publicdata/cms-gov
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
cms-gov/security.cms.gov/policy-guidance/risk-management-handbook-chapter-9-maintenance-ma
Scott Williams b906a0e722 Initial commit
2025-02-28 14:41:14 -05:00

1 line
No EOL
213 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>Risk Management Handbook Chapter 9: Maintenance (MA) | CMS Information Security &amp; Privacy Group</title><meta name="description" content="RMH Chapter 9 provides information about the Maintenance family of controls that provide rules for the maintenance of CMS systems"/><link rel="canonical" href="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-9-maintenance-ma"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="Risk Management Handbook Chapter 9: Maintenance (MA) | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="RMH Chapter 9 provides information about the Maintenance family of controls that provide rules for the maintenance of CMS systems"/><meta property="og:url" content="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-9-maintenance-ma"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-9-maintenance-ma/opengraph-image.jpg?a856d5522b751df7"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Risk Management Handbook Chapter 9: Maintenance (MA) | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="RMH Chapter 9 provides information about the Maintenance family of controls that provide rules for the maintenance of CMS systems"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-9-maintenance-ma/opengraph-image.jpg?a856d5522b751df7"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accessibility Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-library undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">Risk Management Handbook Chapter 9: Maintenance (MA)</h1><p class="hero__description">RMH Chapter 9 provides information about the Maintenance family of controls that provide rules for the maintenance of CMS systems</p><p class="font-sans-2xs line-height-sans-5 margin-bottom-0">Last reviewed<!-- -->: <!-- -->4/7/2020</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8"><section class="resource-collection radius-md padding-y-2 padding-x-3 bg-base-lightest"><h1 class="resource-collection__header h3 margin-top-0 margin-bottom-2">Related Resources</h1><div class="grid-row grid-gap-4"><div class="tablet:grid-col-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS) </a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2">CMS Information Systems Security and Privacy Policy (IS2P2)</a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/learn/cms-security-and-privacy-handbooks">CMS Security and Privacy Handbooks (all)</a></div></div></section><section><div class="text-block text-block--theme-library"><h2>Introduction</h2><p>This Handbook outlines procedures to help CMS staff and contractors implement the Maintenance family of controls taken from the National Institute of Standards and Technology (NIST) Special Publication 800-53 and tailored to the CMS environment in the CMS Acceptable Risk Safeguards (ARS). For more guidance on how to implement CMS policies and standards across many cybersecurity topics, see the CMS Security and Privacy Handbooks.&nbsp;</p><p>RMH Chapter 09 provides processes and procedures to assist with the consistent implementation of the MA family of controls for any system that stores, processes, or transmits CMS information on behalf of CMS. This chapter identifies the policies, minimum standards, and procedures for the effective implementation of selected security and privacy controls and control enhancements in the MA family.</p><h2>Maintenance controls</h2><h3>Controlled Maintenance (MA-2)</h3><p>This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers.</p><p>The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations must consider supply chain issues associated with replacement components for information systems</p><p>Guidance for systems processing, storing, or transmitting PHI:</p><p>HIPAA requires organizations to apply reasonable and appropriate safeguards for the protection of PHI, including implementing policies and procedures to document repairs and modifications to the facility which are related to security.</p><p>The table below outlines the CMS defined parameters for MA-2.</p><p><strong>Table 4: CMS Defined Parameters-Control MA-2</strong></p><table><tbody><tr><td><strong>Control</strong></td><td><strong>Control Requirement</strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>MA-2</td><td><p>The organization:</p><p>c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;</p></td><td><p>The organization:</p><p>c. Requires that the applicable Business Owner (or an official designated in the applicable security plan) explicitly approves the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;</p></td></tr></tbody></table><p>CMS reviews and updates the baseline configuration5 of its information systems at a regularly defined frequency, when special circumstances arise (e.g., critical security patches), or when an information system component is installed or upgraded. Automation assists in documenting changes and ensures the proper workflow. CMS uses automated means to document system changes for submission and to notify the authorizing personnel, defined in the System Security and Privacy Plan (SSPP), who are designated to approve changes, whenever changes are proposed. Automating these processes also increases the traceability of changes for many systems at once.</p><p>CMS addresses the information security aspects of the information system maintenance program and applies it to hardware and software maintenance. Information necessary for creating effective maintenance records includes, at a minimum, the following information:</p><ul><li>Date and time of maintenance;</li><li>Name of individuals or group performing the maintenance;</li><li>Name of the authorized escort (if necessary);</li><li>A description of the maintenance performed;</li><li>A list of the information system components/equipment removed and/or replaced.</li></ul><p>NOTE: The removal of the information system or components from CMS facilities requires the explicit approval from the Business Owner (BO). Prior to off-site maintenance or repairs, the equipment is sanitized, using approved CMS sanitization methods, for the removal of information from associated media.</p><h3>Maintenance Tools (MA-3)</h3><p>This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and organizational information systems. Maintenance tools can include hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance yet are considered an integral part of the system. CMS approves, controls, and monitors information system maintenance tools used to repair or conduct diagnostics on information systems and their components. After completion of the maintenance, all maintenance equipment, with the capability of retaining information, is checked to ensure that information is not saved on the equipment and that the equipment is appropriately sanitized, using approved CMS sanitization methods, before the release from the CMS facility.</p><h4>Inspect Tools (MA-3(1))</h4><p>This control enhancement provides that maintenance tools, transported by maintenance personnel into facilities, are inspected for unauthorized modifications. CMS inspects maintenance tools for obvious signs of improper or unauthorized modifications. Tools that are found to be modified in an improper or unauthorized manner must be reported per the CMS incident handling procedure that is located in RMH Chapter 08 Incident Response.</p><h4>Inspect Media (MA-3(2))</h4><p>Inspecting media that contains diagnostic and test programs for malicious code before the media are used in the information system is the purpose of this control enhancement.</p><p>CMS checks and scans all diagnostic tools and test programs for malicious code before being used in the information system. Media that are found to contain malicious code must be reported per the CMS incident handling procedure that is located in RMH Chapter 08 Incident Response.</p><h4>Prevent Unauthorized Removal (MA-3(3))</h4><p>Preventing the unauthorized removal of maintenance equipment containing organizational information is the purpose of this control enhancement. The table below outlines the CMS defined parameters for MA-3(3).</p><p><strong>Table 5: CMS Defined Parameters-Control MA-3(3)</strong></p><table><thead><tr><th>Control</th><th>Control Requirement</th><th>CMS Parameter</th></tr></thead><tbody><tr><td>MA-3(3)</td><td><p>The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:</p><p>d. Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility</p></td><td><p>The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:</p><p>d. Obtaining an exemption, in writing, from the CMS CIO or his/her designated representative explicitly authorizing removal of the equipment from the facility.</p></td></tr></tbody></table><p>CMS prevents the unauthorized removal of maintenance equipment containing organizational information by:</p><ul><li>Verifying that CMS information is not contained on the equipment when the equipment has the capability of retaining information;</li><li>Sanitizing or destroying the equipment, using CMS approved sanitization or destruction techniques/methods</li><li>Retaining or storing the equipment securely within the facility;</li><li>Obtaining a written exemption from the CMS Chief Information Officer (CIO), or his/her designated representative, explicitly authorizing removal of the equipment from the facility.</li></ul><h3>Nonlocal Maintenance (MA-4)</h3><p>Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment&nbsp;of nonlocal maintenance and diagnostic sessions reflect the network access requirements in Identification and Authentication (Organizational Users) (IA-2).</p><p>Written authorization from the CMS CIO is required for nonlocal or remote maintenance and diagnostic activities to be performed on an information system. CMS monitors and controls nonlocal maintenance and diagnostic activities and allows the use of maintenance and diagnostic tools in accordance with organizational policy. Appropriate identification and authentication techniques are employed in the establishment of remote sessions in accordance with IA-2, and all such sessions are terminated after the completion of the maintenance.</p><h4>Auditing and Review (MA-4(1))</h4><p>The purpose of this control enhancement is to ensure that auditing and reviews of nonlocal maintenance and diagnostic sessions are performed.</p><p><strong>Table 6: CMS Defined Parameters-Control MA-4(1)</strong></p><table><tbody><tr><td><strong>Control&nbsp;</strong></td><td><strong>Control Requirement</strong></td><td><strong>CMS Parameter</strong></td></tr><tr><td>MA-4(1)</td><td><p>The organization:&nbsp;</p><p>a) Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events];</p></td><td><p>The organization:&nbsp;</p><p>a. Audits nonlocal maintenance and diagnostic sessions using available audit events;</p></td></tr></tbody></table><p>CMS audits nonlocal maintenance and diagnostic sessions using available audit events. Maintenance and diagnostic records consist of audit events that are a defined selection based on all events for which the information system is capable of generating records. CMS reviews these records on a continuous basis.&nbsp;</p><h4>Document Nonlocal Maintenance (MA-4(2))&nbsp;</h4><p>Information systems that require nonlocal maintenance must document the policies and procedures used for establishing and using nonlocal maintenance activities to include testing and diagnostic connection. CMS requires that maintenance activity, including the authentication mechanism for granting remote access and the capture of maintenance information, is recorded in the applicable SSPP.&nbsp;</p><h4>Comparable Security/Sanitization (MA-4(3))&nbsp;</h4><p>Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced. CMS requires that nonlocal maintenance and diagnostic services are performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced. Prior to nonlocal maintenance or diagnostic services, CMS requires the removal of the component to be serviced from the information system and sanitization of information from the component. After the service is performed and before reconnecting the component to the information system, CMS provides for inspection and sanitization of the component for potentially malicious software.&nbsp;</p><h3>Maintenance Personnel (MA-5)&nbsp;</h3><p>This control applies to individuals performing hardware or software maintenance on organizational information systems, while Physical Access Authorizations (PE-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Guidance for systems processing, storing, or transmitting PII (to include PHI): If maintenance personnel are contractors, then the organizations personnel responsible for contracting (such as the contracting officer, contracting officers representative, or contracting officers technical representative or the program manager must ensure that contractors having access to records (i.e., files or data) from a system of records are contractually bound to be covered by the Privacy Act of 1974. CMS maintains documentation of authorized maintenance personnel that perform hardware or software maintenance on information systems. The System Developer and Maintainer implements approved software maintenance while the Government Task Lead (GTL) of the data center maintains a list of authorized maintenance personnel that perform hardware maintenance. Maintenance personnel performing hardware maintenance are required to have authorized physical access to the data center. RMH Chapter 11 Physical and Environmental Protection provides additional information on requesting physical access to controlled areas.&nbsp;</p><h4>Individuals Without Appropriate Access (MA-5(1))&nbsp;</h4><p>This control enhancement denies visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems to individuals who do not possess the required level of security clearances or who are not U.S. citizens. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to CMS information systems when required to conduct maintenance activities with little or no notice. Maintenance personnel without the necessary access authorizations, clearances or formal approvals are properly escorted and supervised by an authorized CMS employee or an authorized contractor with technical competence of supervising individuals relating to the maintenance being performed on the information system.&nbsp;</p><h3>Timely Maintenance (MA-6)&nbsp;</h3><p>Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the&nbsp;functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place.&nbsp;</p><p>The table below outlines the CMS-defined parameters for MA-6.&nbsp;</p><p><strong>Table 7: CMS Defined Parameters-Control MA-6&nbsp;</strong></p><table><tbody><tr><td><strong>Control</strong></td><td><strong>Control Requirement</strong></td><td><strong>CMS Parameter&nbsp;</strong></td></tr><tr><td>MA-6</td><td>The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.&nbsp;</td><td>The organization obtains maintenance support and/or spare parts for defined key information system components (defined in the applicable security plan) within the applicable RTO specified in the contingency plan.&nbsp;</td></tr></tbody></table><p>CMS requires the alignment of hardware maintenance and support services with the information systems recovery time objective (RTO). Timely maintenance requirements are met through service agreements that provide 24/7 coverage and/or through on-site storage of replacement parts. CSPs must define a list of security-critical information system components and/or key information technology components. The list of components is approved and accepted by the Joint Authorization Board (JAB). The time period to obtain maintenance and spare parts is defined in accordance with the contingency plan for the information system and business impact analysis. The time period is approved and accepted by the JAB.</p><h2>Applicable Laws and Guidance&nbsp;</h2><p>The Applicable Laws and Guidance appendix provides references to both authoritative and guidance documentation supporting this document.</p><h4>Statutes&nbsp;</h4><p><a href="http://www.hhs.gov/hipaa">Health Insurance Portability and Accountability Act of 1996 (HIPAA)&nbsp;</a></p><h4>Federal Directives and Policies&nbsp;</h4><p><a href="https://www.fedramp.gov/files/2015/03/FedRAMP-Control-Quick-Guide-Rev4-FINAL01052015.pdf">FedRAMP Rev. 4 Baseline&nbsp;</a></p><h4>NIST Guidance and Federal Information Processing Standards FIPS Pub: 140-2, 197, 201&nbsp;</h4><p><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf">FIPS-140-2 Security Requirements for Cryptographic Modules&nbsp;</a></p><p><a href="https://csrc.nist.gov/csrc/media/publications/fips/197/final/documents/fips-197.pdf">FIPS-197, Advanced Encryption Standard&nbsp;</a></p><p><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf">FIPS-201-2, Personal Identity Verification (PIV) for Federal Employees and Contractors&nbsp;</a></p><p><a href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-88.pdf">NIST SP 800-88, Guidelines for Media Sanitization&nbsp;</a></p><p><a href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-100.pdf">NIST SP 800 100, Information Security Handbook: A Guide for Managers&nbsp;</a></p><p><a href="https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final">NIST SP 800 12 rev.1 An Introduction to Information Security&nbsp;</a></p></div></section></div></div></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"risk-management-handbook-chapter-9-maintenance-ma\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"policy-guidance\",\"risk-management-handbook-chapter-9-maintenance-ma\"],\"initialTree\":[\"\",{\"children\":[\"policy-guidance\",{\"children\":[[\"slug\",\"risk-management-handbook-chapter-9-maintenance-ma\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"policy-guidance\",{\"children\":[[\"slug\",\"risk-management-handbook-chapter-9-maintenance-ma\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"policy-guidance\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"policy-guidance\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[3055,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"907\",\"static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js\"],\"default\"]\n18:T45d8,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eIntroduction\u003c/h2\u003e\u003cp\u003eThis Handbook outlines procedures to help CMS staff and contractors implement the Maintenance family of controls taken from the National Institute of Standards and Technology (NIST) Special Publication 800-53 and tailored to the CMS environment in the CMS Acceptable Risk Safeguards (ARS). For more guidance on how to implement CMS policies and standards across many cybersecurity topics, see the CMS Security and Privacy Handbooks.\u0026nbsp;\u003c/p\u003e\u003cp\u003eRMH Chapter 09 provides processes and procedures to assist with the consistent implementation of the MA family of controls for any system that stores, processes, or transmits CMS information on behalf of CMS. This chapter identifies the policies, minimum standards, and procedures for the effective implementation of selected security and privacy controls and control enhancements in the MA family.\u003c/p\u003e\u003ch2\u003eMaintenance controls\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eControlled Maintenance (MA-2)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers.\u003c/p\u003e\u003cp\u003eThe level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations must consider supply chain issues associated with replacement components for information systems\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PHI:\u003c/p\u003e\u003cp\u003eHIPAA requires organizations to apply reasonable and appropriate safeguards for the protection of PHI, including implementing policies and procedures to document repairs and modifications to the facility which are related to security.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS defined parameters for MA-2.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 4: CMS Defined Parameters-Control MA-2\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMA-2\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003cp\u003ec. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003cp\u003ec. Requires that the applicable Business Owner (or an official designated in the applicable security plan) explicitly approves the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS reviews and updates the baseline configuration5 of its information systems at a regularly defined frequency, when special circumstances arise (e.g., critical security patches), or when an information system component is installed or upgraded. Automation assists in documenting changes and ensures the proper workflow. CMS uses automated means to document system changes for submission and to notify the authorizing personnel, defined in the System Security and Privacy Plan (SSPP), who are designated to approve changes, whenever changes are proposed. Automating these processes also increases the traceability of changes for many systems at once.\u003c/p\u003e\u003cp\u003eCMS addresses the information security aspects of the information system maintenance program and applies it to hardware and software maintenance. Information necessary for creating effective maintenance records includes, at a minimum, the following information:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDate and time of maintenance;\u003c/li\u003e\u003cli\u003eName of individuals or group performing the maintenance;\u003c/li\u003e\u003cli\u003eName of the authorized escort (if necessary);\u003c/li\u003e\u003cli\u003eA description of the maintenance performed;\u003c/li\u003e\u003cli\u003eA list of the information system components/equipment removed and/or replaced.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eNOTE: The removal of the information system or components from CMS facilities requires the explicit approval from the Business Owner (BO). Prior to off-site maintenance or repairs, the equipment is sanitized, using approved CMS sanitization methods, for the removal of information from associated media.\u003c/p\u003e\u003ch3\u003eMaintenance Tools (MA-3)\u003c/h3\u003e\u003cp\u003eThis control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and organizational information systems. Maintenance tools can include hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance yet are considered an integral part of the system. CMS approves, controls, and monitors information system maintenance tools used to repair or conduct diagnostics on information systems and their components. After completion of the maintenance, all maintenance equipment, with the capability of retaining information, is checked to ensure that information is not saved on the equipment and that the equipment is appropriately sanitized, using approved CMS sanitization methods, before the release from the CMS facility.\u003c/p\u003e\u003ch4\u003eInspect Tools (MA-3(1))\u003c/h4\u003e\u003cp\u003eThis control enhancement provides that maintenance tools, transported by maintenance personnel into facilities, are inspected for unauthorized modifications. CMS inspects maintenance tools for obvious signs of improper or unauthorized modifications. Tools that are found to be modified in an improper or unauthorized manner must be reported per the CMS incident handling procedure that is located in RMH Chapter 08 Incident Response.\u003c/p\u003e\u003ch4\u003eInspect Media (MA-3(2))\u003c/h4\u003e\u003cp\u003eInspecting media that contains diagnostic and test programs for malicious code before the media are used in the information system is the purpose of this control enhancement.\u003c/p\u003e\u003cp\u003eCMS checks and scans all diagnostic tools and test programs for malicious code before being used in the information system. Media that are found to contain malicious code must be reported per the CMS incident handling procedure that is located in RMH Chapter 08 Incident Response.\u003c/p\u003e\u003ch4\u003ePrevent Unauthorized Removal (MA-3(3))\u003c/h4\u003e\u003cp\u003ePreventing the unauthorized removal of maintenance equipment containing organizational information is the purpose of this control enhancement. The table below outlines the CMS defined parameters for MA-3(3).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 5: CMS Defined Parameters-Control MA-3(3)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eControl Requirement\u003c/th\u003e\u003cth\u003eCMS Parameter\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMA-3(3)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization prevents the unauthorized removal of maintenance equipment containing organizational information by:\u003c/p\u003e\u003cp\u003ed. Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization prevents the unauthorized removal of maintenance equipment containing organizational information by:\u003c/p\u003e\u003cp\u003ed. Obtaining an exemption, in writing, from the CMS CIO or his/her designated representative explicitly authorizing removal of the equipment from the facility.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS prevents the unauthorized removal of maintenance equipment containing organizational information by:\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerifying that CMS information is not contained on the equipment when the equipment has the capability of retaining information;\u003c/li\u003e\u003cli\u003eSanitizing or destroying the equipment, using CMS approved sanitization or destruction techniques/methods\u003c/li\u003e\u003cli\u003eRetaining or storing the equipment securely within the facility;\u003c/li\u003e\u003cli\u003eObtaining a written exemption from the CMS Chief Information Officer (CIO), or his/her designated representative, explicitly authorizing removal of the equipment from the facility.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eNonlocal Maintenance (MA-4)\u003c/h3\u003e\u003cp\u003eNonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment\u0026nbsp;of nonlocal maintenance and diagnostic sessions reflect the network access requirements in Identification and Authentication (Organizational Users) (IA-2).\u003c/p\u003e\u003cp\u003eWritten authorization from the CMS CIO is required for nonlocal or remote maintenance and diagnostic activities to be performed on an information system. CMS monitors and controls nonlocal maintenance and diagnostic activities and allows the use of maintenance and diagnostic tools in accordance with organizational policy. Appropriate identification and authentication techniques are employed in the establishment of remote sessions in accordance with IA-2, and all such sessions are terminated after the completion of the maintenance.\u003c/p\u003e\u003ch4\u003eAuditing and Review (MA-4(1))\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to ensure that auditing and reviews of nonlocal maintenance and diagnostic sessions are performed.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 6: CMS Defined Parameters-Control MA-4(1)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMA-4(1)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea) Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events];\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Audits nonlocal maintenance and diagnostic sessions using available audit events;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS audits nonlocal maintenance and diagnostic sessions using available audit events. Maintenance and diagnostic records consist of audit events that are a defined selection based on all events for which the information system is capable of generating records. CMS reviews these records on a continuous basis.\u0026nbsp;\u003c/p\u003e\u003ch4\u003eDocument Nonlocal Maintenance (MA-4(2))\u0026nbsp;\u003c/h4\u003e\u003cp\u003eInformation systems that require nonlocal maintenance must document the policies and procedures used for establishing and using nonlocal maintenance activities to include testing and diagnostic connection. CMS requires that maintenance activity, including the authentication mechanism for granting remote access and the capture of maintenance information, is recorded in the applicable SSPP.\u0026nbsp;\u003c/p\u003e\u003ch4\u003eComparable Security/Sanitization (MA-4(3))\u0026nbsp;\u003c/h4\u003e\u003cp\u003eComparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced. CMS requires that nonlocal maintenance and diagnostic services are performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced. Prior to nonlocal maintenance or diagnostic services, CMS requires the removal of the component to be serviced from the information system and sanitization of information from the component. After the service is performed and before reconnecting the component to the information system, CMS provides for inspection and sanitization of the component for potentially malicious software.\u0026nbsp;\u003c/p\u003e\u003ch3\u003eMaintenance Personnel (MA-5)\u0026nbsp;\u003c/h3\u003e\u003cp\u003eThis control applies to individuals performing hardware or software maintenance on organizational information systems, while Physical Access Authorizations (PE-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Guidance for systems processing, storing, or transmitting PII (to include PHI): If maintenance personnel are contractors, then the organizations personnel responsible for contracting (such as the contracting officer, contracting officers representative, or contracting officers technical representative or the program manager must ensure that contractors having access to records (i.e., files or data) from a system of records are contractually bound to be covered by the Privacy Act of 1974. CMS maintains documentation of authorized maintenance personnel that perform hardware or software maintenance on information systems. The System Developer and Maintainer implements approved software maintenance while the Government Task Lead (GTL) of the data center maintains a list of authorized maintenance personnel that perform hardware maintenance. Maintenance personnel performing hardware maintenance are required to have authorized physical access to the data center. RMH Chapter 11 Physical and Environmental Protection provides additional information on requesting physical access to controlled areas.\u0026nbsp;\u003c/p\u003e\u003ch4\u003eIndividuals Without Appropriate Access (MA-5(1))\u0026nbsp;\u003c/h4\u003e\u003cp\u003eThis control enhancement denies visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems to individuals who do not possess the required level of security clearances or who are not U.S. citizens. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to CMS information systems when required to conduct maintenance activities with little or no notice. Maintenance personnel without the necessary access authorizations, clearances or formal approvals are properly escorted and supervised by an authorized CMS employee or an authorized contractor with technical competence of supervising individuals relating to the maintenance being performed on the information system.\u0026nbsp;\u003c/p\u003e\u003ch3\u003eTimely Maintenance (MA-6)\u0026nbsp;\u003c/h3\u003e\u003cp\u003eOrganizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the\u0026nbsp;functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS-defined parameters for MA-6.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 7: CMS Defined Parameters-Control MA-6\u0026nbsp;\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMA-6\u003c/td\u003e\u003ctd\u003eThe organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe organization obtains maintenance support and/or spare parts for defined key information system components (defined in the applicable security plan) within the applicable RTO specified in the contingency plan.\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS requires the alignment of hardware maintenance and support services with the information systems recovery time objective (RTO). Timely maintenance requirements are met through service agreements that provide 24/7 coverage and/or through on-site storage of replacement parts. CSPs must define a list of security-critical information system components and/or key information technology components. The list of components is approved and accepted by the Joint Authorization Board (JAB). The time period to obtain maintenance and spare parts is defined in accordance with the contingency plan for the information system and business impact analysis. The time period is approved and accepted by the JAB.\u003c/p\u003e\u003ch2\u003eApplicable Laws and Guidance\u0026nbsp;\u003c/h2\u003e\u003cp\u003eThe Applicable Laws and Guidance appendix provides references to both authoritative and guidance documentation supporting this document.\u003c/p\u003e\u003ch4\u003eStatutes\u0026nbsp;\u003c/h4\u003e\u003cp\u003e\u003ca href=\"http://www.hhs.gov/hipaa\"\u003eHealth Insurance Portability and Accountability Act of 1996 (HIPAA)\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003ch4\u003eFederal Directives and Policies\u0026nbsp;\u003c/h4\u003e\u003cp\u003e\u003ca href=\"https://www.fedramp.gov/files/2015/03/FedRAMP-Control-Quick-Guide-Rev4-FINAL01052015.pdf\"\u003eFedRAMP Rev. 4 Baseline\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003ch4\u003eNIST Guidance and Federal Information Processing Standards FIPS Pub: 140-2, 197, 201\u0026nbsp;\u003c/h4\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf\"\u003eFIPS-140-2 Security Requirements for Cryptographic Modules\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://csrc.nist.gov/csrc/media/publications/fips/197/final/documents/fips-197.pdf\"\u003eFIPS-197, Advanced Encryption Standard\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf\"\u003eFIPS-201-2, Personal Identity Verification (PIV) for Federal Employees and Contractors\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-88.pdf\"\u003eNIST SP 800-88, Guidelines for Media Sanitization\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-100.pdf\"\u003eNIST SP 800 100, Information Security Handbook: A Guide for Managers\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final\"\u003eNIST SP 800 12 rev.1 An Introduction to Information Security\u0026nbsp;\u003c/a\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:T45d8,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eIntroduction\u003c/h2\u003e\u003cp\u003eThis Handbook outlines procedures to help CMS staff and contractors implement the Maintenance family of controls taken from the National Institute of Standards and Technology (NIST) Special Publication 800-53 and tailored to the CMS environment in the CMS Acceptable Risk Safeguards (ARS). For more guidance on how to implement CMS policies and standards across many cybersecurity topics, see the CMS Security and Privacy Handbooks.\u0026nbsp;\u003c/p\u003e\u003cp\u003eRMH Chapter 09 provides processes and procedures to assist with the consistent implementation of the MA family of controls for any system that stores, processes, or transmits CMS information on behalf of CMS. This chapter identifies the policies, minimum standards, and procedures for the effective implementation of selected security and privacy controls and control enhancements in the MA family.\u003c/p\u003e\u003ch2\u003eMaintenance controls\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eControlled Maintenance (MA-2)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers.\u003c/p\u003e\u003cp\u003eThe level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations must consider supply chain issues associated with replacement components for information systems\u003c/p\u003e\u003cp\u003eGuidance for systems processing, storing, or transmitting PHI:\u003c/p\u003e\u003cp\u003eHIPAA requires organizations to apply reasonable and appropriate safeguards for the protection of PHI, including implementing policies and procedures to document repairs and modifications to the facility which are related to security.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS defined parameters for MA-2.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 4: CMS Defined Parameters-Control MA-2\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMA-2\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003cp\u003ec. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003cp\u003ec. Requires that the applicable Business Owner (or an official designated in the applicable security plan) explicitly approves the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS reviews and updates the baseline configuration5 of its information systems at a regularly defined frequency, when special circumstances arise (e.g., critical security patches), or when an information system component is installed or upgraded. Automation assists in documenting changes and ensures the proper workflow. CMS uses automated means to document system changes for submission and to notify the authorizing personnel, defined in the System Security and Privacy Plan (SSPP), who are designated to approve changes, whenever changes are proposed. Automating these processes also increases the traceability of changes for many systems at once.\u003c/p\u003e\u003cp\u003eCMS addresses the information security aspects of the information system maintenance program and applies it to hardware and software maintenance. Information necessary for creating effective maintenance records includes, at a minimum, the following information:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDate and time of maintenance;\u003c/li\u003e\u003cli\u003eName of individuals or group performing the maintenance;\u003c/li\u003e\u003cli\u003eName of the authorized escort (if necessary);\u003c/li\u003e\u003cli\u003eA description of the maintenance performed;\u003c/li\u003e\u003cli\u003eA list of the information system components/equipment removed and/or replaced.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eNOTE: The removal of the information system or components from CMS facilities requires the explicit approval from the Business Owner (BO). Prior to off-site maintenance or repairs, the equipment is sanitized, using approved CMS sanitization methods, for the removal of information from associated media.\u003c/p\u003e\u003ch3\u003eMaintenance Tools (MA-3)\u003c/h3\u003e\u003cp\u003eThis control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and organizational information systems. Maintenance tools can include hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance yet are considered an integral part of the system. CMS approves, controls, and monitors information system maintenance tools used to repair or conduct diagnostics on information systems and their components. After completion of the maintenance, all maintenance equipment, with the capability of retaining information, is checked to ensure that information is not saved on the equipment and that the equipment is appropriately sanitized, using approved CMS sanitization methods, before the release from the CMS facility.\u003c/p\u003e\u003ch4\u003eInspect Tools (MA-3(1))\u003c/h4\u003e\u003cp\u003eThis control enhancement provides that maintenance tools, transported by maintenance personnel into facilities, are inspected for unauthorized modifications. CMS inspects maintenance tools for obvious signs of improper or unauthorized modifications. Tools that are found to be modified in an improper or unauthorized manner must be reported per the CMS incident handling procedure that is located in RMH Chapter 08 Incident Response.\u003c/p\u003e\u003ch4\u003eInspect Media (MA-3(2))\u003c/h4\u003e\u003cp\u003eInspecting media that contains diagnostic and test programs for malicious code before the media are used in the information system is the purpose of this control enhancement.\u003c/p\u003e\u003cp\u003eCMS checks and scans all diagnostic tools and test programs for malicious code before being used in the information system. Media that are found to contain malicious code must be reported per the CMS incident handling procedure that is located in RMH Chapter 08 Incident Response.\u003c/p\u003e\u003ch4\u003ePrevent Unauthorized Removal (MA-3(3))\u003c/h4\u003e\u003cp\u003ePreventing the unauthorized removal of maintenance equipment containing organizational information is the purpose of this control enhancement. The table below outlines the CMS defined parameters for MA-3(3).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 5: CMS Defined Parameters-Control MA-3(3)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eControl Requirement\u003c/th\u003e\u003cth\u003eCMS Parameter\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMA-3(3)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization prevents the unauthorized removal of maintenance equipment containing organizational information by:\u003c/p\u003e\u003cp\u003ed. Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization prevents the unauthorized removal of maintenance equipment containing organizational information by:\u003c/p\u003e\u003cp\u003ed. Obtaining an exemption, in writing, from the CMS CIO or his/her designated representative explicitly authorizing removal of the equipment from the facility.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS prevents the unauthorized removal of maintenance equipment containing organizational information by:\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerifying that CMS information is not contained on the equipment when the equipment has the capability of retaining information;\u003c/li\u003e\u003cli\u003eSanitizing or destroying the equipment, using CMS approved sanitization or destruction techniques/methods\u003c/li\u003e\u003cli\u003eRetaining or storing the equipment securely within the facility;\u003c/li\u003e\u003cli\u003eObtaining a written exemption from the CMS Chief Information Officer (CIO), or his/her designated representative, explicitly authorizing removal of the equipment from the facility.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eNonlocal Maintenance (MA-4)\u003c/h3\u003e\u003cp\u003eNonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment\u0026nbsp;of nonlocal maintenance and diagnostic sessions reflect the network access requirements in Identification and Authentication (Organizational Users) (IA-2).\u003c/p\u003e\u003cp\u003eWritten authorization from the CMS CIO is required for nonlocal or remote maintenance and diagnostic activities to be performed on an information system. CMS monitors and controls nonlocal maintenance and diagnostic activities and allows the use of maintenance and diagnostic tools in accordance with organizational policy. Appropriate identification and authentication techniques are employed in the establishment of remote sessions in accordance with IA-2, and all such sessions are terminated after the completion of the maintenance.\u003c/p\u003e\u003ch4\u003eAuditing and Review (MA-4(1))\u003c/h4\u003e\u003cp\u003eThe purpose of this control enhancement is to ensure that auditing and reviews of nonlocal maintenance and diagnostic sessions are performed.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 6: CMS Defined Parameters-Control MA-4(1)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMA-4(1)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea) Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events];\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u0026nbsp;\u003c/p\u003e\u003cp\u003ea. Audits nonlocal maintenance and diagnostic sessions using available audit events;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS audits nonlocal maintenance and diagnostic sessions using available audit events. Maintenance and diagnostic records consist of audit events that are a defined selection based on all events for which the information system is capable of generating records. CMS reviews these records on a continuous basis.\u0026nbsp;\u003c/p\u003e\u003ch4\u003eDocument Nonlocal Maintenance (MA-4(2))\u0026nbsp;\u003c/h4\u003e\u003cp\u003eInformation systems that require nonlocal maintenance must document the policies and procedures used for establishing and using nonlocal maintenance activities to include testing and diagnostic connection. CMS requires that maintenance activity, including the authentication mechanism for granting remote access and the capture of maintenance information, is recorded in the applicable SSPP.\u0026nbsp;\u003c/p\u003e\u003ch4\u003eComparable Security/Sanitization (MA-4(3))\u0026nbsp;\u003c/h4\u003e\u003cp\u003eComparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced. CMS requires that nonlocal maintenance and diagnostic services are performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced. Prior to nonlocal maintenance or diagnostic services, CMS requires the removal of the component to be serviced from the information system and sanitization of information from the component. After the service is performed and before reconnecting the component to the information system, CMS provides for inspection and sanitization of the component for potentially malicious software.\u0026nbsp;\u003c/p\u003e\u003ch3\u003eMaintenance Personnel (MA-5)\u0026nbsp;\u003c/h3\u003e\u003cp\u003eThis control applies to individuals performing hardware or software maintenance on organizational information systems, while Physical Access Authorizations (PE-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Guidance for systems processing, storing, or transmitting PII (to include PHI): If maintenance personnel are contractors, then the organizations personnel responsible for contracting (such as the contracting officer, contracting officers representative, or contracting officers technical representative or the program manager must ensure that contractors having access to records (i.e., files or data) from a system of records are contractually bound to be covered by the Privacy Act of 1974. CMS maintains documentation of authorized maintenance personnel that perform hardware or software maintenance on information systems. The System Developer and Maintainer implements approved software maintenance while the Government Task Lead (GTL) of the data center maintains a list of authorized maintenance personnel that perform hardware maintenance. Maintenance personnel performing hardware maintenance are required to have authorized physical access to the data center. RMH Chapter 11 Physical and Environmental Protection provides additional information on requesting physical access to controlled areas.\u0026nbsp;\u003c/p\u003e\u003ch4\u003eIndividuals Without Appropriate Access (MA-5(1))\u0026nbsp;\u003c/h4\u003e\u003cp\u003eThis control enhancement denies visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems to individuals who do not possess the required level of security clearances or who are not U.S. citizens. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to CMS information systems when required to conduct maintenance activities with little or no notice. Maintenance personnel without the necessary access authorizations, clearances or formal approvals are properly escorted and supervised by an authorized CMS employee or an authorized contractor with technical competence of supervising individuals relating to the maintenance being performed on the information system.\u0026nbsp;\u003c/p\u003e\u003ch3\u003eTimely Maintenance (MA-6)\u0026nbsp;\u003c/h3\u003e\u003cp\u003eOrganizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the\u0026nbsp;functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS-defined parameters for MA-6.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 7: CMS Defined Parameters-Control MA-6\u0026nbsp;\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMA-6\u003c/td\u003e\u003ctd\u003eThe organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe organization obtains maintenance support and/or spare parts for defined key information system components (defined in the applicable security plan) within the applicable RTO specified in the contingency plan.\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS requires the alignment of hardware maintenance and support services with the information systems recovery time objective (RTO). Timely maintenance requirements are met through service agreements that provide 24/7 coverage and/or through on-site storage of replacement parts. CSPs must define a list of security-critical information system components and/or key information technology components. The list of components is approved and accepted by the Joint Authorization Board (JAB). The time period to obtain maintenance and spare parts is defined in accordance with the contingency plan for the information system and business impact analysis. The time period is approved and accepted by the JAB.\u003c/p\u003e\u003ch2\u003eApplicable Laws and Guidance\u0026nbsp;\u003c/h2\u003e\u003cp\u003eThe Applicable Laws and Guidance appendix provides references to both authoritative and guidance documentation supporting this document.\u003c/p\u003e\u003ch4\u003eStatutes\u0026nbsp;\u003c/h4\u003e\u003cp\u003e\u003ca href=\"http://www.hhs.gov/hipaa\"\u003eHealth Insurance Portability and Accountability Act of 1996 (HIPAA)\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003ch4\u003eFederal Directives and Policies\u0026nbsp;\u003c/h4\u003e\u003cp\u003e\u003ca href=\"https://www.fedramp.gov/files/2015/03/FedRAMP-Control-Quick-Guide-Rev4-FINAL01052015.pdf\"\u003eFedRAMP Rev. 4 Baseline\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003ch4\u003eNIST Guidance and Federal Information Processing Standards FIPS Pub: 140-2, 197, 201\u0026nbsp;\u003c/h4\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf\"\u003eFIPS-140-2 Security Requirements for Cryptographic Modules\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://csrc.nist.gov/csrc/media/publications/fips/197/final/documents/fips-197.pdf\"\u003eFIPS-197, Advanced Encryption Standard\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf\"\u003eFIPS-201-2, Personal Identity Verification (PIV) for Federal Employees and Contractors\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-88.pdf\"\u003eNIST SP 800-88, Guidelines for Media Sanitization\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-100.pdf\"\u003eNIST SP 800 100, Information Security Handbook: A Guide for Managers\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final\"\u003eNIST SP 800 12 rev.1 An Introduction to Information Security\u0026nbsp;\u003c/a\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}\n1b:{\"self\":\"$1c\"}\n1f:[\"menu_ui\",\"scheduler\"]\n1e:{\"module\":\"$1f\"}\n22:[]\n21:{\"available_menus\":\"$22\",\"parent\":\"\"}\n23:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n20:{\"menu_ui\":\"$21\",\"scheduler\":\"$23\"}\n1d:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$1e\",\"third_party_settings\":\"$20\",\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1a:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":\"$1b\",\"attributes\":\"$1d\"}\n26:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}\n25:{\"self\":\"$26\"}\n27:{\"display_name\":\"jcallan - retired\"}\n24:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":\"$25\",\"attributes\":\"$27\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n29:{\"self\":\"$2a\"}\n2b:{\"display_name\":\"meg - retired\"}\n28:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$29\",\"attributes\":\"$2b\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}\n2d:{\"self\":\"$2e\"}\n30:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n2f:{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_aff"])</script><script>self.__next_f.push([1,"ected\":true,\"path\":\"$30\"}\n34:{\"drupal_internal__target_id\":\"resource_type\"}\n33:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$34\"}\n36:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"}\n37:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}\n35:{\"related\":\"$36\",\"self\":\"$37\"}\n32:{\"data\":\"$33\",\"links\":\"$35\"}\n3a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"}\n3b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}\n39:{\"related\":\"$3a\",\"self\":\"$3b\"}\n38:{\"data\":null,\"links\":\"$39\"}\n42:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n41:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$42\"}\n40:{\"help\":\"$41\"}\n3f:{\"links\":\"$40\"}\n3e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$3f\"}\n3d:[\"$3e\"]\n44:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"}\n45:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}\n43:{\"related\":\"$44\",\"self\":\"$45\"}\n3c:{\"data\":\"$3d\",\"links\":\"$43\"}\n31:{\"vid\":\"$32\",\"revision_user\":\"$38\",\"parent\":\"$3c\"}\n2c:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":\"$2d\",\"attributes\":\"$2f\",\"relationships\":\"$31\"}\n48:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n47:{\"self\":\"$48\"}\n4a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n49:{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":"])</script><script>self.__next_f.push([1,"\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4a\"}\n4e:{\"drupal_internal__target_id\":\"roles\"}\n4d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$4e\"}\n50:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n51:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n4f:{\"related\":\"$50\",\"self\":\"$51\"}\n4c:{\"data\":\"$4d\",\"links\":\"$4f\"}\n54:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n55:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n53:{\"related\":\"$54\",\"self\":\"$55\"}\n52:{\"data\":null,\"links\":\"$53\"}\n5c:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n5b:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5c\"}\n5a:{\"help\":\"$5b\"}\n59:{\"links\":\"$5a\"}\n58:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$59\"}\n57:[\"$58\"]\n5e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n5f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n5d:{\"related\":\"$5e\",\"self\":\"$5f\"}\n56:{\"data\":\"$57\",\"links\":\"$5d\"}\n4b:{\"vid\":\"$4c\",\"revision_user\":\"$52\",\"parent\":\"$56\"}\n46:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$47\",\"attributes\":\"$49\",\"relationships\":\"$4b\"}\n62:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26?resourceVersion=id%"])</script><script>self.__next_f.push([1,"3A81\"}\n61:{\"self\":\"$62\"}\n64:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n63:{\"drupal_internal__tid\":81,\"drupal_internal__revision_id\":81,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:09:11+00:00\",\"status\":true,\"name\":\"Data Guardian\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:09:11+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$64\"}\n68:{\"drupal_internal__target_id\":\"roles\"}\n67:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$68\"}\n6a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/vid?resourceVersion=id%3A81\"}\n6b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/vid?resourceVersion=id%3A81\"}\n69:{\"related\":\"$6a\",\"self\":\"$6b\"}\n66:{\"data\":\"$67\",\"links\":\"$69\"}\n6e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/revision_user?resourceVersion=id%3A81\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/revision_user?resourceVersion=id%3A81\"}\n6d:{\"related\":\"$6e\",\"self\":\"$6f\"}\n6c:{\"data\":null,\"links\":\"$6d\"}\n76:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n75:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$76\"}\n74:{\"help\":\"$75\"}\n73:{\"links\":\"$74\"}\n72:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$73\"}\n71:[\"$72\"]\n78:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/parent?resourceVersion=id%3A81\"}\n79:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/parent?resourceVersion=id%3A81\"}\n77:{\"related\":\"$78\",\"self\":\"$79\"}\n70:{\"data\":\"$71\",\"links\":\"$77\"}\n65:{\"vid\":\"$66\",\"revision_user\":\"$6c\",\"parent\":\"$70\"}\n60:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"links\":\"$61\",\"attributes\":\"$63\",\"relationsh"])</script><script>self.__next_f.push([1,"ips\":\"$65\"}\n7c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n7b:{\"self\":\"$7c\"}\n7e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n7d:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$7e\"}\n82:{\"drupal_internal__target_id\":\"roles\"}\n81:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$82\"}\n84:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n85:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n83:{\"related\":\"$84\",\"self\":\"$85\"}\n80:{\"data\":\"$81\",\"links\":\"$83\"}\n88:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n87:{\"related\":\"$88\",\"self\":\"$89\"}\n86:{\"data\":null,\"links\":\"$87\"}\n90:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n8f:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$90\"}\n8e:{\"help\":\"$8f\"}\n8d:{\"links\":\"$8e\"}\n8c:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$8d\"}\n8b:[\"$8c\"]\n92:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n93:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n91:{\"related\":\"$92\",\"self\":\"$93\"}\n8a:{\"data\":\"$8b\",\"links\":\"$91\"}\n7f:{\"vid\":\"$8"])</script><script>self.__next_f.push([1,"0\",\"revision_user\":\"$86\",\"parent\":\"$8a\"}\n7a:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$7b\",\"attributes\":\"$7d\",\"relationships\":\"$7f\"}\n96:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n95:{\"self\":\"$96\"}\n98:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n97:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$98\"}\n9c:{\"drupal_internal__target_id\":\"roles\"}\n9b:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$9c\"}\n9e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n9f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n9d:{\"related\":\"$9e\",\"self\":\"$9f\"}\n9a:{\"data\":\"$9b\",\"links\":\"$9d\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\na1:{\"related\":\"$a2\",\"self\":\"$a3\"}\na0:{\"data\":null,\"links\":\"$a1\"}\naa:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\na9:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$aa\"}\na8:{\"help\":\"$a9\"}\na7:{\"links\":\"$a8\"}\na6:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$a7\"}\na5:[\"$a6\"]\nac:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\nad:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-"])</script><script>self.__next_f.push([1,"af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\nab:{\"related\":\"$ac\",\"self\":\"$ad\"}\na4:{\"data\":\"$a5\",\"links\":\"$ab\"}\n99:{\"vid\":\"$9a\",\"revision_user\":\"$a0\",\"parent\":\"$a4\"}\n94:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$95\",\"attributes\":\"$97\",\"relationships\":\"$99\"}\nb0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\naf:{\"self\":\"$b0\"}\nb2:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb1:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b2\"}\nb6:{\"drupal_internal__target_id\":\"roles\"}\nb5:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$b6\"}\nb8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\nb9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\nb7:{\"related\":\"$b8\",\"self\":\"$b9\"}\nb4:{\"data\":\"$b5\",\"links\":\"$b7\"}\nbc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\nbd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\nbb:{\"related\":\"$bc\",\"self\":\"$bd\"}\nba:{\"data\":null,\"links\":\"$bb\"}\nc4:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nc3:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c4\"}\nc2:{\"help\":\"$c3\"}\nc1:{\"links\":\"$c2\"}\nc0:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$c1\"}\nbf:[\"$c0\"]\nc6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f"])</script><script>self.__next_f.push([1,"0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\nc7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\nc5:{\"related\":\"$c6\",\"self\":\"$c7\"}\nbe:{\"data\":\"$bf\",\"links\":\"$c5\"}\nb3:{\"vid\":\"$b4\",\"revision_user\":\"$ba\",\"parent\":\"$be\"}\nae:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":\"$af\",\"attributes\":\"$b1\",\"relationships\":\"$b3\"}\nca:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c?resourceVersion=id%3A41\"}\nc9:{\"self\":\"$ca\"}\ncc:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\ncb:{\"drupal_internal__tid\":41,\"drupal_internal__revision_id\":41,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:04+00:00\",\"status\":true,\"name\":\"Application Security\",\"description\":null,\"weight\":0,\"changed\":\"2022-09-28T21:04:30+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$cc\"}\nd0:{\"drupal_internal__target_id\":\"topics\"}\ncf:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$d0\"}\nd2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/vid?resourceVersion=id%3A41\"}\nd3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/vid?resourceVersion=id%3A41\"}\nd1:{\"related\":\"$d2\",\"self\":\"$d3\"}\nce:{\"data\":\"$cf\",\"links\":\"$d1\"}\nd6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/revision_user?resourceVersion=id%3A41\"}\nd7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/revision_user?resourceVersion=id%3A41\"}\nd5:{\"related\":\"$d6\",\"self\":\"$d7\"}\nd4:{\"data\":null,\"links\":\"$d5\"}\nde:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\ndd:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$de\"}\ndc:{\"help\":\"$dd\"}\ndb:{\"links\":\"$dc\"}\nda:{\"type\":\"tax"])</script><script>self.__next_f.push([1,"onomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$db\"}\nd9:[\"$da\"]\ne0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/parent?resourceVersion=id%3A41\"}\ne1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/parent?resourceVersion=id%3A41\"}\ndf:{\"related\":\"$e0\",\"self\":\"$e1\"}\nd8:{\"data\":\"$d9\",\"links\":\"$df\"}\ncd:{\"vid\":\"$ce\",\"revision_user\":\"$d4\",\"parent\":\"$d8\"}\nc8:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"links\":\"$c9\",\"attributes\":\"$cb\",\"relationships\":\"$cd\"}\ne4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}\ne3:{\"self\":\"$e4\"}\ne6:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\ne5:{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$e6\"}\nea:{\"drupal_internal__target_id\":\"topics\"}\ne9:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$ea\"}\nec:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"}\ned:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}\neb:{\"related\":\"$ec\",\"self\":\"$ed\"}\ne8:{\"data\":\"$e9\",\"links\":\"$eb\"}\nf0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"}\nf1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}\nef:{\"related\":\"$f0\",\"self\":\"$f1\"}\nee:{\"data\":null,\"links\":\"$ef\"}\nf8:{\"about\":\"Usage and meaning of the 'virtual' resource identifier"])</script><script>self.__next_f.push([1,".\"}\nf7:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$f8\"}\nf6:{\"help\":\"$f7\"}\nf5:{\"links\":\"$f6\"}\nf4:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$f5\"}\nf3:[\"$f4\"]\nfa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"}\nfb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}\nf9:{\"related\":\"$fa\",\"self\":\"$fb\"}\nf2:{\"data\":\"$f3\",\"links\":\"$f9\"}\ne7:{\"vid\":\"$e8\",\"revision_user\":\"$ee\",\"parent\":\"$f2\"}\ne2:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":\"$e3\",\"attributes\":\"$e5\",\"relationships\":\"$e7\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--library\",\"id\":\"c31a4b70-e63d-4581-98e2-5237f4fef5e3\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c31a4b70-e63d-4581-98e2-5237f4fef5e3?resourceVersion=id%3A5779\"}},\"attributes\":{\"drupal_internal__nid\":476,\"drupal_internal__vid\":5779,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T16:04:51+00:00\",\"status\":true,\"title\":\"Risk Management Handbook Chapter 9: Maintenance (MA)\",\"created\":\"2022-08-29T17:52:12+00:00\",\"changed\":\"2024-08-05T16:04:51+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/risk-management-handbook-chapter-9-maintenance-ma\",\"pid\":466,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2020-04-07\",\"field_related_resources\":[{\"uri\":\"entity:node/631\",\"title\":\"CMS Acceptable Risk Safeguards (ARS) \",\"options\":[],\"url\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"},{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2)\",\"options\":[],\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"},{\"uri\":\"entity:node/681\",\"title\":\"CMS Security and Privacy Handbooks (all)\",\"options\":[],\"url\":\"/learn/cms-security-and-privacy-handbooks\"}],\"field_short_description\":{\"value\":\"RMH Chapter 9 provides information about the Maintenance family of controls that provide rules for the maintenance of CMS systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eRMH Chapter 9 provides information about the Maintenance family of controls that provide rules for the maintenance of CMS systems\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c31a4b70-e63d-4581-98e2-5237f4fef5e3/node_type?resourceVersion=id%3A5779\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c31a4b70-e63d-4581-98e2-5237f4fef5e3/relationships/node_type?resourceVersion=id%3A5779\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c31a4b70-e63d-4581-98e2-5237f4fef5e3/revision_uid?resourceVersion=id%3A5779\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c31a4b70-e63d-4581-98e2-5237f4fef5e3/relationships/revision_uid?resourceVersion=id%3A5779\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c31a4b70-e63d-4581-98e2-5237f4fef5e3/uid?resourceVersion=id%3A5779\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c31a4b70-e63d-4581-98e2-5237f4fef5e3/relationships/uid?resourceVersion=id%3A5779\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c31a4b70-e63d-4581-98e2-5237f4fef5e3/field_resource_type?resourceVersion=id%3A5779\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c31a4b70-e63d-4581-98e2-5237f4fef5e3/relationships/field_resource_type?resourceVersion=id%3A5779\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c31a4b70-e63d-4581-98e2-5237f4fef5e3/field_roles?resourceVersion=id%3A5779\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c31a4b70-e63d-4581-98e2-5237f4fef5e3/relationships/field_roles?resourceVersion=id%3A5779\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c31a4b70-e63d-4581-98e2-5237f4fef5e3/field_topics?resourceVersion=id%3A5779\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c31a4b70-e63d-4581-98e2-5237f4fef5e3/relationships/field_topics?resourceVersion=id%3A5779\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}},\"attributes\":{\"display_name\":\"jcallan - retired\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e?resourceVersion=id%3A91\"}},\"attributes\":{\"drupal_internal__tid\":91,\"drupal_internal__revision_id\":91,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:10:37+00:00\",\"status\":true,\"name\":\"Handbooks\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/vid?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/vid?resourceVersion=id%3A91\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/revision_user?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/revision_user?resourceVersion=id%3A91\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/parent?resourceVersion=id%3A91\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/e3394b9a-cbff-4bad-b68e-c6fad326132e/relationships/parent?resourceVersion=id%3A91\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26?resourceVersion=id%3A81\"}},\"attributes\":{\"drupal_internal__tid\":81,\"drupal_internal__revision_id\":81,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:09:11+00:00\",\"status\":true,\"name\":\"Data Guardian\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:09:11+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/vid?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/vid?resourceVersion=id%3A81\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/revision_user?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/revision_user?resourceVersion=id%3A81\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/parent?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/parent?resourceVersion=id%3A81\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c?resourceVersion=id%3A41\"}},\"attributes\":{\"drupal_internal__tid\":41,\"drupal_internal__revision_id\":41,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:04+00:00\",\"status\":true,\"name\":\"Application Security\",\"description\":null,\"weight\":0,\"changed\":\"2022-09-28T21:04:30+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/vid?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/vid?resourceVersion=id%3A41\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/revision_user?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/revision_user?resourceVersion=id%3A41\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/parent?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/parent?resourceVersion=id%3A41\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}},\"attributes\":{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}}}}}],\"includedMap\":{\"ab4b0312-f678-40b9-ae06-79025f52ff43\":\"$1a\",\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\":\"$24\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$28\",\"e3394b9a-cbff-4bad-b68e-c6fad326132e\":\"$2c\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$46\",\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\":\"$60\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$7a\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$94\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$ae\",\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\":\"$c8\",\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\":\"$e2\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Risk Management Handbook Chapter 9: Maintenance (MA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"RMH Chapter 9 provides information about the Maintenance family of controls that provide rules for the maintenance of CMS systems\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-9-maintenance-ma\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"Risk Management Handbook Chapter 9: Maintenance (MA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"RMH Chapter 9 provides information about the Maintenance family of controls that provide rules for the maintenance of CMS systems\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-9-maintenance-ma\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-9-maintenance-ma/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"Risk Management Handbook Chapter 9: Maintenance (MA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"RMH Chapter 9 provides information about the Maintenance family of controls that provide rules for the maintenance of CMS systems\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-9-maintenance-ma/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>
Reference in a new issue View git blame Copy permalink