by; </p><p>2. Controlling ingress/egress to the facility using guards and/or defined physical access control systems/devices (defined in the applicable security plan). </p><p>b. Maintains physical access audit logs for defined entry/exit points (defined in the applicable security plan); </p><p>c. Provides defined security safeguards (defined in the applicable security plan) to control access to areas within the facility officially designated as publicly accessible; </p><p>d. Escorts visitors and monitors visitor activity in defined circumstances requiring visitor escorts and monitoring (defined in the applicable security plan); </p><p>f. Inventories defined physical access devices (defined in the applicable security plan) no less often than every (90 High, 90 Moderate, or 180 Low) days; and </p><p>g. Changes combinations and keys for defined high-risk entry/exit points (defined in the applicable security plan) within every 365 days, and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated</p></td></tr></tbody></table><p>CMS enforces physical access control by promoting a secure location, protected with appropriate security structures and entry controls. 
Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both.</p><p>Safeguards include:</p><ul><li>Verifying individual access authorizations before granting access to the facility;</li><li>Controlling ingress/egress to the facility using guards and/or defined physical access control systems/devices; and </li><li>Maintaining physical access audit logs for defined entry/exit points. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.</li></ul><p>Safeguards include:</p><ul><li>Providing defined security safeguards to control access to areas within the facility officially designated as publicly accessible; and</li><li>Escorting visitors and monitoring visitor activity in defined circumstances requiring visitor escorts and monitoring. A CMS employee or authorized contractor (i.e., contractor with escort privileges) who is in possession of a valid, CMS issued badge assumes responsibility for a visitor to CMS facilities.</li></ul><p>Note: All foreign national visits require prior approval and will be assigned a “host” who will be responsible for ensuring that the visit is in full compliance with applicable policies and procedures. 
Physical access control devices can include keys, locks, combinations, and card readers.</p><p>Safeguards include:</p><ul><li>Securing keys, combinations, and other physical access devices; changing combinations and keys for defined high-risk entry/exit points as required, and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated; and</li><li>Maintaining inventory of defined physical access devices, as required.</li></ul><h4>Information System Access (PE-3(1))</h4><p>Physical access authorizations are enforced, in addition to physical access controls, for those secure areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communication centers). The table below outlines the CMS defined parameters for PE-3(1).</p><p><strong>Table 5: CMS Defined Parameters-Control PE-3(1)</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-3(1)</td><td>The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].</td><td>The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at defined physical spaces (defined in the applicable security plan) containing a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers, etc.).</td></tr></tbody></table><p>CMS enforces physical access authorizations at physical spaces that contain information system components to provide an adequate level of security to protect CMS data and information systems from unauthorized access. 
Physical access authorizations include:</p><ul><li>Controlling access by the use of door and window locks and security personnel or physical authentication devices, such as biometrics and/or smart card/PIN combination; and</li><li>Storing and operating information system components in physically secure environments with access limited to authorized personnel.</li></ul><p>At CMS, personnel are required to obtain an upgraded background investigation and approval by Department of Public Safety (DPS) for authorization.</p><h3>Access Control for Transmission Medium (PE-4)</h3><p>A transmission medium is the means through which data is sent from one place to another, using cables or electromagnetic signals to transmit data. Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. These applied safeguards also help to prevent eavesdropping or unauthorized transit modification of unencrypted transmissions. The table below outlines the CMS-defined parameters for PE-4.</p><p><strong>Table 6: CMS Defined Parameters- Control PE-4</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-4</td><td>The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].</td><td>The organization controls physical access to telephone closets and information system distribution and transmission lines within organizational facilities using defined security safeguards (defined in the applicable security plan).</td></tr></tbody></table><p>CMS implements security safeguards to control physical access to information system distribution and transmission lines. 
Safeguards include: </p><p>Storing information system distribution and transmission lines in authorized access areas. Access is limited to authorized personnel to prevent theft, vandalism and undocumented changes. Contact-based card readers, PINs, and/or security guards control physical access.</p><p>Encasing transmission lines by metal conduit, which is capable of shielding sensitive circuits from electromagnetic interference, in an effort to prevent accidental damage, eavesdropping and disruption.</p><p>Disabling unused physical ports is a method used to help secure the network from unauthorized access.</p><h3>Access Control for Output Devices (PE-5)</h3><p>Controlling physical access by placing output devices in secured areas, allowing access to authorized individuals, and placing output devices in monitored locations prevents unauthorized individuals from obtaining the output. Printers, copiers, scanners and monitors are examples of information system output devices.</p><p><strong>Printers</strong>:</p><p>CMS provides personal printers to support individual users and network printers that are accessible by network connection. Each CMS employee, with an assigned office or cubicle, is issued a personal printer for use. This printer can only be used when the laptop is in the computer docking station. Network printers are shared output devices used amongst CMS employees and Contractors that have CMS issued laptops. Safeguards include:</p><ul><li>Setting up devices to automatically print cover pages, also known as separator pages, with each print job. 
These cover pages contain useful information, such as the 4-character CMS user identification (ID), which can be used to identify the originator of the print job.</li><li>Configuring devices to ensure data is not saved or stored within the device once the print job is cleared out of the print queue.</li></ul><p>Print at home capabilities are available for CMS employees who have a need to print documents while at an Alternative Duty Station (ADS). Completion and submission of the <a href="https://cmsintranet.share.cms.gov/CT/_layouts/15/WopiFrame2.aspx?sourcedoc=/CT/Documents/Print-at-HomeAgreement.docx&action=default&DefaultItemOpen=1">Print at Home Agreement </a>allows the employee to connect his or her personally owned Universal Serial Bus (USB) printer (parallel cables and wireless printers are not supported) to the CMS issued laptop and install the printer drivers and print documents. By signing this agreement, CMS employees are attesting to: • Ensure that CMS information is protected from unauthorized access, use, disclosure, duplication, modification, diversion, or destruction—whether accidental or intentional – in order to maintain confidentiality, integrity, and availability; • Implement proper physical security measures to be used to secure hardcopy documents, containing confidential, sensitive or proprietary information used by CMS to fulfill its mission; </p><p>Maintain all information and/or media containing confidential data such as paper and files in a secure location or locked cabinet when not in use. CMS documents containing protected health information (PHI), personally identifiable information (PII) or other sensitive data may not be printed using your home printer; and</p><p>Securely store any documents printed at home and to return documents to CMS for proper disposition (e.g., filing, shredding). 
(RMH Chapter 10: Media Protection provides additional information on media sanitization.)</p><p><strong>Copier/Scanner devices:</strong></p><p>Located in designated rooms throughout CMS, copier/scanner devices allow a full range of capabilities necessary to manage internal documents. Safeguards include:</p><ul><li>Requiring the use of PIV Credentials for copying and scan-to-email capabilities. Device-based login is an effective way to control who can access and use the device and to manage and limit user access according to job responsibilities. </li><li>Configuring devices to ensure data is not saved or stored within the device beyond the completion of the copier/scanner action.</li></ul><p><strong>Monitors:</strong></p><p>CMS complies with the <a href="https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/rules-of-behavior-for-use-of-hhs-informationresources/index.html">Rules of Behavior for Use of Health and Human Services Information Resources (HHS RoB)</a> which includes the general security practice of locking workstations and removing PIV cards from laptops when leaving them unattended. All new users of HHS information resources must read the HHS RoB and sign the accompanying acknowledgement form before accessing data or other information, systems, and/or networks. This acknowledgement, affirming their knowledge of and agreement to the HHS RoB, must be completed annually thereafter. CMS users are offered two primary methods to lock the laptop:</p><ul><li>Use the Ctrl + Alt + Delete command and select “Lock”; or</li><li>Use the “Lock Computer” shortcut. This shortcut is installed on the Desktop of CMS issued laptops.</li></ul><p>CMS issued laptops are configured to automatically lock after 20 minutes of inactivity; in screen lock settings, this “Wait” time cannot be changed by the user.</p><h3>Monitoring Physical Access (PE-6)</h3><p>Physical access monitoring includes investigations of and responses to detected physical security incidents. 
Physical security incidents include security violations or suspicious physical access activities such as accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses. The table below outlines the CMS defined parameters for PE-6.</p><p><strong>Table 7: CMS Defined Parameters- Control PE-6</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-6</td><td><p>The organization: </p><p>b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and </p></td><td><p>The organization: </p><p>b. Reviews physical access logs weekly and upon occurrence of security incidents or indications of potential events involving physical security; and </p></td></tr></tbody></table><p>CMS monitors physical access to the facility where the information system resides to detect and respond to physical security incidents. Security staff provides real-time monitoring, 24 hours per day, 7 days a week, and 365 days a year, for potential security breaches or disturbances. Response plans that outline the method for responding are used for identified physical security incidents.</p><p>Information retained within CMS’s electronic security system is intended for security purposes only. There are instances when the information collected within these security systems could prove valuable in both criminal and administrative proceedings. Due to the sensitive nature of the information retained, it cannot be released to anyone without regard for the privacy of the individuals recorded within it. 
CMS applies the following rules for the release of security information:</p><ul><li>Criminal Evidence: Information that may be used as evidence in criminal proceedings will only be released upon the request of a duly authorized law enforcement entity. This information includes video of a traffic accident in a parking lot, record of entry into a controlled access location, and video of an altercation.</li><li>Administrative Evidence: Requests for information that may be used as evidence in administrative proceedings will only be considered from managers, as it applies to a member of their organization, or a member of the Division of Workforce Compliance. A member of the security team or individual entrusted with the retention of security information will review the system to meet the specific request. Only the specifically requested information will be provided. For example, if management wanted to determine if a specific employee reported to work over a particular weekend, the security official could review logs from the weekend and inform the manager that the employee did or did not sign in over the weekend and if so, what times. The security official is not to release all of the logs to the manager for the manager’s own review. </li></ul><h4>7.5.1 Intrusion Alarms/Surveillance Equipment (PE-6 (1))</h4><p>Intrusion alarms and surveillance equipment work in tandem with physical access controls to alert security personnel when unauthorized access is attempted. Monitoring of this equipment is useful for incident verification. CMS’s intrusion alarms and surveillance equipment are linked to the PAM system. CMS’s video surveillance systems maintain a 14-day recorded video capability.</p><h4>Monitoring Physical Access to Information Systems (PE-6 (4))</h4><p>Physical spaces within facilities that contain one or more information system components (e.g., server rooms, media storage areas, data centers, communications centers) require additional physical access monitoring. 
The table below outlines the CMS defined parameters for PE-6(4).</p><p><strong>Table 8: CMS Defined Parameters-Control PE-6(4)</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-6(4)</td><td>The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system].</td><td>The organization monitors physical access to the information system, in addition to the physical access monitoring of the facility, at defined physical spaces (defined in the applicable security plan) containing a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers, etc.).</td></tr></tbody></table><p>CMS provides monitoring to defined physical spaces by the use of additional access card readers restricting access to only authorized personnel. Further measures can include the use of mantraps, which are a physical access control system comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens.</p><h3>Visitor Access Records (PE-8)</h3><p>Visitor access records include the recording and collection of visitor data, either manually or through electronic visitor management systems, or both. Visitor access records are not required for publicly accessible areas. The table below outlines the CMS defined parameters for PE-8.</p><p><strong>Table 9: CMS Defined Parameters- Control PE-8</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-8</td><td><p>The organization: </p><p>a. 
Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and </p><p>b. Reviews visitor access records [Assignment: organization-defined frequency].</p></td><td><p>The organization: </p><p>a. Maintains visitor access records to the facility where the information system resides for two (2) years; and</p><p>b. Reviews visitor access records no less often than monthly.</p></td></tr></tbody></table><p>CMS adheres to the retention schedule found in <a href="https://www.archives.gov/files/records-mgmt/grs/grs05-6.pdf">National Archives and Records Administration (NARA) General Records Schedule (GRS) 5.6: Security Records</a> for maintaining visitor access records at the facility for 2 years. In addition, visitor access records are reviewed every 30 days. Visitor access records consist of the following data:</p><ul><li>Name and organization of the person visiting;</li><li>Visitor’s signature;</li><li>Form of identification/Valid U.S. Government issued photo identification;</li><li>Date of access;</li><li>Time of entry and departure;</li><li>Purpose of visit; and</li><li>Name and organization of person visited.</li></ul><h4>Automated Records Maintenance/Review (PE-8 (1))</h4><p>Maintenance and review of visitor access records are enabled by automated mechanisms that aid in the capture and management of records. CMS uses PAM, which contains multiple modules to perform security tasks, including visitor management.</p><h3>Power Equipment and Cabling (PE-9)</h3><p>Organizations are responsible for determining the types of protection that are needed to protect power equipment and power cabling from damage and destruction. This protection occurs at different locations (both internal and external to organizational facilities) and environments of operation. 
Examples of power equipment and cabling include generators and power cabling outside of facilities, internal cabling and uninterruptable power sources within offices or data centers, and power sources for self-contained entities such as vehicles and satellites. CMS facilities adhere to the mandatory standards outlined in <a href="https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview">GSA’s Facilities Standards for the Public Buildings Service (P100)</a>, as amended. Infrastructure assets are protected by restricting access and by the use of environmental detection devices. CMS permits only authorized personnel to access infrastructure assets, including power generators, heating, ventilation, and air conditioning (HVAC) systems, cabling, and wiring closets.</p><h3>Emergency Shutoff (PE-10)</h3><p>Emergency shutoff switches or devices provide the capability of shutting off power to the information system or individual system components in emergency situations. Placing these shutoff switches or devices in a location that will allow for personnel to approach the shutoff switch(es) safely permits easy access in emergency situations without risk to the individual and protects the emergency power shutoff capability from unauthorized or inadvertent activation. The table below outlines the CMS defined parameters for PE-10.</p><p><strong>Table 10: CMS Defined Parameters- Control PE-10</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-10</td><td><p>The organization:</p><p> b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; </p></td><td><p>The organization: </p><p>b. 
Places emergency shutoff switches or devices in a location that does not require personnel to approach the equipment to facilitate safe and easy access for personnel; </p></td></tr></tbody></table><p>CMS implements and maintains emergency shutoff switches or emergency power off (EPO) buttons as a safety mechanism that can be used to shut power off from the information system or from individual system components in an emergency. These clearly marked shutoff devices are installed at the exit doors.</p><h3>Emergency Power (PE-11)</h3><p>Emergency power, using a short-term, uninterruptible power supply (UPS) permits an orderly shutdown of the information system and/or transition of the information system to a long-term alternate power supply in the event of a primary power source loss. CMS facilities adhere to the mandatory standards outlined in <a href="https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview">GSA’s Facilities Standards for the Public Buildings Service (P100)</a>, as amended. 
The table below outlines the CMS defined parameters for PE-11.</p><p><strong>Table 11: CMS Defined Parameters- Control PE-11</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-11</td><td>The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss</td><td>The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system and/or transition of the information system to a long-term alternate power source in the event of a primary power source loss.</td></tr></tbody></table><p>CMS provides a short-term UPS that provides emergency power when the input power source or main power fails. The UPS provides near-instantaneous protection from input power interruptions, by supplying energy stored in batteries. CMS uses a web-based data center monitoring system that allows monitoring of critical support equipment. This provides centralized oversight and features include real-time monitoring and event management.</p><h4>Long-Term Alternate Power Supply - Minimal Operational Capability (PE-11 (1))</h4><p>Long-term alternate power supply for the information system provides the capability of maintaining minimally required operational capability in the event of an extended loss of the primary power source. CMS facilities adhere to the mandatory standards outlined in <a href="https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview">GSA’s Facilities Standards for the Public Buildings Service (P100)</a>, as amended. CMS has on-site, diesel-powered generators that are capable of providing a long-term alternate power supply. 
CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.</p><h3>Emergency Lighting (PE-12)</h3><p>Automatic emergency lighting that activates and covers emergency exits and evacuation routes is crucial to ensure adequate illumination in the event of a power outage or disruption. CMS facilities adhere to the mandatory standards outlined in <a href="https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview">GSA’s Facilities Standards for the Public Buildings Service (P100)</a>, as amended. CMS employs and maintains emergency lighting, that activates in the event of a power outage or disruption, and that covers emergency exits and evacuation routes within the facility. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment. </p><h3>Fire Protection (PE-13)</h3><p>Fire protection includes devices and systems that are effective in detecting, extinguishing, or controlling a fire event. Preventing fires or limiting damage can ensure work operations continue without interruption. CMS facilities adhere to the mandatory standards outlined in <a href="https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview">GSA’s Facilities Standards for the Public Buildings Service (P100)</a>, as amended. CMS’s fire protection devices and systems, supported by independent energy sources, work to detect, notify and compartmentalize or suppress the unwanted effects of potentially destructive fires. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.</p><h4>Detection Devices/Systems (PE-13(1))</h4><p>Detection devices/systems automatically activate to notify personnel and emergency responders in the event of a fire. 
CMS facilities adhere to the mandatory standards outlined in <a href="https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview">GSA’s Facilities Standards for the Public Buildings Service (P100)</a>, as amended. The table below outlines the CMS defined parameters for PE-13(1).</p><p><strong>Table 10: CMS Defined Parameters-Control PE-13(1)</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-13(1)</td><td>The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.</td><td>The organization employs fire detection devices/systems for the information system that activate automatically and notify defined personnel or roles (defined in the applicable security plan) and defined emergency responders (defined in the applicable security or safety plan) in the event of a fire</td></tr></tbody></table><p>CMS’s detection system is comprised of a networked series of fire alarm panels, annunciator panels, addressable audible and visual alarms and initiating devices including smoke detectors, heat detectors, and pull stations.</p><h4>Suppression Devices/Systems (PE-13(2))</h4><p>Fire suppression devices/systems provide automatic activation notification to specific personnel, roles, and emergency responders. CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended. 
The table below outlines the CMS defined parameters for PE-13(2).</p><p><strong>Table 11: CMS Defined Parameters- Control PE-13(2)</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-13(2)</td><td>The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].</td><td>The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to defined personnel (or roles) and defined emergency responders (defined in the applicable security or safety plan)</td></tr></tbody></table><p>CMS employs a monitored fire alarm system that notifies critical parties (e.g., CMS’s Network Command Center (NCC), designated personnel, emergency services/local fire department) as soon as detection devices or systems have been activated.</p><h4>Automatic Fire Suppression (PE-13(3))</h4><p>Automatic fire suppression systems have the capability to control and extinguish fires without human intervention. Options for automatic suppression systems include:</p><ul><li>Aqueous systems (e.g., wet-pipe sprinkler system); and</li><li>Gaseous systems (e.g., clean agent system)</li></ul><p>CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended.</p><p>Wet-pipe sprinkler systems are installed at CMS facilities. The sprinkler system is heat-activated and responds with water suppression only in the area(s) where heat is detected.</p><h3>Temperature and Humidity Controls (PE-14)</h3><p>Environmental conditions can pose a threat to the hardware of the network. 
Maintaining recommended temperature and humidity levels in the data center can reduce unplanned downtime caused by environmental conditions. Maintaining and monitoring levels of temperature and humidity where the information system resources (e.g., data centers, server rooms) reside is critical to system reliability. High temperatures can cause equipment to overheat and malfunction. If the relative humidity levels are too high, water condensation can occur which results in hardware corrosion and early system and component failure. If the relative humidity is too low, computer equipment becomes susceptible to electrostatic discharge (ESD) which can cause damage to sensitive components. The table below outlines the CMS defined parameters for PE-14.</p><p><strong>Table 14: CMS Defined Parameters- Control PE-14</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-14</td><td><p>The organization: </p><p>a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and </p><p>b. Monitors temperature and humidity levels [Assignment: organization defined frequency].</p></td><td><p>The organization: </p><p>a. Maintains temperature and humidity levels within the facility where the information system resides within acceptable vendor-specified levels; </p><p>b. Monitors temperature and humidity levels within the defined frequency (defined in the applicable security plan);</p></td></tr></tbody></table><p>Temperature and humidity levels are maintained within the vendor-specified levels for optimal system reliability. Zone temperature sensors and humidity sensors are used for continuous monitoring. CMS uses a web-based data center monitoring system that allows monitoring of critical support equipment. 
This provides centralized oversight and features include real-time monitoring and event management. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.</p><h4>Water Damage Protection (PE-15)</h4><p>Shut-off valves help prevent water damage by closing off the water supply. Main shut-off or isolation valves can be used to protect the information system resources from damage resulting from water leakage. Isolation valves are used to shut off water supplies at a specific location, usually for maintenance or safety purposes, and can be employed in addition to or in lieu of main shutoff valves. CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended. CMS protects the information system resources from water damage resulting from broken plumbing lines or other sources of water leakage by providing main shut-off valves or isolation valves that are accessible, functional, and known to key personnel. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.</p><h4>Automation Support (PE-15(1))</h4><p>Automated mechanisms (e.g., water detection sensors, alarms and notification systems) are used to detect and provide an alert to the presence of water near the information system. 
The table below outlines the CMS defined parameters for PE-15(1).</p><p><strong>Table 12: CMS Defined Parameters-Control PE-15(1)</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-15(1)</td><td>The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles].</td><td>The organization employs automated mechanisms to detect the presence of water near the information system and alerts defined personnel or roles (defined in the applicable security plan)</td></tr></tbody></table><p>CMS uses water detection sensors to detect water from environmental events (e.g., floods), as well as from equipment failure, leaks and broken pipes. CMS uses a web-based data center monitoring system that allows monitoring of critical support equipment. This provides centralized oversight and features include real-time monitoring and event management. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.</p><h3>Delivery and Removal (PE-16)</h3><p>Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. 
The table below outlines the CMS defined parameters for PE-16.</p><p><strong>Table 17: CMS Defined Parameters- Control PE-16</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-16</td><td>The organization authorizes, monitors, and controls [Assignment: organization defined types of information system components] entering and exiting the facility and maintains records of those items.</td><td>The organization authorizes, monitors, and controls the flow of all information system-related components entering and exiting the facility and maintains records of those items</td></tr></tbody></table><p>CMS authorizes, monitors and controls the flow of information system-related components entering and exiting the facility through the use of procedures which include controlled access to the facility, secure storage and the maintenance of entry/exit records.</p><h3>Alternate Work Site (PE-17)</h3><p>Alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. There is a direct relationship between an agency’s Continuity of Operations (COOP) plan and telework. Both programs, telework and COOP, share a basic objective: to perform and maintain agency functions from an alternative location. Telework can help ensure that essential Federal functions continue through hazardous weather, pandemic, physical attacks, or any other event that would result in the closure of Government facilities. 
The <a href="https://www.govinfo.gov/content/pkg/BILLS-111hr1722enr/pdf/BILLS-111hr1722enr.pdf">Telework Enhancement Act of 2010</a> provides a framework for agencies to better leverage technology and to maximize the use of flexible work arrangements, including those involving emergency situations. The table below outlines the CMS defined parameters for PE-17.</p><p><strong>Table 18: CMS Defined Parameters- Control PE-17</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-17</td><td><p>The organization: </p><p>a. Employs [Assignment: organization defined security controls] at alternate work sites;</p></td><td><p>The organization: </p><p>a. Employs appropriate security controls at alternate work sites to include, but not to be limited to, requiring the use of laptop cable locks, recording serial numbers and other identification information about laptops, and disconnecting modems at alternate work sites;</p></td></tr></tbody></table><p>The CMS telework program is a valuable tool to meet mission objectives. CMS’s policy that governs telework is located in the <a href="https://cmsintranet.share.cms.gov/ER/Documents/2017Master-Labor-Agreement.pdf">Master Labor Agreement (MLA), Article 29: Telecommuting Programs</a>.</p><p>Participation in the CMS telework program is voluntary. A completed telework agreement between the employee and CMS is required for participation. Employees with a valid telework agreement may be required by CMS to telecommute at an approved ADS in the instances of: a full day building closure; an early building closure for non-weather related reasons; or a delayed opening (e.g., inclement weather or in other emergencies). CMS may also require telework employees to work at an ADS when a COOP is in effect. 
Per <a href="https://www.opm.gov/faq/telework/Can-Federal-contractors-telework.ashx">Office of Personnel Management (OPM)</a>, there is no Federal statute or regulation that specifically prohibits Federal contractors from teleworking. The decision to allow a contractor to telework would be made by the contractor’s supervisor and/or in conjunction with CMS. CMS employs appropriate security controls at alternate work sites. Security controls include technology-enforced protection such as Virtual Private Network (VPN) technology, multi-factor authentication, anti-virus software, and encryption. In addition, procedures, including the <a href="https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/rules-of-behavior-for-use-of-hhs-informationresources/index.html">HHS RoB</a>, which applies to remote use of HHS information (in both electronic and physical forms) and information systems, rely on users to follow rules or perform certain steps that are not necessarily enforced by technical means. For security incidents, contact the CMS IT Service Desk by calling (410) 786-2580 or (800) 562-1963; or by sending an email to cms_it_service_desk@cms.hhs.gov to open a ticket.</p><h3>Location of Information System Components (PE-18)</h3><p>Positioning the information system components within the facility is critical to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. The location of physical entry points should be considered where unauthorized individuals, while not being granted access, might be in close proximity to information systems. This increases the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). 
The table below outlines the CMS defined parameters for PE-18.</p><p><strong>Table 19: CMS Defined Parameters- Control PE-18</strong></p><table><tbody><tr><td><strong>Control </strong></td><td><strong>Control Requirement </strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>PE-18</td><td>The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.</td><td>The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards, and to minimize the opportunity for unauthorized access.</td></tr></tbody></table><p>CMS positions the information system components to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. Considerations when positioning information system components include: </p><ul><li>Security: layered security consists of access card readers, mantraps, video surveillance and/or security staff </li><li>Fire protection: fire protection systems, as well as implementation of fire prevention programs in operations </li><li>Electrical power: proven and reliable power grid with backup power that consists of one or more UPS, in addition to battery banks and generators. </li><li>Geographic location: probability and frequency of natural disasters, extreme weather, and seismic activity to occur at a specific location. 
</li><li>Structural design: techniques that can be used to make the actual data center resistant to physical attacks (e.g., reinforced with steel and concrete) </li></ul><p>In addition, the raised floor space, air conditioning support, UPS, generators, and related support equipment must be coordinated with the other areas of the facility and properly positioned within the facility’s perimeter in order to improve their interaction. </p><h2>Applicable Laws and Guidance </h2><p>The Applicable Laws and Guidance appendix provides references to both authoritative and guidance documentation supporting the “document.” Subsections are organized by “level of authority” (e.g., Statutes take precedence over Federal Directives and Policies). </p><h3>Statutes </h3><p><a href="http://www.hhs.gov/hipaa">Health Insurance Portability and Accountability Act of 1996 (HIPAA) </a></p><h3>Federal Directives and Policies </h3><p><a href="https://www.fedramp.gov/files/2015/03/FedRAMP-Control-Quick-Guide-Rev4-FINAL01052015.pdf">FedRAMP Rev. 4 Baseline </a></p><p><a href="https://www.dhs.gov/homeland-security-presidential-directive-12">Homeland Security Presidential Directive 12 </a></p><p><a href="https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview">U.S. 
General Services Administration: Facilities Standards for Public Buildings Service (P100) </a></p><p><a href="https://www.archives.gov/files/records-mgmt/grs/grs05-6.pdf">National Archives and Records Administration (NARA) schedule GRS 5.6: Security Records </a></p><h3>OMB Policy and Memoranda </h3><p><a href="https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130trans4.pdf">OMB Circular A-130, Management of Federal Information Resources </a></p><p><a href="https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2011/m11-27.pdf">OMB Memo: M-11-27, Implementing the Telework Enhancement Act of 2010: Security Guidelines </a></p><h3>NIST Guidance and Federal Information Processing Standards </h3><p><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf">FIPS-201-2 Personal Identity Verification (PIV) of Federal Employees and Contractors </a></p><p><a href="https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.200.pdf">FIPS-200 Minimum Security Requirements for Federal Information and Information Systems </a></p><p><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations </a></p><p><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-116r1.pdf">NIST SP 800-116, Guidelines for the Use of PIV Credentials in Facility Access </a></p><p><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf">NIST SP 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security </a></p><p><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf">NIST SP 800 73, Interfaces for Personal Identity Verification – Part 1: PIV Card Application Namespace, Data Model and Representation </a></p><p><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-76-2.pdf">NIST SP 800 76, Biometric Specifications for 
Personal Identity Verification </a></p><p><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-78-4.pdf">8 NIST SP 800 78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification </a></p><h3>HHS Policy </h3><p>HHS-OCIO-2014-0001 HHS Information System Security and Privacy Policy (HHS IS2P)– 2014 Edition. </p><p>To obtain a copy of this document, email fisma@hhs.gov </p><p><a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-InformationTechnology/InformationSecurity/Downloads/IS2P2.pdf">Rules of Behavior for Use of Health and Human Services Information Resources (HHS RoB) </a></p><h3>Associated CMS Resources </h3><p><a href="https://cmsintranet.share.cms.gov/ER/Documents/2017Master-LaborAgreement.pdf">Master Labor Agreement </a></p><p><a href="https://cmsintranet.share.cms.gov/WR/Documents/CMSPhysicalSecurityProgramHandbook.pdf#search=physical%20security%20handbook">Physical Security Handbook</a></p></div></section></div></div></div></div></main>
(FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident 
Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new 
ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner 
(BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of 
authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 
Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[3055,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"907\",\"static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js\"],\"default\"]\n18:Td513,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eIntroduction\u003c/h2\u003e\u003cp\u003eThis Handbook outlines procedures to help CMS staff and contractors implement the Physical and Environmental Protection family of controls taken from the National Institute of Standards and Technology (NIST) Special Publication 800-53 and tailored to the CMS environment in the CMS Acceptable Risk Safeguards (ARS). 
For more guidance on implementing CMS policies and standards across many cybersecurity topics, see the CMS Security and Privacy Handbooks.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe controls listed in this chapter focus on how the organization must: ensure that information systems are protected by limiting physical access to information systems, equipment, and the respective operating environments to only authorized individuals; protect the physical plant and support infrastructure for information systems; provide supporting utilities for information systems; protect information systems against environmental hazards; and provide appropriate environmental controls in facilities containing information systems. Procedures in this chapter describe requirements for physical access, access control, records management, emergency protections, and physical locations of systems, with regard to physical and environmental protection.\u003c/p\u003e\u003ch2\u003ePhysical and Environmental Protection\u003c/h2\u003e\u003ch3\u003ePhysical Access Authorizations (PE-2)\u003c/h3\u003e\u003cp\u003eThe Physical Access Authorizations control includes employees, contractors, and others with permanent physical access authorization credentials; this control does not apply to visitors or areas within facilities that have been designated as publicly accessible. Access authorization credentials include badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials required consistent with federal standards, policies, and procedures. \u003ca href=\"https://www.dhs.gov/homeland-security-presidential-directive-12\"\u003eHomeland Security Presidential Directive 12 (HSPD-12)\u003c/a\u003e is a strategic initiative intended to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy. 
HSPD-12 requires development and agency implementation of a mandatory, governmentwide standard for secure and reliable forms of identification for federal employees and contractors requiring physical access to federally controlled facilities and logical access to federally controlled information systems.\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eGuidance for systems processing, storing, or transmitting PHI:\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cp\u003eUnder the HIPAA Security Rule, this is an addressable implementation specification. HIPAA covered entities must conduct an analysis as described at 45 C.F.R. § 164.306 (Security standards: General rules) part (d) (Implementation specifications) to determine how it must be applied within the organization. Maintaining a current list of personnel that are authorized to access facilities where sensitive information is located protects the information from unauthorized access. For the purposes of this control, “sensitive information” includes personally identifiable information (PII) and protected health information (PHI). The table below outlines the CMS defined parameters for PE-2.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 3: CMS Defined Parameters- Control PE-2\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-2\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003cp\u003e\u0026nbsp;c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency];\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ec. 
Reviews the access list detailing authorized facility access by individuals every (90 High, 180 Moderate, 365 Low) days;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; issues authorization credentials for facility access; reviews the access list detailing authorized facility access by individuals; and removes individuals from the facility access list when access is no longer required. Federal regulations require that the Physical Access Control System (PACS) utilize the HSPD-12 credential, commonly referred to as Personal Identity Verification (PIV), to control physical access. PIV credentials at CMS are maintained through the use of PACS. PACS enables an authority to control physical access to areas and resources in a given physical facility. PIV credentials for physical access are valid for no more than 5 years and 9 months but must be surrendered or canceled when access is no longer officially required. There is no requirement for a periodic reinvestigation to maintain a PIV credential.\u003c/p\u003e\u003cp\u003eIn accordance with \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf\"\u003eFederal Information Processing Standards (FIPS) 201-2\u003c/a\u003e, Personal Identity Verification (PIV) of Federal Employees and Contractors, these permissions must be removed from the credential within 18 hours of a change in cardholder status, resulting in loss of the access privilege. For physical access authorization to controlled areas, PACS Central within the Physical Access Management (PAM) system is to be used to submit a request. The request is then routed to the Access Authority of that area for authorization. The Access Authority for each area maintains the list of individuals with authorized access, performing reviews every 90 days. 
\u0026nbsp;\u003c/p\u003e\u003ch3\u003ePhysical Access Control (PE-3)\u003c/h3\u003e\u003cp\u003ePhysical Access Control applies to organizational employees and visitors without permanent physical access-authorization credentials. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Identity, credential, and access management (ICAM) comprises the tools, policies and systems that allow an organization to manage, monitor and secure access to protected resources. The Federal ICAM (FICAM) program, managed by General Services Administration (GSA) Office of Information Integrity and Access, provides collaboration opportunities and guidance on IT policy, standards, implementation and architecture, to help federal agencies implement ICAM. The table below outlines the CMS defined parameters for PE-3.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 4: CMS Defined Parameters- Control PE-3\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-3\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;\u0026nbsp;\u003c/p\u003e\u003cp\u003e2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. 
Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];\u0026nbsp;\u003c/p\u003e\u003cp\u003ec. Provides [Assignment: organization defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;\u0026nbsp;\u003c/p\u003e\u003cp\u003ed. Escorts visitors and monitors visitor activity [Assignment: organization defined circumstances requiring visitor escorts and monitoring];\u0026nbsp;\u003c/p\u003e\u003cp\u003ef. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and\u0026nbsp;\u003c/p\u003e\u003cp\u003eg. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Enforces physical access authorizations at defined entry/exit points to the facility (defined in the applicable security plan) where the information system resides by;\u0026nbsp;\u003c/p\u003e\u003cp\u003e2. Controlling ingress/egress to the facility using guards and/or defined physical access control systems/devices (defined in the applicable security plan).\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. Maintains physical access audit logs for defined entry/exit points (defined in the applicable security plan);\u0026nbsp;\u003c/p\u003e\u003cp\u003ec. Provides defined security safeguards (defined in the applicable security plan) to control access to areas within the facility officially designated as publicly accessible;\u0026nbsp;\u003c/p\u003e\u003cp\u003ed. Escorts visitors and monitors visitor activity in defined circumstances requiring visitor escorts and monitoring (defined in the applicable security plan);\u0026nbsp;\u003c/p\u003e\u003cp\u003ef. 
Inventories defined physical access devices (defined in the applicable security plan) no less often than every (90 High, 90 Moderate, or 180 Low) days; and\u0026nbsp;\u003c/p\u003e\u003cp\u003eg. Changes combinations and keys for defined high-risk entry/exit points (defined in the applicable security plan) within every 365 days, and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS enforces physical access control by promoting a secure location, protected with appropriate security structures and entry controls. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both.\u003c/p\u003e\u003cp\u003eSafeguards include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerifying individual access authorizations before granting access to the facility;\u003c/li\u003e\u003cli\u003eControlling ingress/egress to the facility using guards and/or defined physical access control systems/devices; and\u0026nbsp;\u003c/li\u003e\u003cli\u003eMaintaining physical access audit logs for defined entry/exit points. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSafeguards include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProviding defined security safeguards to control access to areas within the facility officially designated as publicly accessible; and\u003c/li\u003e\u003cli\u003eEscorting visitors and monitoring visitor activity in defined circumstances requiring visitor escorts and monitoring. 
A CMS employee or authorized contractor (i.e., contractor with escort privileges) who is in possession of a valid, CMS issued badge assumes responsibility for a visitor to CMS facilities.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eNote: All foreign national visits require prior approval and will be assigned a “host” who will be responsible for ensuring that the visit is in full compliance with applicable policies and procedures. Physical access control devices can include keys, locks, combinations, and card readers.\u003c/p\u003e\u003cp\u003eSafeguards include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecuring keys, combinations, and other physical access devices; changing combinations and keys for defined high-risk entry/exit points as required, and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated; and\u003c/li\u003e\u003cli\u003eMaintaining inventory of defined physical access devices, as required.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eInformation System Access (PE-3(1))\u003c/h4\u003e\u003cp\u003ePhysical access authorizations are enforced, in addition to physical access controls, for those secure areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communication centers). 
The table below outlines the CMS defined parameters for PE-3(1).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 5: CMS Defined Parameters-Control PE-3(1)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-3(1)\u003c/td\u003e\u003ctd\u003eThe organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].\u003c/td\u003e\u003ctd\u003eThe organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at defined physical spaces (defined in the applicable security plan) containing a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers, etc.).\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS enforces physical access authorizations at physical spaces that contain information system components to provide an adequate level of security to protect CMS data and information systems from unauthorized access. 
Physical access authorizations include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControlling access by the use of door and window locks and security personnel or physical authentication devices, such as biometrics and/or smart card/PIN combination; and\u003c/li\u003e\u003cli\u003eStoring and operating information system components in physically secure environments with access limited to authorized personnel.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAt CMS, personnel are required to obtain an upgraded background investigation and approval by Department of Public Safety (DPS) for authorization.\u003c/p\u003e\u003ch3\u003eAccess Control for Transmission Medium (PE-4)\u003c/h3\u003e\u003cp\u003eA transmission medium is the means through which data is sent from one place to another, using cables or electromagnetic signals to transmit data. Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. These applied safeguards also help to prevent eavesdropping or unauthorized transit modification of unencrypted transmissions. 
The table below outlines the CMS-defined parameters for PE-4.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 6: CMS Defined Parameters- Control PE-4\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-4\u003c/td\u003e\u003ctd\u003eThe organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].\u003c/td\u003e\u003ctd\u003eThe organization controls physical access to telephone closets and information system distribution and transmission lines within organizational facilities using defined security safeguards (defined in the applicable security plan).\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS implements security safeguards to control physical access to information system distribution and transmission lines. Safeguards include:\u0026nbsp;\u003c/p\u003e\u003cp\u003eStoring information system distribution and transmission lines in authorized access areas. Access is limited to authorized personnel to prevent theft, vandalism and undocumented changes. 
Contact-based card readers, PINs, and/or security guards control physical access.\u003c/p\u003e\u003cp\u003eEncasing transmission lines in metal conduit, which is capable of shielding sensitive circuits from electromagnetic interference, in an effort to prevent accidental damage, eavesdropping and disruption.\u003c/p\u003e\u003cp\u003eDisabling unused physical ports is a method used to help secure the network from unauthorized access.\u003c/p\u003e\u003ch3\u003eAccess Control for Output Devices (PE-5)\u003c/h3\u003e\u003cp\u003eControlling physical access by placing output devices in secured areas, allowing access only to authorized individuals, and placing output devices in monitored locations prevents unauthorized individuals from obtaining the output. Printers, copiers, scanners and monitors are examples of information system output devices.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePrinters\u003c/strong\u003e:\u003c/p\u003e\u003cp\u003eCMS provides personal printers to support individual users and network printers that are accessible by network connection. Each CMS employee with an assigned office or cubicle is issued a personal printer for use. This printer can only be used when the laptop is in the computer docking station. Network printers are shared output devices used amongst CMS employees and Contractors that have CMS issued laptops. Safeguards include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSetting up devices to automatically print cover pages, also known as separator pages, with each print job. 
These cover pages contain useful information, such as the 4-character CMS user identification (ID), which can be used to identify the originator of the print job.\u003c/li\u003e\u003cli\u003eConfiguring devices to ensure data is not saved or stored within the device once the print job is cleared out of the print queue.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ePrint at home capabilities are available for CMS employees who have a need to print documents while at an Alternative Duty Station (ADS). Completion and submission of the \u003ca href=\"https://cmsintranet.share.cms.gov/CT/_layouts/15/WopiFrame2.aspx?sourcedoc=/CT/Documents/Print-at-HomeAgreement.docx\u0026amp;action=default\u0026amp;DefaultItemOpen=1 \"\u003ePrint at Home Agreement \u003c/a\u003eallows the employee to connect his or her personally owned Universal Serial Bus (USB) printer (parallel cables and wireless printers are not supported) to the CMS issued laptop and install the printer drivers and print documents. By signing this agreement, CMS employees are attesting to: • Ensure that CMS information is protected from unauthorized access, use, disclosure, duplication, modification, diversion, or destruction—whether accidental or intentional – in order to maintain confidentiality, integrity, and availability; • Implement proper physical security measures to be used to secure hardcopy documents, containing confidential, sensitive or proprietary information used by CMS to fulfill its mission;\u0026nbsp; \u0026nbsp;\u003c/p\u003e\u003cp\u003eMaintain all information and/or media containing confidential data such as paper and files in a secure location or locked cabinet when not in use. 
CMS documents containing protected health information (PHI), personally identifiable information (PII) or other sensitive data may not be printed using your home printer; and\u003c/p\u003e\u003cp\u003eSecurely store any documents printed at home and return documents to CMS for proper disposition (e.g., filing, shredding). (RMH Chapter 10: Media Protection provides additional information on media sanitization.)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCopier/Scanner devices:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eLocated in designated rooms throughout CMS, copier/scanner devices allow a full range of capabilities necessary to manage internal documents. Safeguards include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRequiring the use of PIV Credentials for copying and scan-to-email capabilities. Device-based login is an effective way to control who can access and use the device and to manage and limit user access according to job responsibilities.\u0026nbsp;\u003c/li\u003e\u003cli\u003eConfiguring devices to ensure data is not saved or stored within the device beyond the completion of the copier/scanner action.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eMonitors:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCMS complies with the \u003ca href=\"https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/rules-of-behavior-for-use-of-hhs-informationresources/index.html\"\u003eRules of Behavior for Use of Health and Human Services Information Resources (HHS RoB)\u003c/a\u003e, which includes the general security practice of locking workstations and removing PIV cards from laptops when leaving them unattended. All new users of HHS information resources must read the HHS RoB and sign the accompanying acknowledgement form before accessing data or other information, systems, and/or networks. This acknowledgement, affirming their knowledge of and agreement to the HHS RoB, must be completed annually thereafter. 
CMS users are offered two primary methods to lock the laptop:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUse the Ctrl + Alt + Delete command and select “Lock”; or\u003c/li\u003e\u003cli\u003eUse the “Lock Computer” shortcut. This shortcut is installed on the Desktop of CMS issued laptops.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS issued laptops are configured to automatically lock after 20 minutes of inactivity; in screen lock settings, this “Wait” time cannot be changed by the user.\u003c/p\u003e\u003ch3\u003eMonitoring Physical Access (PE-6)\u003c/h3\u003e\u003cp\u003ePhysical access monitoring includes investigations of and responses to detected physical security incidents. Physical security incidents include security violations or suspicious physical access activities such as accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses. The table below outlines the CMS defined parameters for PE-6.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 7: CMS Defined Parameters- Control PE-6\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-6\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. 
Reviews physical access logs weekly and upon occurrence of security incidents or indications of potential events involving physical security; and\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS monitors physical access to the facility where the information system resides to detect and respond to physical security incidents. Security staff provides real-time monitoring, 24 hours per day, 7 days a week, and 365 days a year, for potential security breaches or disturbances. Response plans that outline the method for responding are used for identified physical security incidents.\u003c/p\u003e\u003cp\u003eInformation retained within CMS’s electronic security system is intended for security purposes only. There are instances when the information collected within these security systems could prove valuable in both criminal and administrative proceedings. Due to the sensitive nature of the information retained, it cannot be released to anyone without regard to the privacy of the individuals recorded in it. CMS applies the following rules for the release of security information:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCriminal Evidence: Information that may be used as evidence in criminal proceedings will only be released upon the request of a duly authorized law enforcement entity. This information includes video of a traffic accident in a parking lot, record of entry into a controlled access location, and video of an altercation.\u003c/li\u003e\u003cli\u003eAdministrative Evidence: Requests for information that may be used as evidence in administrative proceedings will only be considered from managers, as it applies to a member of their organization, or a member of the Division of Workforce Compliance. A member of the security team or individual entrusted with the retention of security information will review the system to meet the specific request. 
Only the specifically requested information will be provided. For example, if management wanted to determine if a specific employee reported to work over a particular weekend, the security official could review logs from the weekend and inform the manager that the employee did or did not sign in over the weekend and, if so, at what times. The security official is not to release all of the logs to the manager for the manager’s own review.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e7.5.1 Intrusion Alarms/Surveillance Equipment (PE-6 (1))\u003c/h4\u003e\u003cp\u003eIntrusion alarms and surveillance equipment work in tandem with physical access controls to alert security personnel when unauthorized access is attempted. Monitoring of this equipment is useful for incident verification. CMS’s intrusion alarms and surveillance equipment are linked to the PAM system. CMS’s video surveillance systems maintain a 14-day recorded video capability.\u003c/p\u003e\u003ch4\u003eMonitoring Physical Access to Information Systems (PE-6 (4))\u003c/h4\u003e\u003cp\u003ePhysical spaces within facilities that contain one or more information system components (e.g., server rooms, media storage areas, data centers, communications centers) require additional physical access monitoring. 
The table below outlines the CMS defined parameters for PE-6(4).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 8: CMS Defined Parameters-Control PE-6(4)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-6(4)\u003c/td\u003e\u003ctd\u003eThe organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system].\u003c/td\u003e\u003ctd\u003eThe organization monitors physical access to the information system, in addition to the physical access monitoring of the facility, at defined physical spaces (defined in the applicable security plan) containing a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers, etc.).\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS provides monitoring to defined physical spaces by the use of additional access card readers restricting access to only authorized personnel. Further measures can include the use of mantraps, which are a physical access control system comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens.\u003c/p\u003e\u003ch3\u003eVisitor Access Records (PE-8)\u003c/h3\u003e\u003cp\u003eVisitor access records include the recording and collection of visitor data, either manually or through electronic visitor management systems, or both. Visitor access records are not required for publicly accessible areas. 
The table below outlines the CMS defined parameters for PE-8.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 9: CMS Defined Parameters- Control PE-8\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-8\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. Reviews visitor access records [Assignment: organization-defined frequency].\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Maintains visitor access records to the facility where the information system resides for two (2) years; and\u003c/p\u003e\u003cp\u003eb. Reviews visitor access records no less often than monthly.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS adheres to the retention schedule found in \u003ca href=\"https://www.archives.gov/files/records-mgmt/grs/grs05-6.pdf \"\u003eNational Archives and Records Administration (NARA) General Records Schedule (GRS) 5.6: Security Records\u003c/a\u003e for maintaining visitor access records at the facility for 2 years. In addition, visitor access records are reviewed every 30 days. Visitor access records consist of the following data:\u003c/p\u003e\u003cul\u003e\u003cli\u003eName and organization of the person visiting;\u003c/li\u003e\u003cli\u003eVisitor’s signature;\u003c/li\u003e\u003cli\u003eForm of identification/Valid U.S. 
Government issued photo identification;\u003c/li\u003e\u003cli\u003eDate of access;\u003c/li\u003e\u003cli\u003eTime of entry and departure;\u003c/li\u003e\u003cli\u003ePurpose of visit; and\u003c/li\u003e\u003cli\u003eName and organization of person visited.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eAutomated Records Maintenance/Review (PE-8 (1))\u003c/h4\u003e\u003cp\u003eMaintenance and review of visitor access records are enabled by automated mechanisms that aid in the capture and management of records. CMS uses PAM, which contains multiple modules to perform security tasks, including visitor management.\u003c/p\u003e\u003ch3\u003ePower Equipment and Cabling (PE-9)\u003c/h3\u003e\u003cp\u003eOrganizations are responsible for determining the types of protection that are needed to protect power equipment and power cabling from damage and destruction. This protection occurs at different locations (both internal and external to organizational facilities) and environments of operation. Examples of power equipment and cabling include generators and power cabling outside of facilities, internal cabling and uninterruptible power sources within offices or data centers, and power sources for self-contained entities such as vehicles and satellites. CMS facilities adhere to the mandatory standards outlined in \u003ca href=\"https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview\"\u003eGSA’s Facilities Standards for the Public Buildings Service (P100)\u003c/a\u003e, as amended. Infrastructure assets are protected by restricting access and by the use of environmental detection devices. 
CMS permits only authorized personnel to access infrastructure assets, including power generators, heating, ventilation, and air conditioning (HVAC) systems, cabling, and wiring closets.\u003c/p\u003e\u003ch3\u003eEmergency Shutoff (PE-10)\u003c/h3\u003e\u003cp\u003eEmergency shutoff switches or devices provide the capability of shutting off power to the information system or individual system components in emergency situations. Placing these shutoff switches or devices in a location that will allow for personnel to approach the shutoff switch(es) safely permits easy access in emergency situations without risk to the individual and protects the emergency power shutoff capability from unauthorized or inadvertent activation. The table below outlines the CMS defined parameters for PE-10.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 10: CMS Defined Parameters- Control PE-10\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-10\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003cp\u003e\u0026nbsp;b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel;\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. 
Places emergency shutoff switches or devices in a location that does not require personnel to approach the equipment to facilitate safe and easy access for personnel;\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS implements and maintains emergency shutoff switches or emergency power off (EPO) buttons as a safety mechanism that can be used to shut power off from the information system or from individual system components in an emergency. These clearly marked shutoff devices are installed at the exit doors.\u003c/p\u003e\u003ch3\u003eEmergency Power (PE-11)\u003c/h3\u003e\u003cp\u003eEmergency power, using a short-term, uninterruptible power supply (UPS), permits an orderly shutdown of the information system and/or transition of the information system to a long-term alternate power supply in the event of a primary power source loss. CMS facilities adhere to the mandatory standards outlined in \u003ca href=\"https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview\"\u003eGSA’s Facilities Standards for the Public Buildings Service (P100)\u003c/a\u003e, as amended. 
The table below outlines the CMS defined parameters for PE-11.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 11: CMS Defined Parameters- Control PE-11\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-11\u003c/td\u003e\u003ctd\u003eThe organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss\u003c/td\u003e\u003ctd\u003eThe organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system and/or transition of the information system to a long-term alternate power source in the event of a primary power source loss.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS provides a short-term UPS that provides emergency power when the input power source or main power fails. The UPS provides near-instantaneous protection from input power interruptions, by supplying energy stored in batteries. CMS uses a web-based data center monitoring system that allows monitoring of critical support equipment. This provides centralized oversight and features include real-time monitoring and event management.\u003c/p\u003e\u003ch4\u003eLong-Term Alternate Power Supply - Minimal Operational Capability (PE-11 (1))\u003c/h4\u003e\u003cp\u003eLong-term alternate power supply for the information system provides the capability of maintaining minimally required operational capability in the event of an extended loss of the primary power source. 
CMS facilities adhere to the mandatory standards outlined in \u003ca href=\"https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview\"\u003eGSA’s Facilities Standards for the Public Buildings Service (P100)\u003c/a\u003e, as amended. CMS has on-site, diesel-powered generators that are capable of providing a long-term alternate power supply. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.\u003c/p\u003e\u003ch3\u003eEmergency Lighting (PE-12)\u003c/h3\u003e\u003cp\u003eAutomatic emergency lighting that activates and covers emergency exits and evacuation routes is crucial to ensure adequate illumination in the event of a power outage or disruption. CMS facilities adhere to the mandatory standards outlined in \u003ca href=\"https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview\"\u003eGSA’s Facilities Standards for the Public Buildings Service (P100)\u003c/a\u003e, as amended. CMS employs and maintains emergency lighting, that activates in the event of a power outage or disruption, and that covers emergency exits and evacuation routes within the facility. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.\u0026nbsp;\u003c/p\u003e\u003ch3\u003eFire Protection (PE-13)\u003c/h3\u003e\u003cp\u003eFire protection includes devices and systems that are effective in detecting, extinguishing, or controlling a fire event. Preventing fires or limiting damage can ensure work operations continue without interruption. CMS facilities adhere to the mandatory standards outlined in \u003ca href=\"https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview \"\u003eGSA’s Facilities Standards for the Public Buildings Service (P100)\u003c/a\u003e, as amended. 
CMS’s fire protection devices and systems, supported by independent energy sources, work to detect, notify and compartmentalize or suppress the unwanted effects of potentially destructive fires. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.\u003c/p\u003e\u003ch4\u003eDetection Devices/Systems (PE-13(1))\u003c/h4\u003e\u003cp\u003eDetection devices/systems automatically activate to notify personnel and emergency responders in the event of a fire. CMS facilities adhere to the mandatory standards outlined in \u003ca href=\"https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview\"\u003eGSA’s Facilities Standards for the Public Buildings Service (P100)\u003c/a\u003e, as amended. The table below outlines the CMS defined parameters for PE-13(1).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 10: CMS Defined Parameters-Control PE-13(1)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-13(1)\u003c/td\u003e\u003ctd\u003eThe organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organizationdefined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.\u003c/td\u003e\u003ctd\u003eThe organization employs fire detection devices/systems for the information system that activate automatically and notify defined personnel or roles (defined in the applicable security plan) and defined emergency responders (defined in the applicable security or safety plan) in the event of a 
fire.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS’s detection system is comprised of a networked series of fire alarm panels, annunciator panels, addressable audible and visual alarms and initiating devices including smoke detectors, heat detectors, and pull stations.\u003c/p\u003e\u003ch4\u003eSuppression Devices/Systems (PE-13(2))\u003c/h4\u003e\u003cp\u003eFire suppression devices/systems provide automatic activation notification to specific personnel, roles, and emergency responders. CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended. The table below outlines the CMS defined parameters for PE-13(2).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 11: CMS Defined Parameters- Control PE-13(2)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-13(2)\u003c/td\u003e\u003ctd\u003eThe organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].\u003c/td\u003e\u003ctd\u003eThe organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to defined personnel (or roles) and defined emergency responders (defined in the applicable security or safety plan)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS employs a monitored fire alarm system that notifies critical parties (e.g., CMS’s Network Command Center (NCC), designated 
personnel, emergency services/local fire department) as soon as detection devices or systems have been activated.\u003c/p\u003e\u003ch4\u003eAutomatic Fire Suppression (PE-13(3))\u003c/h4\u003e\u003cp\u003eAutomatic fire suppression systems have the capability to control and extinguish fires without human intervention. Options for automatic suppression systems include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAqueous systems (e.g., wet-pipe sprinkler system); and\u003c/li\u003e\u003cli\u003eGaseous systems (e.g., clean agent system). CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eWet-pipe sprinkler systems are installed at CMS facilities. The sprinkler system is heat-activated and responds with water suppression only in the area(s) where heat is detected.\u003c/p\u003e\u003ch3\u003eTemperature and Humidity Controls (PE-14)\u003c/h3\u003e\u003cp\u003eEnvironmental conditions can pose a threat to the hardware of the network. Maintaining recommended temperature and humidity levels in the data center can reduce unplanned downtime caused by environmental conditions. Maintaining and monitoring levels of temperature and humidity where the information system resources (e.g., data centers, server rooms) reside is critical to system reliability. High temperatures can cause equipment to overheat and malfunction. If the relative humidity levels are too high, water condensation can occur, which results in hardware corrosion and early system and component failure. If the relative humidity is too low, computer equipment becomes susceptible to electrostatic discharge (ESD) which can cause damage to sensitive components. 
The table below outlines the CMS defined parameters for PE-14.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 14: CMS Defined Parameters- Control PE-14\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-14\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. Monitors temperature and humidity levels [Assignment: organization defined frequency].\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Maintains temperature and humidity levels within the facility where the information system resides within acceptable vendor-specified levels;\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. Monitors temperature and humidity levels within the defined frequency (defined in the applicable security plan);\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eTemperature and humidity levels are maintained within the vendor-specified levels for optimal system reliability. Zone temperature sensors and humidity sensors are used for continuous monitoring. CMS uses a web-based data center monitoring system that allows monitoring of critical support equipment. This provides centralized oversight and features include real-time monitoring and event management. 
CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.\u003c/p\u003e\u003ch4\u003eWater Damage Protection (PE-15)\u003c/h4\u003e\u003cp\u003eShut-off valves help prevent water damage by closing off the water supply. Main shut-off or isolation valves can be used to protect the information system resources from damage resulting from water leakage. Isolation valves are used to shut off water supplies at a specific location, usually for maintenance or safety purposes, and can be employed in addition to or in lieu of main shutoff valves. CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100)19, as amended. CMS protects the information system resources from water damage resulting from broken plumbing lines or other sources of water leakage by providing main shut-off valves or isolation valves that are accessible, functional, and known to key personnel. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.\u003c/p\u003e\u003ch4\u003eAutomation Support (PE-15 (1))\u003c/h4\u003e\u003cp\u003eAutomated mechanisms (e.g., water detection sensors, alarms and notification systems) are used to detect and provide an alert to the presence of water near the information system. 
The table below outlines the CMS defined parameters for PE-15(1).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 12: CMS Defined Parameters-Control PE-15(1)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-15(1)\u003c/td\u003e\u003ctd\u003eThe organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles].\u003c/td\u003e\u003ctd\u003eThe organization employs automated mechanisms to detect the presence of water near the information system and alerts defined personnel or roles (defined in the applicable security plan)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS uses water detection sensors to detect water from environmental events (e.g., floods), as well as from equipment failure, leaks and broken pipes. CMS uses a web-based data center monitoring system that allows monitoring of critical support equipment. This provides centralized oversight and features include real-time monitoring and event management. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.\u003c/p\u003e\u003ch3\u003eDelivery and Removal (PE-16)\u003c/h3\u003e\u003cp\u003eEffectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. 
The table below outlines the CMS defined parameters for PE-16.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 17: CMS Defined Parameters- Control PE-16\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-16\u003c/td\u003e\u003ctd\u003eThe organization authorizes, monitors, and controls [Assignment: organization defined types of information system components] entering and exiting the facility and maintains records of those items.\u003c/td\u003e\u003ctd\u003eThe organization authorizes, monitors, and controls the flow of all information system-related components entering and exiting the facility and maintains records of those items\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS authorizes, monitors and controls the flow of information system-related components entering and exiting the facility through the use of procedures which include controlled access to the facility, secure storage and the maintenance of entry/exit records.\u003c/p\u003e\u003ch3\u003eAlternate Work Site (PE-17)\u003c/h3\u003e\u003cp\u003eAlternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. There is a direct relationship between an agency’s Continuity of Operations (COOP) plan and telework. 
Both programs, telework and COOP, share a basic objective: to perform and maintain agency functions from an alternative location. Telework can help ensure that essential Federal functions continue through hazardous weather, pandemic, physical attacks, or any other event that would result in the closure of Government facilities. The \u003ca href=\"https://www.govinfo.gov/content/pkg/BILLS-111hr1722enr/pdf/BILLS-111hr1722enr.pdf \"\u003eTelework Enhancement Act of 2010\u003c/a\u003e\u0026nbsp;provides a framework for agencies to better leverage technology and to maximize the use of flexible work arrangements, including those involving emergency situations. The table below outlines the CMS defined parameters for PE-17.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 18: CMS Defined Parameters- Control PE-17\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-17\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Employs [Assignment: organization defined security controls] at alternate work sites;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Employs appropriate security controls at alternate work sites to include, but not to be limited to, requiring the use of laptop cable locks, recording serial numbers and other identification information about laptops, and disconnecting modems at alternate work sites;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe CMS telework program is a valuable tool to meet mission objectives. 
CMS’s policy that governs telework is located in the \u003ca href=\"https://cmsintranet.share.cms.gov/ER/Documents/2017Master-Labor-Agreement.pdf\"\u003eMaster Labor Agreement (MLA), Article 29: Telecommuting Programs\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eParticipation in the CMS telework program is voluntary. A completed telework agreement between the employee and CMS is required for participation. Employees with a valid telework agreement may be required by CMS to telecommute at an approved ADS in the instances of: a full day building closure; an early building closure for non-weather related reasons; or a delayed opening (e.g., inclement weather or in other emergencies). CMS may also require telework employees to work at an ADS when a COOP is in effect. Per \u003ca href=\"https://www.opm.gov/faq/telework/Can-Federal-contractors-telework.ashx \"\u003eOffice of Personnel Management (OPM)\u003c/a\u003e, there is no Federal statute or regulation that specifically prohibits Federal contractors from teleworking. The decision to allow a contractor to telework would be made by the contractor’s supervisor and/or in conjunction with CMS. CMS employs appropriate security controls at alternate work sites. Security controls include technology-enforced protection such as Virtual Private Network (VPN) technology, multi-factor authentication, anti-virus software, and encryption. 
In addition, procedures, including the \u003ca href=\"https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/rules-of-behavior-for-use-of-hhs-informationresources/index.html \"\u003eHHS RoB\u003c/a\u003e, which applies to remote use of HHS information (in both electronic and physical forms) and information systems, rely on users to follow rules or perform certain steps that are not necessarily enforced by technical means. For security incidents, contact the CMS IT Service Desk by calling (410) 786-2580 or (800) 562-1963; or by sending an email to cms_it_service_desk@cms.hhs.gov to open a ticket.\u003c/p\u003e\u003ch3\u003eLocation of Information System Components (PE-18)\u003c/h3\u003e\u003cp\u003ePositioning the information system components within the facility is critical to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. The location of physical entry points should be considered where unauthorized individuals, while not being granted access, might be in close proximity to information systems. This increases the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). 
The table below outlines the CMS defined parameters for PE-18.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 19: CMS Defined Parameters- Control PE-18\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-18\u003c/td\u003e\u003ctd\u003eThe organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.\u003c/td\u003e\u003ctd\u003eThe organization positions information system components within the facility to minimize potential damage from physical and environmental hazards, and to minimize the opportunity for unauthorized access.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS positions the information system components to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. 
Considerations when positioning information system components include:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity: layered security consists of access card readers, mantraps, video surveillance and/or security staff\u0026nbsp;\u003c/li\u003e\u003cli\u003eFire protection: fire protection systems, as well as implementation of fire prevention programs in operations\u0026nbsp;\u003c/li\u003e\u003cli\u003eElectrical power: proven and reliable power grid with backup power that consists of one or more UPS, in addition to battery banks and generators.\u0026nbsp;\u003c/li\u003e\u003cli\u003eGeographic location: probability and frequency of natural disasters, extreme weather, and seismic activity to occur at a specific location.\u0026nbsp;\u003c/li\u003e\u003cli\u003eStructural design: techniques that can be used to make the actual data center resistant to physical attacks (e.g., reinforced with steel and concrete)\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIn addition, the raised floor space, air conditioning support, UPS, generators, and related support equipment must be coordinated with the other areas of the facility and properly positioned within the facility’s perimeter in order to improve their interaction.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eApplicable Laws and Guidance\u0026nbsp;\u003c/h2\u003e\u003cp\u003eThe Applicable Laws and Guidance appendix provides references to both authoritative and guidance documentation supporting the “document.” Subsections are organized to “level of authority” (e.g., Statutes take precedence over Federal Directives and Policies).\u0026nbsp;\u003c/p\u003e\u003ch3\u003eStatutes\u0026nbsp;\u003c/h3\u003e\u003cp\u003e\u003ca href=\"http://www.hhs.gov/hipaa\"\u003eHealth Insurance Portability and Accountability Act of 1996 (HIPAA)\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eFederal Directives and Policies\u0026nbsp;\u003c/h3\u003e\u003cp\u003e\u003ca 
href=\"https://www.fedramp.gov/files/2015/03/FedRAMP-Control-Quick-Guide-Rev4-FINAL01052015.pdf\"\u003eFedRAMP Rev. 4 Baseline\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.dhs.gov/homeland-security-presidential-directive-12\"\u003eHomeland Security Presidential Directive 12\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilitiesstandards-p100-overview\"\u003eU.S. General Services Administration: Facilities Standards for Public Buildings Service (P100)\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.archives.gov/files/records-mgmt/grs/grs05-6.pdf\"\u003eNational Archives and Records Administration (NARA) schedule GRS 5.6: Security Records\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eOMB Policy and Memoranda\u0026nbsp;\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130trans4.pdf\"\u003eOMB Circular A-130, Management of Federal Information Resources\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2011/m11-27.pdf\"\u003eOMB Memo: M-11-27, Implementing the Telework Enhancement Act of 2010: Security Guidelines\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eNIST Guidance and Federal Information Processing Standards\u0026nbsp;\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf\"\u003eFIPS-201-2 Personal Identity Verification (PIV) of Federal Employees and Contractors\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.200.pdf\"\u003eFIPS-200 Minimum Security Requirements for Federal Information and Information Systems\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca 
href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\u003eNIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-116r1.pdf\"\u003eNIST SP 800-116, Guidelines for the Use of PIV Credentials in Facility Access\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf\"\u003eNIST SP 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf\"\u003eNIST SP 800 73, Interfaces for Personal Identity Verification – Part 1: PIV Card Application Namespace, Data Model and Representation\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-76-2.pdf\"\u003eNIST SP 800 76, Biometric Specifications for Personal Identity Verification\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-78-4.pdf\"\u003e8 NIST SP 800 78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eHHS Policy\u0026nbsp;\u003c/h3\u003e\u003cp\u003eHHS-OCIO-2014-0001 HHS Information System Security and Privacy Policy (HHS IS2P)– 2014 Edition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eTo obtain a copy of this document, email fisma@hhs.gov\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-InformationTechnology/InformationSecurity/Downloads/IS2P2.pdf\"\u003eRules of Behavior for Use of Health and Human Services Information Resources (HHS 
RoB)\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eAssociated CMS Resources\u0026nbsp;\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://cmsintranet.share.cms.gov/ER/Documents/2017Master-LaborAgreement.pdf\"\u003eMaster Labor Agreement\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cmsintranet.share.cms.gov/WR/Documents/CMSPhysicalSecurityProgramHandbook.pdf#search=physical%20security%20handbook\"\u003ePhysical Security Handbook\u003c/a\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:Td513,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eIntroduction\u003c/h2\u003e\u003cp\u003eThis Handbook outlines procedures to help CMS staff and contractors implement the Physical and Environmental Protection family of controls taken from the National Institute of Standards and Technology (NIST) Special Publication 800-53 and tailored to the CMS environment in the CMS Acceptable Risk Safeguards (ARS). For more guidance on implementing CMS policies and standards across many cybersecurity topics, see the CMS Security and Privacy Handbooks.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe controls listed in this chapter focus on how the organization must: ensure that information systems are protected by limiting physical access to information systems, equipment, and the respective operating environments to only authorized individuals; protect the physical plant and support infrastructure for information systems; provide supporting utilities for information systems; protect information systems against environmental hazards; and provide appropriate environmental controls in facilities containing information systems. 
Procedures in this chapter describe requirements for physical access, access control, records management, emergency protections, and physical locations of systems, with regard to physical and environmental protection.\u003c/p\u003e\u003ch2\u003ePhysical and Environmental Protection\u003c/h2\u003e\u003ch3\u003ePhysical Access Authorizations (PE-2)\u003c/h3\u003e\u003cp\u003eThe Physical Access Authorizations control includes employees, contractors, and others with permanent physical access authorization credentials; this control does not apply to visitors or areas within facilities that have been designated as publicly accessible. Access authorization credentials include badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials required consistent with federal standards, policies, and procedures. \u003ca href=\"https://www.dhs.gov/homeland-security-presidential-directive-12\"\u003eHomeland Security Presidential Directive 12 (HSPD-12)\u003c/a\u003e is a strategic initiative intended to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy. HSPD-12 requires development and agency implementation of a mandatory, governmentwide standard for secure and reliable forms of identification for federal employees and contractors requiring physical access to federally controlled facilities and logical access to federally controlled information systems.\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eGuidance for systems processing, storing, or transmitting PHI:\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cp\u003eUnder the HIPAA Security Rule, this is an addressable implementation specification. HIPAA covered entities must conduct an analysis as described at 45 C.F.R. § 164.306 (Security standards: General rules) part (d) (Implementation specifications) to determine how it must be applied within the organization. 
Maintaining a current list of personnel that are authorized to access facilities where sensitive information is located protects the information from unauthorized access. For the purposes of this control, “sensitive information” includes personally identifiable information (PII) and protected health information (PHI). The table below outlines the CMS defined parameters for PE-2.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 3: CMS Defined Parameters- Control PE-2\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-2\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003cp\u003e\u0026nbsp;c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency];\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ec. Reviews the access list detailing authorized facility access by individuals every (90 High, 180 Moderate, 365 Low) days;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; issues authorization credentials for facility access; reviews the access list detailing authorized facility access by individuals; and removes individuals from the facility access list when access is no longer required. Federal regulations require that the Physical Access Control System (PACS) utilize the HSPD-12 credential, commonly referred to as Personal Identity Verification (PIV), to control physical access. 
PIV credentials at CMS are maintained through the use of PACS. PACS enables an authority to control physical access to areas and resources in a given physical facility. PIV credentials for physical access are valid for no more than 5 years and 9 months but must be surrendered or canceled when access is no longer officially required. There is no requirement for a periodic reinvestigation to maintain a PIV credential.\u003c/p\u003e\u003cp\u003eIn accordance with \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf \"\u003eFederal Information Processing Standards (FIPS) 201-2\u003c/a\u003e, Personal Identity Verification (PIV) of Federal Employees and Contractors, these permissions must be removed from the credential within 18 hours of a change in cardholder status, resulting in loss of the access privilege. For physical access authorization to controlled areas, PACS Central within the Physical Access Management (PAM) system is to be used to submit a request. The request is then routed to the Access Authority of that area for authorization. The Access Authority for each area maintains the list of individuals with authorized access, performing reviews every 90 days. \u0026nbsp;\u003c/p\u003e\u003ch3\u003ePhysical Access Control (PE-3)\u003c/h3\u003e\u003cp\u003ePhysical Access Control applies to organizational employees and visitors without permanent physical access-authorization credentials. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Identity, credential, and access management (ICAM) comprises the tools, policies and systems that allow an organization to manage, monitor and secure access to protected resources. 
The Federal ICAM (FICAM) program, managed by General Services Administration (GSA) Office of Information Integrity and Access, provides collaboration opportunities and guidance on IT policy, standards, implementation and architecture, to help federal agencies implement ICAM. The table below outlines the CMS defined parameters for PE-3.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 4: CMS Defined Parameters- Control PE-3\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-3\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;\u0026nbsp;\u003c/p\u003e\u003cp\u003e2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];\u0026nbsp;\u003c/p\u003e\u003cp\u003ec. Provides [Assignment: organization defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;\u0026nbsp;\u003c/p\u003e\u003cp\u003ed. Escorts visitors and monitors visitor activity [Assignment: organization defined circumstances requiring visitor escorts and monitoring];\u0026nbsp;\u003c/p\u003e\u003cp\u003ef. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and\u0026nbsp;\u003c/p\u003e\u003cp\u003eg. 
Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Enforces physical access authorizations at defined entry/exit points to the facility (defined in the applicable security plan) where the information system resides by;\u0026nbsp;\u003c/p\u003e\u003cp\u003e2. Controlling ingress/egress to the facility using guards and/or defined physical access control systems/devices (defined in the applicable security plan).\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. Maintains physical access audit logs for defined entry/exit points (defined in the applicable security plan);\u0026nbsp;\u003c/p\u003e\u003cp\u003ec. Provides defined security safeguards (defined in the applicable security plan) to control access to areas within the facility officially designated as publicly accessible;\u0026nbsp;\u003c/p\u003e\u003cp\u003ed. Escorts visitors and monitors visitor activity in defined circumstances requiring visitor escorts and monitoring (defined in the applicable security plan);\u0026nbsp;\u003c/p\u003e\u003cp\u003ef. Inventories defined physical access devices (defined in the applicable security plan) no less often than every (90 High, 90 Moderate, or 180 Low) days; and\u0026nbsp;\u003c/p\u003e\u003cp\u003eg. Changes combinations and keys for defined high-risk entry/exit points (defined in the applicable security plan) within every 365 days, and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS enforces physical access control by promoting a secure location, protected with appropriate security structures and entry controls. 
Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both.\u003c/p\u003e\u003cp\u003eSafeguards include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerifying individual access authorizations before granting access to the facility;\u003c/li\u003e\u003cli\u003eControlling ingress/egress to the facility using guards and/or defined physical access control systems/devices; and\u0026nbsp;\u003c/li\u003e\u003cli\u003eMaintaining physical access audit logs for defined entry/exit points. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSafeguards include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProviding defined security safeguards to control access to areas within the facility officially designated as publicly accessible; and\u003c/li\u003e\u003cli\u003eEscorting visitors and monitoring visitor activity in defined circumstances requiring visitor escorts and monitoring. A CMS employee or authorized contractor (i.e., contractor with escort privileges) who is in possession of a valid, CMS issued badge assumes responsibility for a visitor to CMS facilities.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eNote: All foreign national visits require prior approval and will be assigned a “host” who will be responsible for ensuring that the visit is in full compliance with applicable policies and procedures. 
Physical access control devices can include keys, locks, combinations, and card readers.\u003c/p\u003e\u003cp\u003eSafeguards include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecuring keys, combinations, and other physical access devices; changing combinations and keys for defined high-risk entry/exit points as required, and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated; and\u003c/li\u003e\u003cli\u003eMaintaining inventory of defined physical access devices, as required.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eInformation System Access (PE-3(1))\u003c/h4\u003e\u003cp\u003ePhysical access authorizations are enforced, in addition to physical access controls, for those secure areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communication centers). The table below outlines the CMS defined parameters for PE-3(1).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 5: CMS Defined Parameters-Control PE-3(1)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-3(1)\u003c/td\u003e\u003ctd\u003eThe organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].\u003c/td\u003e\u003ctd\u003eThe organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at defined physical spaces (defined in the applicable security plan) containing a 
concentration of information system components (e.g., server rooms, media storage areas, data and communications centers, etc.).\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS enforces physical access authorizations at physical spaces that contain information system components to provide an adequate level of security to protect CMS data and information systems from unauthorized access. Physical access authorizations include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControlling access by the use of door and window locks and security personnel or physical authentication devices, such as biometrics and/or smart card/PIN combination; and\u003c/li\u003e\u003cli\u003eStoring and operating information system components in physically secure environments with access limited to authorized personnel.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAt CMS, personnel are required to obtain an upgraded background investigation and approval by Department of Public Safety (DPS) for authorization.\u003c/p\u003e\u003ch3\u003eAccess Control for Transmission Medium (PE-4)\u003c/h3\u003e\u003cp\u003eA transmission medium is the means through which data is sent from one place to another, using cables or electromagnetic signals to transmit data. Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. These applied safeguards also help to prevent eavesdropping or unauthorized transit modification of unencrypted transmissions. 
The table below outlines the CMS-defined parameters for PE-4.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 6: CMS Defined Parameters- Control PE-4\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-4\u003c/td\u003e\u003ctd\u003eThe organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].\u003c/td\u003e\u003ctd\u003eThe organization controls physical access to telephone closets and information system distribution and transmission lines within organizational facilities using defined security safeguards (defined in the applicable security plan).\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS implements security safeguards to control physical access to information system distribution and transmission lines. Safeguards include:\u0026nbsp;\u003c/p\u003e\u003cp\u003eStoring information system distribution and transmission lines in authorized access areas. Access is limited to authorized personnel to prevent theft, vandalism and undocumented changes. 
Contact-based card readers, PINs, and/or security guards control physical access.\u003c/p\u003e\u003cp\u003eEncasing transmission lines by metal conduit, which is capable of shielding sensitive circuits from electromagnetic interference, in an effort to prevent accidental damage, eavesdropping and disruption.\u003c/p\u003e\u003cp\u003eDisabling unused physical ports is a method used to help secure the network from unauthorized access.\u003c/p\u003e\u003ch3\u003eAccess Control for Output Devices (PE-5)\u003c/h3\u003e\u003cp\u003eControlling physical access by placing output devices in secured areas, allowing access to authorized individuals, and placing output devices in monitored locations prevents unauthorized individuals from obtaining the output. Printers, copiers, scanners and monitors are examples of information system output devices.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePrinters\u003c/strong\u003e:\u003c/p\u003e\u003cp\u003eCMS provides personal printers to support individual users and network printers that are accessible by network connection. Each CMS employee, with an assigned office or cubicle, is issued a personal printer for use. This printer can only be used when the laptop is in the computer docking station. Network printers are shared output devices used amongst CMS employees and Contractors that have CMS issued laptops. Safeguards include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSetting up devices to automatically print cover pages, also known as separator pages, with each print job. 
These cover pages contain useful information, such as the 4-character CMS user identification (ID), which can be used to identify the originator of the print job.\u003c/li\u003e\u003cli\u003eConfiguring devices to ensure data is not saved or stored within the device once the print job is cleared out of the print queue.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ePrint at home capabilities are available for CMS employees who have a need to print documents while at an Alternative Duty Station (ADS). Completion and submission of the \u003ca href=\"https://cmsintranet.share.cms.gov/CT/_layouts/15/WopiFrame2.aspx?sourcedoc=/CT/Documents/Print-at-HomeAgreement.docx\u0026amp;action=default\u0026amp;DefaultItemOpen=1 \"\u003ePrint at Home Agreement \u003c/a\u003eallows the employee to connect his or her personally owned Universal Serial Bus (USB) printer (parallel cables and wireless printers are not supported) to the CMS issued laptop and install the printer drivers and print documents. By signing this agreement, CMS employees are attesting to: • Ensure that CMS information is protected from unauthorized access, use, disclosure, duplication, modification, diversion, or destruction—whether accidental or intentional – in order to maintain confidentiality, integrity, and availability; • Implement proper physical security measures to be used to secure hardcopy documents, containing confidential, sensitive or proprietary information used by CMS to fulfill its mission;\u0026nbsp; \u0026nbsp;\u003c/p\u003e\u003cp\u003eMaintain all information and/or media containing confidential data such as paper and files in a secure location or locked cabinet when not in use. 
CMS documents containing protected health information (PHI), personally identifiable information (PII) or other sensitive data may not be printed using your home printer; and\u003c/p\u003e\u003cp\u003eSecurely store any documents printed at home and to return documents to CMS for proper disposition (e.g., filing, shredding). (RMH Chapter 10: Media Protection provides additional information on media sanitization.)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCopier/Scanner devices:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eLocated in designated rooms throughout CMS, copier/scanner devices allow a full range of capabilities necessary to manage internal documents. Safeguards include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRequiring the use of PIV Credentials for copying and scan-to-email capabilities. Device-based login is an effective way to control who can access and use the device and to manage and limit user access according to job responsibilities.\u0026nbsp;\u003c/li\u003e\u003cli\u003eConfiguring devices to ensure data is not saved or stored within the device beyond the completion of the copier/scanner action.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eMonitors:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCMS complies with the \u003ca href=\"https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/rules-of-behavior-for-use-of-hhs-informationresources/index.html\"\u003eRules of Behavior for Use of Health and Human Services Information Resources (HHS RoB)\u003c/a\u003e which includes the general security practice of locking workstations and removing PIV cards from laptops when leaving them unattended. All new users of HHS information resources must read the HHS RoB and sign the accompanying acknowledgement form before accessing data or other information, systems, and/or networks. This acknowledgement, affirming their knowledge of and agreement to the HHS RoB, must be completed annually thereafter. 
CMS users are offered two primary methods to lock the laptop:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUse the Ctrl + Alt + Delete command and select “Lock”; or\u003c/li\u003e\u003cli\u003eUse the “Lock Computer” shortcut. This shortcut is installed on the Desktop of CMS issued laptops.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS issued laptops are configured to automatically lock after 20 minutes of inactivity; in screen lock settings, this “Wait” time cannot be changed by the user.\u003c/p\u003e\u003ch3\u003eMonitoring Physical Access (PE-6)\u003c/h3\u003e\u003cp\u003ePhysical access monitoring includes investigations of and responses to detected physical security incidents. Physical security incidents include security violations or suspicious physical access activities such as accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses. The table below outlines the CMS defined parameters for PE-6.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 7: CMS Defined Parameters- Control PE-6\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-6\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. 
Reviews physical access logs weekly and upon occurrence of security incidents or indications of potential events involving physical security; and\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS monitors physical access to the facility where the information system resides to detect and respond to physical security incidents. Security staff provides real-time monitoring, 24 hours per day, 7 days a week, and 365 days a year, for potential security breaches or disturbances. Response plans, that outline the method for responding, are used for identified physical security incidents.\u003c/p\u003e\u003cp\u003eInformation retained within CMS’s electronic security system is intended for security purposes only. There are instances when the information collected within these security systems could prove valuable in both criminal and administrative proceedings. Due to the sensitive nature of the information retained, it cannot be released to anyone without regard for the privacy of the individuals contained within. CMS applies the following rules for the release of security information:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCriminal Evidence: Information that may be used as evidence in criminal proceedings will only be released upon the request of a duly authorized law enforcement entity. This information includes video of a traffic accident in a parking lot, record of entry into a controlled access location, and video of an altercation.\u003c/li\u003e\u003cli\u003eAdministrative Evidence: Requests for information that may be used as evidence in administrative proceedings will only be considered from managers, as it applies to a member of their organization, or a member of the Division of Workforce Compliance. A member of the security team or individual entrusted with the retention of security information will review the system to meet the specific request. 
Only the specifically requested information will be provided. For example, if management wanted to determine if a specific employee reported to work over a particular weekend, the security official could review logs from the weekend and inform the manager that the employee did or did not sign in over the weekend and, if so, what times. The security official is not to release all of the logs to the manager for the manager’s own review.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e7.5.1 Intrusion Alarms/Surveillance Equipment (PE-6 (1))\u003c/h4\u003e\u003cp\u003eIntrusion alarms and surveillance equipment work in tandem with physical access controls to alert security personnel when unauthorized access is attempted. Monitoring of this equipment is useful for incident verification. CMS’s intrusion alarms and surveillance equipment are linked to the PAM system. CMS’s video surveillance systems maintain a 14-day recorded video capability.\u003c/p\u003e\u003ch4\u003eMonitoring Physical Access to Information Systems (PE-6 (4))\u003c/h4\u003e\u003cp\u003ePhysical spaces within facilities that contain one or more information system components (e.g., server rooms, media storage areas, data centers, communications centers) require additional physical access monitoring. 
The table below outlines the CMS defined parameters for PE-6(4).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 8: CMS Defined Parameters-Control PE-6(4)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-6(4)\u003c/td\u003e\u003ctd\u003eThe organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system].\u003c/td\u003e\u003ctd\u003eThe organization monitors physical access to the information system, in addition to the physical access monitoring of the facility, at defined physical spaces (defined in the applicable security plan) containing a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers, etc.).\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS provides monitoring to defined physical spaces by the use of additional access card readers restricting access to only authorized personnel. Further measures can include the use of mantraps, which are a physical access control system comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens.\u003c/p\u003e\u003ch3\u003eVisitor Access Records (PE-8)\u003c/h3\u003e\u003cp\u003eVisitor access records include the recording and collection of visitor data, either manually or through electronic visitor management systems, or both. Visitor access records are not required for publicly accessible areas. 
The table below outlines the CMS defined parameters for PE-8.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 9: CMS Defined Parameters- Control PE-8\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-8\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. Reviews visitor access records [Assignment: organization-defined frequency].\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Maintains visitor access records to the facility where the information system resides for two (2) years; and\u003c/p\u003e\u003cp\u003eb. Reviews visitor access records no less often than monthly.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS adheres to the retention schedule found in \u003ca href=\"https://www.archives.gov/files/records-mgmt/grs/grs05-6.pdf \"\u003eNational Archives and Records Administration (NARA) General Records Schedule (GRS) 5.6: Security Records\u003c/a\u003e for maintaining visitor access records at the facility for 2 years. In addition, visitor access records are reviewed every 30 days. Visitor access records consist of the following data:\u003c/p\u003e\u003cul\u003e\u003cli\u003eName and organization of the person visiting;\u003c/li\u003e\u003cli\u003eVisitor’s signature;\u003c/li\u003e\u003cli\u003eForm of identification/Valid U.S. 
Government issued photo identification;\u003c/li\u003e\u003cli\u003eDate of access;\u003c/li\u003e\u003cli\u003eTime of entry and departure;\u003c/li\u003e\u003cli\u003ePurpose of visit; and\u003c/li\u003e\u003cli\u003eName and organization of person visited.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eAutomated Records Maintenance/Review (PE-8 (1))\u003c/h4\u003e\u003cp\u003eMaintenance and review of visitor access records are enabled by automated mechanisms that aid in the capture and management of records. CMS uses PAM, which contains multiple modules to perform security tasks, including visitor management.\u003c/p\u003e\u003ch3\u003ePower Equipment and Cabling (PE-9)\u003c/h3\u003e\u003cp\u003eOrganizations are responsible for determining the types of protection that are needed to protect power equipment and power cabling from damage and destruction. This protection occurs at different locations (both internal and external to organizational facilities) and environments of operation. Examples of power equipment and cabling include generators and power cabling outside of facilities, internal cabling and uninterruptable power sources within offices or data centers, and power sources for self-contained entities such as vehicles and satellites. CMS facilities adhere to the mandatory standards outlined in \u003ca href=\"https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100- overview\"\u003eGSA’s Facilities Standards for the Public Buildings Service (P100)\u003c/a\u003e, as amended. Infrastructure assets are protected by restricting access and by the use of environmental detection devices. 
CMS permits only authorized personnel to access infrastructure assets, including power generators, heating, ventilation, and air conditioning (HVAC) systems, cabling, and wiring closets.\u003c/p\u003e\u003ch3\u003eEmergency Shutoff (PE-10)\u003c/h3\u003e\u003cp\u003eEmergency shutoff switches or devices provide the capability of shutting off power to the information system or individual system components in emergency situations. Placing these shutoff switches or devices in a location that will allow for personnel to approach the shutoff switch(es) safely permits easy access in emergency situations without risk to the individual and protects the emergency power shutoff capability from unauthorized or inadvertent activation. The table below outlines the CMS defined parameters for PE-10.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 10: CMS Defined Parameters- Control PE-10\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-10\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003cp\u003e\u0026nbsp;b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel;\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. 
Places emergency shutoff switches or devices in a location that does not require personnel to approach the equipment to facilitate safe and easy access for personnel;\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS implements and maintains emergency shutoff switches or emergency power off (EPO) buttons as a safety mechanism that can be used to shut power off from the information system or from individual system components in an emergency. These clearly marked shutoff devices are installed at the exit doors.\u003c/p\u003e\u003ch3\u003eEmergency Power (PE-11)\u003c/h3\u003e\u003cp\u003eEmergency power, using a short-term, uninterruptible power supply (UPS), permits an orderly shutdown of the information system and/or transition of the information system to a long-term alternate power supply in the event of a primary power source loss. CMS facilities adhere to the mandatory standards outlined in \u003ca href=\"https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview\"\u003eGSA’s Facilities Standards for the Public Buildings Service (P100)\u003c/a\u003e, as amended. 
The table below outlines the CMS defined parameters for PE-11.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 11: CMS Defined Parameters- Control PE-11\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-11\u003c/td\u003e\u003ctd\u003eThe organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss\u003c/td\u003e\u003ctd\u003eThe organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system and/or transition of the information system to a long-term alternate power source in the event of a primary power source loss.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS provides a short-term UPS that provides emergency power when the input power source or main power fails. The UPS provides near-instantaneous protection from input power interruptions, by supplying energy stored in batteries. CMS uses a web-based data center monitoring system that allows monitoring of critical support equipment. This provides centralized oversight and features include real-time monitoring and event management.\u003c/p\u003e\u003ch4\u003eLong-Term Alternate Power Supply - Minimal Operational Capability (PE-11 (1))\u003c/h4\u003e\u003cp\u003eLong-term alternate power supply for the information system provides the capability of maintaining minimally required operational capability in the event of an extended loss of the primary power source. 
CMS facilities adhere to the mandatory standards outlined in \u003ca href=\"https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview\"\u003eGSA’s Facilities Standards for the Public Buildings Service (P100)\u003c/a\u003e, as amended. CMS has on-site, diesel-powered generators that are capable of providing a long-term alternate power supply. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.\u003c/p\u003e\u003ch3\u003eEmergency Lighting (PE-12)\u003c/h3\u003e\u003cp\u003eAutomatic emergency lighting that activates and covers emergency exits and evacuation routes is crucial to ensure adequate illumination in the event of a power outage or disruption. CMS facilities adhere to the mandatory standards outlined in \u003ca href=\"https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview\"\u003eGSA’s Facilities Standards for the Public Buildings Service (P100)\u003c/a\u003e, as amended. CMS employs and maintains emergency lighting, that activates in the event of a power outage or disruption, and that covers emergency exits and evacuation routes within the facility. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.\u0026nbsp;\u003c/p\u003e\u003ch3\u003eFire Protection (PE-13)\u003c/h3\u003e\u003cp\u003eFire protection includes devices and systems that are effective in detecting, extinguishing, or controlling a fire event. Preventing fires or limiting damage can ensure work operations continue without interruption. CMS facilities adhere to the mandatory standards outlined in \u003ca href=\"https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview \"\u003eGSA’s Facilities Standards for the Public Buildings Service (P100)\u003c/a\u003e, as amended. 
CMS’s fire protection devices and systems, supported by independent energy sources, work to detect, notify and compartmentalize or suppress the unwanted effects of potentially destructive fires. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.\u003c/p\u003e\u003ch4\u003eDetection Devices/Systems (PE-13(1))\u003c/h4\u003e\u003cp\u003eDetection devices/systems automatically activate to notify personnel and emergency responders in the event of a fire. CMS facilities adhere to the mandatory standards outlined in \u003ca href=\"https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview\"\u003eGSA’s Facilities Standards for the Public Buildings Service (P100)\u003c/a\u003e, as amended. The table below outlines the CMS defined parameters for PE-13(1).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 10: CMS Defined Parameters-Control PE-13(1)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-13(1)\u003c/td\u003e\u003ctd\u003eThe organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.\u003c/td\u003e\u003ctd\u003eThe organization employs fire detection devices/systems for the information system that activate automatically and notify defined personnel or roles (defined in the applicable security plan) and defined emergency responders (defined in the applicable security or safety plan) in the event of a 
fire.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS’s detection system is comprised of a networked series of fire alarm panels, annunciator panels, addressable audible and visual alarms and initiating devices including smoke detectors, heat detectors, and pull stations.\u003c/p\u003e\u003ch4\u003eSuppression Devices/Systems (PE-13(2))\u003c/h4\u003e\u003cp\u003eFire suppression devices/systems provide automatic activation notification to specific personnel, roles, and emergency responders. CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended. The table below outlines the CMS defined parameters for PE-13(2).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 11: CMS Defined Parameters- Control PE-13(2)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-13(2)\u003c/td\u003e\u003ctd\u003eThe organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].\u003c/td\u003e\u003ctd\u003eThe organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to defined personnel (or roles) and defined emergency responders (defined in the applicable security or safety plan)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS employs a monitored fire alarm system that notifies critical parties (e.g., CMS’s Network Command Center (NCC), designated 
personnel, emergency services/local fire department) as soon as detection devices or systems have been activated.\u003c/p\u003e\u003ch4\u003eAutomatic Fire Suppression (PE-13(3))\u003c/h4\u003e\u003cp\u003eAutomatic fire suppression systems have the capability to control and extinguish fires without human intervention. Options for automatic suppression systems include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAqueous systems (e.g., wet-pipe sprinkler system); and\u003c/li\u003e\u003cli\u003eGaseous systems (e.g., clean agent system).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended.\u003c/p\u003e\u003cp\u003eWet-pipe sprinkler systems are installed at CMS facilities. The sprinkler system is heat-activated and responds with water suppression only in the area(s) where heat is detected.\u003c/p\u003e\u003ch3\u003eTemperature and Humidity Controls (PE-14)\u003c/h3\u003e\u003cp\u003eEnvironmental conditions can pose a threat to the hardware of the network. Maintaining recommended temperature and humidity levels in the data center can reduce unplanned downtime caused by environmental conditions. Maintaining and monitoring levels of temperature and humidity where the information system resources (e.g., data centers, server rooms) reside is critical to system reliability. High temperatures can cause equipment to overheat and malfunction. If the relative humidity levels are too high, water condensation can occur which results in hardware corrosion and early system and component failure. If the relative humidity is too low, computer equipment becomes susceptible to electrostatic discharge (ESD) which can cause damage to sensitive components. 
The table below outlines the CMS defined parameters for PE-14.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 14: CMS Defined Parameters- Control PE-14\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-14\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. Monitors temperature and humidity levels [Assignment: organization defined frequency].\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Maintains temperature and humidity levels within the facility where the information system resides within acceptable vendor-specified levels;\u0026nbsp;\u003c/p\u003e\u003cp\u003eb. Monitors temperature and humidity levels within the defined frequency (defined in the applicable security plan);\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eTemperature and humidity levels are maintained within the vendor-specified levels for optimal system reliability. Zone temperature sensors and humidity sensors are used for continuous monitoring. CMS uses a web-based data center monitoring system that allows monitoring of critical support equipment. This provides centralized oversight and features include real-time monitoring and event management. 
CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.\u003c/p\u003e\u003ch4\u003eWater Damage Protection (PE-15)\u003c/h4\u003e\u003cp\u003eShut-off valves help prevent water damage by closing off the water supply. Main shut-off or isolation valves can be used to protect the information system resources from damage resulting from water leakage. Isolation valves are used to shut off water supplies at a specific location, usually for maintenance or safety purposes, and can be employed in addition to or in lieu of main shutoff valves. CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100)19, as amended. CMS protects the information system resources from water damage resulting from broken plumbing lines or other sources of water leakage by providing main shut-off valves or isolation valves that are accessible, functional, and known to key personnel. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.\u003c/p\u003e\u003ch4\u003eAutomation Support (PE-15 (1))\u003c/h4\u003e\u003cp\u003eAutomated mechanisms (e.g., water detection sensors, alarms and notification systems) are used to detect and provide an alert to the presence of water near the information system. 
The table below outlines the CMS defined parameters for PE-15(1).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 12: CMS Defined Parameters-Control PE-15(1)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-15(1)\u003c/td\u003e\u003ctd\u003eThe organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles].\u003c/td\u003e\u003ctd\u003eThe organization employs automated mechanisms to detect the presence of water near the information system and alerts defined personnel or roles (defined in the applicable security plan)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS uses water detection sensors to detect water from environmental events (e.g., floods), as well as from equipment failure, leaks and broken pipes. CMS uses a web-based data center monitoring system that allows monitoring of critical support equipment. This provides centralized oversight and features include real-time monitoring and event management. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.\u003c/p\u003e\u003ch3\u003eDelivery and Removal (PE-16)\u003c/h3\u003e\u003cp\u003eEffectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. 
The table below outlines the CMS defined parameters for PE-16.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 17: CMS Defined Parameters- Control PE-16\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-16\u003c/td\u003e\u003ctd\u003eThe organization authorizes, monitors, and controls [Assignment: organization defined types of information system components] entering and exiting the facility and maintains records of those items.\u003c/td\u003e\u003ctd\u003eThe organization authorizes, monitors, and controls the flow of all information system-related components entering and exiting the facility and maintains records of those items\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS authorizes, monitors and controls the flow of information system-related components entering and exiting the facility through the use of procedures which include controlled access to the facility, secure storage and the maintenance of entry/exit records.\u003c/p\u003e\u003ch3\u003eAlternate Work Site (PE-17)\u003c/h3\u003e\u003cp\u003eAlternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. There is a direct relationship between an agency’s Continuity of Operations (COOP) plan and telework. 
Both programs, telework and COOP, share a basic objective: to perform and maintain agency functions from an alternative location. Telework can help ensure that essential Federal functions continue through hazardous weather, pandemic, physical attacks, or any other event that would result in the closure of Government facilities. The \u003ca href=\"https://www.govinfo.gov/content/pkg/BILLS-111hr1722enr/pdf/BILLS-111hr1722enr.pdf \"\u003eTelework Enhancement Act of 2010\u003c/a\u003e\u0026nbsp;provides a framework for agencies to better leverage technology and to maximize the use of flexible work arrangements, including those involving emergency situations. The table below outlines the CMS defined parameters for PE-17.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 18: CMS Defined Parameters- Control PE-17\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-17\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Employs [Assignment: organization defined security controls] at alternate work sites;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Employs appropriate security controls at alternate work sites to include, but not to be limited to, requiring the use of laptop cable locks, recording serial numbers and other identification information about laptops, and disconnecting modems at alternate work sites;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe CMS telework program is a valuable tool to meet mission objectives. 
CMS’s policy that governs telework is located in the \u003ca href=\"https://cmsintranet.share.cms.gov/ER/Documents/2017Master-Labor-Agreement.pdf\"\u003eMaster Labor Agreement (MLA), Article 29: Telecommuting Programs\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eParticipation in the CMS telework program is voluntary. A completed telework agreement between the employee and CMS is required for participation. Employees with a valid telework agreement may be required by CMS to telecommute at an approved ADS in the instances of: a full day building closure; an early building closure for non-weather related reasons; or a delayed opening (e.g., inclement weather or in other emergencies). CMS may also require telework employees to work at an ADS when a COOP is in effect. Per \u003ca href=\"https://www.opm.gov/faq/telework/Can-Federal-contractors-telework.ashx \"\u003eOffice of Personnel Management (OPM)\u003c/a\u003e, there is no Federal statute or regulation that specifically prohibits Federal contractors from teleworking. The decision to allow a contractor to telework would be made by the contractor’s supervisor and/or in conjunction with CMS. CMS employs appropriate security controls at alternate work sites. Security controls include technology-enforced protection such as Virtual Private Network (VPN) technology, multi-factor authentication, anti-virus software, and encryption. 
In addition, procedures, including the \u003ca href=\"https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/rules-of-behavior-for-use-of-hhs-informationresources/index.html \"\u003eHHS RoB\u003c/a\u003e, which applies to remote use of HHS information (in both electronic and physical forms) and information systems, rely on users to follow rules or perform certain steps that are not necessarily enforced by technical means. For security incidents, contact the CMS IT Service Desk by calling (410) 786-2580 or (800) 562-1963; or by sending an email to cms_it_service_desk@cms.hhs.gov to open a ticket.\u003c/p\u003e\u003ch3\u003eLocation of Information System Components (PE-18)\u003c/h3\u003e\u003cp\u003ePositioning the information system components within the facility is critical to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. The location of physical entry points should be considered where unauthorized individuals, while not being granted access, might be in close proximity to information systems. Such proximity increases the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). 
The table below outlines the CMS defined parameters for PE-18.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 19: CMS Defined Parameters- Control PE-18\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePE-18\u003c/td\u003e\u003ctd\u003eThe organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.\u003c/td\u003e\u003ctd\u003eThe organization positions information system components within the facility to minimize potential damage from physical and environmental hazards, and to minimize the opportunity for unauthorized access.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS positions the information system components to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. 
Considerations when positioning information system components include:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eSecurity: layered security consists of access card readers, mantraps, video surveillance and/or security staff\u0026nbsp;\u003c/li\u003e\u003cli\u003eFire protection: fire protection systems, as well as implementation of fire prevention programs in operations\u0026nbsp;\u003c/li\u003e\u003cli\u003eElectrical power: proven and reliable power grid with backup power that consists of one or more UPS, in addition to battery banks and generators.\u0026nbsp;\u003c/li\u003e\u003cli\u003eGeographic location: probability and frequency of natural disasters, extreme weather, and seismic activity to occur at a specific location.\u0026nbsp;\u003c/li\u003e\u003cli\u003eStructural design: techniques that can be used to make the actual data center resistant to physical attacks (e.g., reinforced with steel and concrete)\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIn addition, the raised floor space, air conditioning support, UPS, generators, and related support equipment must be coordinated with the other areas of the facility and properly positioned within the facility’s perimeter in order to improve their interaction.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eApplicable Laws and Guidance\u0026nbsp;\u003c/h2\u003e\u003cp\u003eThe Applicable Laws and Guidance appendix provides references to both authoritative and guidance documentation supporting the “document.” Subsections are organized to “level of authority” (e.g., Statutes take precedence over Federal Directives and Policies).\u0026nbsp;\u003c/p\u003e\u003ch3\u003eStatutes\u0026nbsp;\u003c/h3\u003e\u003cp\u003e\u003ca href=\"http://www.hhs.gov/hipaa\"\u003eHealth Insurance Portability and Accountability Act of 1996 (HIPAA)\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eFederal Directives and Policies\u0026nbsp;\u003c/h3\u003e\u003cp\u003e\u003ca 
href=\"https://www.fedramp.gov/files/2015/03/FedRAMP-Control-Quick-Guide-Rev4-FINAL01052015.pdf\"\u003eFedRAMP Rev. 4 Baseline\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.dhs.gov/homeland-security-presidential-directive-12\"\u003eHomeland Security Presidential Directive 12\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview\"\u003eU.S. General Services Administration: Facilities Standards for Public Buildings Service (P100)\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.archives.gov/files/records-mgmt/grs/grs05-6.pdf\"\u003eNational Archives and Records Administration (NARA) schedule GRS 5.6: Security Records\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eOMB Policy and Memoranda\u0026nbsp;\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130trans4.pdf\"\u003eOMB Circular A-130, Management of Federal Information Resources\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2011/m11-27.pdf\"\u003eOMB Memo: M-11-27, Implementing the Telework Enhancement Act of 2010: Security Guidelines\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eNIST Guidance and Federal Information Processing Standards\u0026nbsp;\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf\"\u003eFIPS-201-2 Personal Identity Verification (PIV) of Federal Employees and Contractors\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.200.pdf\"\u003eFIPS-200 Minimum Security Requirements for Federal Information and Information Systems\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca 
href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\u003eNIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-116r1.pdf\"\u003eNIST SP 800-116, Guidelines for the Use of PIV Credentials in Facility Access\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf\"\u003eNIST SP 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf\"\u003eNIST SP 800-73, Interfaces for Personal Identity Verification – Part 1: PIV Card Application Namespace, Data Model and Representation\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-76-2.pdf\"\u003eNIST SP 800-76, Biometric Specifications for Personal Identity Verification\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-78-4.pdf\"\u003eNIST SP 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eHHS Policy\u0026nbsp;\u003c/h3\u003e\u003cp\u003eHHS-OCIO-2014-0001 HHS Information System Security and Privacy Policy (HHS IS2P) – 2014 Edition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eTo obtain a copy of this document, email fisma@hhs.gov\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-InformationTechnology/InformationSecurity/Downloads/IS2P2.pdf\"\u003eRules of Behavior for Use of Health and Human Services Information Resources (HHS 
RoB)\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eAssociated CMS Resources\u0026nbsp;\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://cmsintranet.share.cms.gov/ER/Documents/2017Master-LaborAgreement.pdf\"\u003eMaster Labor Agreement\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cmsintranet.share.cms.gov/WR/Documents/CMSPhysicalSecurityProgramHandbook.pdf#search=physical%20security%20handbook\"\u003ePhysical Security Handbook\u003c/a\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}\n1b:{\"self\":\"$1c\"}\n1f:[\"menu_ui\",\"scheduler\"]\n1e:{\"module\":\"$1f\"}\n22:[]\n21:{\"available_menus\":\"$22\",\"parent\":\"\"}\n23:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n20:{\"menu_ui\":\"$21\",\"scheduler\":\"$23\"}\n1d:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$1e\",\"third_party_settings\":\"$20\",\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance 
documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1a:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":\"$1b\",\"attributes\":\"$1d\"}\n26:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}\n25:{\"self\":\"$26\"}\n27:{\"display_name\":\"mburgess\"}\n24:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":\"$25\",\"attributes\":\"$27\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n29:{\"self\":\"$2a\"}\n2b:{\"display_name\":\"meg - retired\"}\n28:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$29\",\"attributes\":\"$2b\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}\n2d:{\"self\":\"$2e\"}\n30:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n2f:{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":tr"])</script><script>self.__next_f.push([1,"ue,\"path\":\"$30\"}\n34:{\"drupal_internal__target_id\":\"resource_type\"}\n33:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$34\"}\n36:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"}\n37:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}\n35:{\"related\":\"$36\",\"self\":\"$37\"}\n32:{\"data\":\"$33\",\"links\":\"$35\"}\n3a:{\"href\":\"https://cybergeek.cms.gov/js
onapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"}\n3b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}\n39:{\"related\":\"$3a\",\"self\":\"$3b\"}\n38:{\"data\":null,\"links\":\"$39\"}\n42:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n41:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$42\"}\n40:{\"help\":\"$41\"}\n3f:{\"links\":\"$40\"}\n3e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$3f\"}\n3d:[\"$3e\"]\n44:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"}\n45:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}\n43:{\"related\":\"$44\",\"self\":\"$45\"}\n3c:{\"data\":\"$3d\",\"links\":\"$43\"}\n31:{\"vid\":\"$32\",\"revision_user\":\"$38\",\"parent\":\"$3c\"}\n2c:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":\"$2d\",\"attributes\":\"$2f\",\"relationships\":\"$31\"}\n48:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n47:{\"self\":\"$48\"}\n4a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n49:{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"rev"])</script><script>self.__next_f.push([1,"ision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4a\"}\n4e:{\"drupal_internal__target_id\":\"roles\"}\n4d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$4e\"}\n50:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n51:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n4f:{\"related\":\"$50\",\"self\":\"$51\"}\n4c:{\"data\":\"$4d\",\"links\":\"$4f\"}\n54:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n55:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n53:{\"related\":\"$54\",\"self\":\"$55\"}\n52:{\"data\":null,\"links\":\"$53\"}\n5c:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n5b:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5c\"}\n5a:{\"help\":\"$5b\"}\n59:{\"links\":\"$5a\"}\n58:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$59\"}\n57:[\"$58\"]\n5e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n5f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n5d:{\"related\":\"$5e\",\"self\":\"$5f\"}\n56:{\"data\":\"$57\",\"links\":\"$5d\"}\n4b:{\"vid\":\"$4c\",\"revision_user\":\"$52\",\"parent\":\"$56\"}\n46:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$47\",\"attributes\":\"$49\",\"relationships\":\"$4b\"}\n62:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26?resourceVersion=id%3A81\"}\n61"])</script><script>self.__next_f.push([1,":{\"self\":\"$62\"}\n64:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n63:{\"drupal_internal__tid\":81,\"drupal_internal__revision_id\":81,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:09:11+00:00\",\"status\":true,\"name\":\"Data 
Guardian\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:09:11+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$64\"}\n68:{\"drupal_internal__target_id\":\"roles\"}\n67:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$68\"}\n6a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/vid?resourceVersion=id%3A81\"}\n6b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/vid?resourceVersion=id%3A81\"}\n69:{\"related\":\"$6a\",\"self\":\"$6b\"}\n66:{\"data\":\"$67\",\"links\":\"$69\"}\n6e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/revision_user?resourceVersion=id%3A81\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/revision_user?resourceVersion=id%3A81\"}\n6d:{\"related\":\"$6e\",\"self\":\"$6f\"}\n6c:{\"data\":null,\"links\":\"$6d\"}\n76:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n75:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$76\"}\n74:{\"help\":\"$75\"}\n73:{\"links\":\"$74\"}\n72:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$73\"}\n71:[\"$72\"]\n78:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/parent?resourceVersion=id%3A81\"}\n79:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/parent?resourceVersion=id%3A81\"}\n77:{\"related\":\"$78\",\"self\":\"$79\"}\n70:{\"data\":\"$71\",\"links\":\"$77\"}\n65:{\"vid\":\"$66\",\"revision_user\":\"$6c\",\"parent\":\"$70\"}\n60:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"links\":\"$61\",\"attributes\":\"$63\",\"relationships\":\"$65"])</script><script>self.__next_f.push([1,"\"}\n7c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n7b:{\"self\":\"$7c\"}\n7e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n7d:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$7e\"}\n82:{\"drupal_internal__target_id\":\"roles\"}\n81:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$82\"}\n84:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n85:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n83:{\"related\":\"$84\",\"self\":\"$85\"}\n80:{\"data\":\"$81\",\"links\":\"$83\"}\n88:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n87:{\"related\":\"$88\",\"self\":\"$89\"}\n86:{\"data\":null,\"links\":\"$87\"}\n90:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n8f:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$90\"}\n8e:{\"help\":\"$8f\"}\n8d:{\"links\":\"$8e\"}\n8c:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$8d\"}\n8b:[\"$8c\"]\n92:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n93:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n91:{\"related\":\"$92\",\"self\":\"$93\"}\n8a:{\"data\":\"$8b\",\"links\":\"$91\"}\n7f:{\"vid\":\"$80\",\"revis"])</script><script>self.__next_f.push([1,"ion_user\":\"$86\",\"parent\":\"$8a\"}\n7a:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$7b\",\"attributes\":\"$7d\",\"relationships\":\"$7f\"}\n96:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n95:{\"self\":\"$96\"}\n98:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n97:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$98\"}\n9c:{\"drupal_internal__target_id\":\"roles\"}\n9b:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$9c\"}\n9e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n9f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n9d:{\"related\":\"$9e\",\"self\":\"$9f\"}\n9a:{\"data\":\"$9b\",\"links\":\"$9d\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\na1:{\"related\":\"$a2\",\"self\":\"$a3\"}\na0:{\"data\":null,\"links\":\"$a1\"}\naa:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\na9:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$aa\"}\na8:{\"help\":\"$a9\"}\na7:{\"links\":\"$a8\"}\na6:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$a7\"}\na5:[\"$a6\"]\nac:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\nad:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998"])</script><script>self.__next_f.push([1,"a3329f34/relationships/parent?resourceVersion=id%3A76\"}\nab:{\"related\":\"$ac\",\"self\":\"$ad\"}\na4:{\"data\":\"$a5\",\"links\":\"$ab\"}\n99:{\"vid\":\"$9a\",\"revision_user\":\"$a0\",\"parent\":\"$a4\"}\n94:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$95\",\"attributes\":\"$97\",\"relationships\":\"$99\"}\nb0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\naf:{\"self\":\"$b0\"}\nb2:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb1:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System 
Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b2\"}\nb6:{\"drupal_internal__target_id\":\"roles\"}\nb5:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$b6\"}\nb8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\nb9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\nb7:{\"related\":\"$b8\",\"self\":\"$b9\"}\nb4:{\"data\":\"$b5\",\"links\":\"$b7\"}\nbc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\nbd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\nbb:{\"related\":\"$bc\",\"self\":\"$bd\"}\nba:{\"data\":null,\"links\":\"$bb\"}\nc4:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nc3:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c4\"}\nc2:{\"help\":\"$c3\"}\nc1:{\"links\":\"$c2\"}\nc0:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$c1\"}\nbf:[\"$c0\"]\nc6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c"])</script><script>self.__next_f.push([1,"5056e/parent?resourceVersion=id%3A71\"}\nc7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\nc5:{\"related\":\"$c6\",\"self\":\"$c7\"}\nbe:{\"data\":\"$bf\",\"links\":\"$c5\"}\nb3:{\"vid\":\"$b4\",\"revision_user\":\"$ba\",\"parent\":\"$be\"}\nae:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":\"$af\",\"attributes\":\"$b1\",\"relationships\":\"$b3\"}\nca:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}\nc9:{\"self\":\"$ca\"}\ncc:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\ncb:{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 
Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$cc\"}\nd0:{\"drupal_internal__target_id\":\"topics\"}\ncf:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$d0\"}\nd2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"}\nd3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}\nd1:{\"related\":\"$d2\",\"self\":\"$d3\"}\nce:{\"data\":\"$cf\",\"links\":\"$d1\"}\nd6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"}\nd7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}\nd5:{\"related\":\"$d6\",\"self\":\"$d7\"}\nd4:{\"data\":null,\"links\":\"$d5\"}\nde:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\ndd:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$de\"}\ndc:{\"help\":\"$dd\"}\ndb:{\"links\":\"$dc\"}\nda:{\"type\":\"taxonomy_te"])</script><script>self.__next_f.push([1,"rm--topics\",\"id\":\"virtual\",\"meta\":\"$db\"}\nd9:[\"$da\"]\ne0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"}\ne1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}\ndf:{\"related\":\"$e0\",\"self\":\"$e1\"}\nd8:{\"data\":\"$d9\",\"links\":\"$df\"}\ncd:{\"vid\":\"$ce\",\"revision_user\":\"$d4\",\"parent\":\"$d8\"}\nc8:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":\"$c9\",\"attributes\":\"$cb\",\"relationships\":\"$cd\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--library\",\"id\":\"cc171666-6b3c-4a22-9879-55a441990c90\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cc171666-6b3c-4a22-9879-55a441990c90?resourceVersion=id%3A5940\"}},\"attributes\":{\"drupal_internal__nid\":486,\"drupal_internal__vid\":5940,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-14T18:02:00+00:00\",\"status\":true,\"title\":\"RMH Chapter 11: Physical \u0026 Environmental 
Protection\",\"created\":\"2022-08-29T17:59:15+00:00\",\"changed\":\"2024-10-14T18:02:00+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/risk-management-handbook-chapter-11-physical-environmental-protection\",\"pid\":476,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2021-03-23\",\"field_related_resources\":[{\"uri\":\"entity:node/631\",\"title\":\"CMS Acceptable Risk Safeguards (ARS) \",\"options\":[],\"url\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"},{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2)\",\"options\":[],\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"},{\"uri\":\"entity:node/326\",\"title\":\"Federal Risk and Authorization Management Program (fedRAMP) \",\"options\":[],\"url\":\"/learn/fedramp\"}],\"field_short_description\":{\"value\":\"RMH Chapter 11 provides information about the Physical and Environmental Protection (PE) control family that supports system lifecycles\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eRMH Chapter 11 provides information about the Physical and Environmental Protection (PE) control family that supports system 
lifecycles\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cc171666-6b3c-4a22-9879-55a441990c90/node_type?resourceVersion=id%3A5940\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cc171666-6b3c-4a22-9879-55a441990c90/relationships/node_type?resourceVersion=id%3A5940\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cc171666-6b3c-4a22-9879-55a441990c90/revision_uid?resourceVersion=id%3A5940\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cc171666-6b3c-4a22-9879-55a441990c90/relationships/revision_uid?resourceVersion=id%3A5940\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cc171666-6b3c-4a22-9879-55a441990c90/uid?resourceVersion=id%3A5940\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cc171666-6b3c-4a22-9879-55a441990c90/relationships/uid?resourceVersion=id%3A5940\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cc171666-6b3c-4a22-9879-55a441990c90/field_resource_type?resourceVersion=id%3A5940\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cc171666-6b3c-4a22-9879-55a441990c90/relationships/field_resource_type?resourceVersion=id%3A5940\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_
term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cc171666-6b3c-4a22-9879-55a441990c90/field_roles?resourceVersion=id%3A5940\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cc171666-6b3c-4a22-9879-55a441990c90/relationships/field_roles?resourceVersion=id%3A5940\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cc171666-6b3c-4a22-9879-55a441990c90/field_topics?resourceVersion=id%3A5940\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/cc171666-6b3c-4a22-9879-55a441990c90/relationships/field_topics?resourceVersion=id%3A5940\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"pu
blish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}},\"attributes\":{\"display_name\":\"mburgess\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - 
retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}},\"attributes\":{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"http
s://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26?resourceVersion=id%3A81\"}},\"attributes\":{\"drupal_internal__tid\":81,\"drupal_internal__revision_id\":81,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:09:11+00:00\",\"status\":true,\"name\":\"Data Guardian\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:09:11+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/vid?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/vid?resourceVersion=id%3A81\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/revision_user?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/revision_user?resourceVersion=id%3A81\"}}},\"parent\":{\"da
ta\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/parent?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/parent?resourceVersion=id%3A81\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.or
g/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"
taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}},\"attributes\":{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c1
2221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}}}}}],\"includedMap\":{\"ab4b0312-f678-40b9-ae06-79025f52ff43\":\"$1a\",\"e352e203-fe9c-47ba-af75-2c7f8302fca8\":\"$24\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$28\",\"e3394b9a-cbff-4bad-b68e-c6fad326132e\":\"$2c\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$46\",\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\":\"$60\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$7a\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$94\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$ae\",\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\":\"$c8\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"RMH Chapter 11: Physical \u0026 Environmental Protection | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"RMH Chapter 11 provides information about the Physical and Environmental Protection (PE) control family that supports system 
lifecycles\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-11-physical-environmental-protection\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"RMH Chapter 11: Physical \u0026 Environmental Protection | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"RMH Chapter 11 provides information about the Physical and Environmental Protection (PE) control family that supports system lifecycles\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-11-physical-environmental-protection\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-11-physical-environmental-protection/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"RMH Chapter 11: Physical \u0026 Environmental Protection | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"RMH Chapter 11 provides information about the Physical and Environmental Protection (PE) control family that supports system 
lifecycles\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-11-physical-environmental-protection/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html> |