CMS-10394 Qualified Entity Certification Program Data Security Rev

Application and Triennial Re-application to Be a Qualified Entity to Receive Medicare Data for Performance Measurement (ACA Section 10332) (CMS-10394)

3_QECP Data Security Review 2020 FINAL v1.1_508

OMB: 0938-1144

Qualified Entity Certification Program
Data Security Review
(QECP DSR)
September 30, 2020

Final, Version 1.1
CMS Qualified Entity Certification Program

For CMS Use Only
Privacy Board Approval Date:

Introduction to the QECP DSR
The Centers for Medicare & Medicaid Services (CMS) Qualified Entity Certification Program (QECP) (also known
as the Medicare Data Sharing for Performance Measurement Program) enables organizations to receive Medicare
Parts A and B claims data and Part D prescription drug event data for use in evaluating provider performance.
Organizations approved as Qualified Entities (QEs) are required to use the Medicare data to produce and publicly
disseminate CMS-approved reports on provider performance. QEs are also permitted to create non-public analyses
and provide or sell such analyses to authorized users. In addition, QEs may provide or sell combined data, or provide
Medicare claims data alone at no cost, to certain authorized users.
Under the QECP, CMS certifies QEs to receive these data and monitors certified QEs. As part of the Data Security
Review, or Phase 2 of the overall certification process, the organization must complete the following attestation
review, titled as the QECP DSR (formerly known as the QECP Data Security Workbook).
The QECP DSR follows a tailored framework modeled after the CMS Acceptable Risk Safeguards (ARS) Version
3.1, and provides a roadmap to compliance to ensure that CMS data is adequately secured and appropriately protected.
In addition to completing the QECP DSR, please upload the following context documents into the secure QECP
Salesforce Portal:
• An updated Data Flow Diagram with annotations documenting the flow of CMS data within your proposed
environment, which includes flow between physical locations and partner environments. An example diagram
has been provided in the QECP Phase 2 Toolkit located at https://www.qemedicaredata.org/apex/Phase_2.
• If you are utilizing any vendor(s) (e.g. Cloud Service Provider (CSP), colocation facility, data management
vendor), an executed Business Associate Agreement (BAA) between your organization and the vendor(s) that
demonstrates an understanding of the nature of data being stored, processed, and transmitted to/from the
vendor(s).
• Policy and procedure documents as support for the following five families: Access Control (AC),
Identification and Authentication (IA), Media Protection (MP), System and Services Acquisition (SA),
System and Information Integrity (SI).
To complete the QECP DSR, the QE organization must:
1. Provide organizational details, key contacts, data storage information, and relevant data breach incidents in
Sections A, B, C, and D.
2. Complete Section E by attesting to each security/privacy control question by selecting “Yes,” “No,” or
“N/A.” Please provide a narrative statement justification in the rationale section for each “No” or “N/A”
answer.
3. Complete Section F attesting to the understanding of shared responsibility and completeness of information
within the DSR.
In preparation of completing the QECP DSR, it is recommended that the QE organization:
• Collaborate with their institutional information security and privacy officials (e.g. the Chief Information
Security Officer, Technology Officer, Privacy Officer, System Manager, et al.);
• Collect organizational policies that discuss or mimic ARS security control families (e.g. access control
policies, awareness and training policies, audit & accountability policies, etc.); and
• Collect any other organizational policies and/or procedural documents that outline relevant security and
privacy baselines.
For any questions on specific controls or protocols when completing the QECP DSR, please contact your
organization’s assigned QECP Program Manager.

QECP DSR

Page 1

A. QE Organization Information
Directions: The Qualified Entity (QE) is the organization that has primary oversight of the research project. The QE may
or may not be the entity that stores the identifiable CMS data, but remains responsible for ensuring that controls are in
place and operating effectively for all parties, including data custodians and/or collaboration partners.
Please identify the organization(s) participating in the QECP application. Note which physical locations will store the
identifiable data, which organizations will access identifiable data, and if remote access to the data will be allowed.
*NOTE: CMS will allow only one entity to store identifiable CMS data. This section reflects this requirement by having
the data stored either with the QE or with a Data Custodian.

QE
    Address: ______________________________
    Store Identifiable Data    ☐ Yes ☐ No
    Access Identifiable Data   ☐ Yes ☐ No
    Remote Access              ☐ Yes ☐ No

Data Custodian
    Address: ______________________________
    Store Identifiable Data    ☐ Yes ☐ No
    Access Identifiable Data   ☐ Yes ☐ No
    Remote Access              ☐ Yes ☐ No

Collaboration Partner 1
    Address: ______________________________
    Access Identifiable Data   ☐ Yes ☐ No
    Remote Access              ☐ Yes ☐ No

Collaboration Partner 2
    Address: ______________________________
    Access Identifiable Data   ☐ Yes ☐ No
    Remote Access              ☐ Yes ☐ No


B. Key Individuals
Directions: Please identify key individuals for the QE organization.

Program Owner: ______________________________
    Responsible for overall management and oversight of the program. The main point of contact for the QECP.

System Security Officer: ______________________________
    Individual with overall security responsibility for the data and information systems used in the project.

Privacy Officer: ______________________________
    Individual with overall privacy responsibility for the information used in the project.
C. Data Storage Location(s)
Directions: The following section refers to the physical locations under direct control of the QE or Data Custodian where
identifiable CMS data will be stored, processed, or accessed. It also includes the name(s) of the individual(s) responsible
for each site’s physical security. Consider Data Centers, Work Sites, and Offsite Storage Locations (e.g. records
management, offsite backup storage).

QE: ______________________________
QE Address: ______________________________
QE Physical Security Contact(s): ______________________________
Data Custodian: ______________________________
Data Custodian Address: ______________________________
Data Custodian Physical Security Contact(s): ______________________________
If Utilizing a Cloud Service Provider (CSP): ______________________________

D. Data Breach Incidents
Source (Internal or External): ______________________________
Name of Organization Where Incident Occurred: ______________________________
Breached Data Type: ______________________________
Description of Incident: ______________________________
Number of Records/Individuals Affected: ______________________________
Description of Resolution: ______________________________
Resolution Date: ______________________________
E. Security and Privacy Controls
Directions: The following security and privacy controls are based on the CMS ARS Version 3.1. For each question,
please attest to whether or not your organization has implemented the listed control, focusing on the system(s) that will
contain CMS data. If “No” or “N/A” is selected, please provide rationale at the end of each sub-section.

1. Access Control (AC)

AC-1
Does your organization:
a. Have an Access Control policy (and subsequent procedures to facilitate the implementation of that policy) that
   addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational
   entities, and compliance for all parties using CMS data?  ☐ Yes ☐ No ☐ N/A
b. Review and update that policy and its subsequent procedures (as necessary) at least every 3 years?  ☐ Yes ☐ No ☐ N/A

AC-2, AC-2(2), AC-2(3)
Does your organization’s account management system:
a. Identify accounts for individuals, applications, groups, systems, guests/anonymous, emergency, and temporary?  ☐ Yes ☐ No ☐ N/A
b. Assign an account manager?  ☐ Yes ☐ No ☐ N/A
c. Establish conditions for group and role membership?  ☐ Yes ☐ No ☐ N/A
d. Ensure unique user accounts?  ☐ Yes ☐ No ☐ N/A
e. Require approvals by defined personnel or roles for account creation?  ☐ Yes ☐ No ☐ N/A
f. Keep audit records that track account changes (i.e. creating, enabling, modifying, disabling, deleting)?  ☐ Yes ☐ No ☐ N/A
g. Monitor the use of accounts?  ☐ Yes ☐ No ☐ N/A
h. Review user accounts periodically?  ☐ Yes ☐ No ☐ N/A
i. Centralize and automate account management?  ☐ Yes ☐ No ☐ N/A
j. Disable emergency accounts within 24 hours and temporary accounts within 60 days?  ☐ Yes ☐ No ☐ N/A
k. Automatically disable inactive accounts within 60 days?  ☐ Yes ☐ No ☐ N/A

AC-3
Does your organization ensure the information system uses logical access controls to restrict access to information
(e.g. roles, groups, file permissions)?  ☐ Yes ☐ No ☐ N/A

AC-5
Does your organization ensure the information system separates the duties of users?  ☐ Yes ☐ No ☐ N/A

AC-6, AC-6(1), AC-6(2), AC-6(5), AC-6(9), AC-6(10)
Does your organization ensure that users have the fewest permissions required to perform their job functions, to
include:
a. Disabling non-essential functions and removable media devices?  ☐ Yes ☐ No ☐ N/A
b. Ensuring security functions are explicitly authorized?  ☐ Yes ☐ No ☐ N/A
c. Ensuring that users utilize their own account to access systems, then escalate privileges to perform
   administrative functions?  ☐ Yes ☐ No ☐ N/A
d. Auditing all privileged account usage activities?  ☐ Yes ☐ No ☐ N/A

AC-7
Does your organization ensure that the information system enforces the automatic disabling/locking of accounts
for 1 hour after 5 invalid login attempts during a 120-minute time window?  ☐ Yes ☐ No ☐ N/A
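The AC-7 parameters quoted above (5 invalid attempts within a 120-minute window, 1-hour lock) describe a sliding-window lockout. The following is an added example written for this page, not code from the QECP DSR or from CMS; the class and method names (LockoutPolicy, record_failure, is_locked, simulate) and the sample account names are illustrative. It shows the two edge cases an assessor usually asks about: the lock expiring after exactly the configured duration, and old failures ageing out of the window so that they no longer count toward the threshold.

```python
"""Sliding-window account lockout matching the AC-7 parameters on this form.
Added example; names and sample data are constructed, not from the form."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LockoutPolicy:
    def __init__(self, max_attempts=5, window=timedelta(minutes=120),
                 lock_duration=timedelta(hours=1)):
        self.max_attempts = max_attempts      # 5 invalid attempts ...
        self.window = window                  # ... within a 120-minute window ...
        self.lock_duration = lock_duration    # ... locks the account for 1 hour
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> datetime the lock expires

    def _prune(self, account, now):
        """Drop failures older than the window so they no longer count."""
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        # Lock has expired: clear it and the failure history that caused it.
        del self._locked_until[account]
        self._failures[account].clear()
        return False

    def record_failure(self, account, now):
        """Record an invalid login; return True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True                       # attempts during a lock do not extend it here
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_attempts:
            self._locked_until[account] = now + self.lock_duration
            return True
        return False

    def record_success(self, account, now):
        """A successful login (only possible when unlocked) resets the counter."""
        if self.is_locked(account, now):
            return False
        self._failures[account].clear()
        return True


def simulate():
    """Walk two constructed accounts through the policy and return the outcomes."""
    policy = LockoutPolicy()
    t0 = datetime(2020, 9, 30, 9, 0)      # constructed start time
    out = {}
    # analyst1: four failures one minute apart, then a fifth -> locked for 1 hour
    for i in range(4):
        policy.record_failure("analyst1", t0 + timedelta(minutes=i))
    out["locked_after_4"] = policy.is_locked("analyst1", t0 + timedelta(minutes=4))
    out["locked_after_5"] = policy.record_failure("analyst1", t0 + timedelta(minutes=4))
    out["still_locked_30min"] = policy.is_locked("analyst1", t0 + timedelta(minutes=34))
    out["unlocked_after_1h"] = not policy.is_locked("analyst1", t0 + timedelta(minutes=65))
    # analyst2: four failures, then a fifth 125 minutes later -> the old ones have aged out
    for i in range(4):
        policy.record_failure("analyst2", t0 + timedelta(minutes=i))
    out["old_failures_aged_out"] = not policy.record_failure("analyst2", t0 + timedelta(minutes=125))
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The counter is kept per account rather than per source address, because AC-7 is an account-level control; a deployment would persist `_failures` and `_locked_until` in the authentication store and emit an audit record on each lock, which is what the AU-2 account and log-on events later in this form expect to see.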

AC-8
Does your organization ensure that the information system displays a notification or banner that provides
appropriate privacy and security notices before a user gains access to the system?  ☐ Yes ☐ No ☐ N/A

AC-11, AC-11(1)
Does your organization:
a. Ensure that user sessions lock after 15 minutes of inactivity and/or are automatically disconnected under
   specified circumstances?  ☐ Yes ☐ No ☐ N/A
b. Ensure that the information system conceals, via the session lock, information previously visible on the
   display with a publicly viewable image?  ☐ Yes ☐ No ☐ N/A

AC-12
Does your organization ensure that the information system automatically terminates a user session after defined
conditions or trigger events are met?  ☐ Yes ☐ No ☐ N/A

AC-14
Does your organization ensure that the information system defines what actions can be taken on the system without
authentication (e.g. viewing certain webpages with public information)?  ☐ Yes ☐ No ☐ N/A

AC-17, AC-17(1), AC-17(2), AC-17(3)
Does your organization ensure that remote connections:
a. Control access to privileged functions?  ☐ Yes ☐ No ☐ N/A
b. Have automated monitoring enabled in order to detect unauthorized connections or cyber-attacks?  ☐ Yes ☐ No ☐ N/A
c. Have connection requirements, such as cryptography, to ensure confidentiality and integrity?  ☐ Yes ☐ No ☐ N/A
d. Are routed through a limited number of managed access control points?  ☐ Yes ☐ No ☐ N/A

AC-18, AC-18(1)
Does your organization ensure that the information system has usage restrictions and implementation guidance
(e.g. encryption, access points in secure areas) for wireless access, if that type of access is authorized?  ☐ Yes ☐ No ☐ N/A

AC-19, AC-19(5)
Does your organization ensure that the information system has usage restrictions and implementation guidance
(e.g. appropriate configuration, device identification, updating operating system and antivirus software, full device
encryption, etc.) for mobile devices, if access by that means is authorized?  ☐ Yes ☐ No ☐ N/A

AC-20, AC-20(1), AC-20(2)
Does your organization:
a. Ensure that the information system does not use systems outside of the authorization boundary to store,
   transmit, or view system information?  ☐ Yes ☐ No ☐ N/A
b. Permit authorized individuals to use an external information system to access internal systems?  ☐ Yes ☐ No ☐ N/A
c. Restrict the use of organization-controlled portable storage devices by authorized individuals on external
   information systems?  ☐ Yes ☐ No ☐ N/A

AC-21
Does your organization ensure that the information system has a process for determining what is shared with
external users?  ☐ Yes ☐ No ☐ N/A

AC-22
Does your organization properly designate and train authorized individuals to ensure that publicly accessible
posted information does not contain nonpublic information?  ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.

Control(s) Referenced | Confirm Box Selected | Rationale
AC-?                  | ☐ No ☐ N/A           | Click or tap here to enter text.
AC-?                  | ☐ No ☐ N/A           | Click or tap here to enter text.

As support for the answers above, please upload specific organizational policy and/or procedural document(s)
to the secure QECP Salesforce Portal. In addition, please specify the control(s) referenced, document title,
page/section reference, and last reviewed date to support future requests for evidence if required. Please add
rows as needed.

Control(s) Referenced | Document Title, Page/Section Reference | Last Reviewed Date
AC-?                  | Click or tap here to enter text.        |
AC-?                  | Click or tap here to enter text.        |

2. Awareness and Training (AT)

AT-1
Does your organization:
a. Have an Awareness and Training policy (and subsequent procedures to facilitate the implementation of that
   policy) that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among
   organizational entities, and compliance for all parties using CMS data?  ☐ Yes ☐ No ☐ N/A
b. Review and update that policy and its subsequent procedures (as necessary) at least every 3 years?  ☐ Yes ☐ No ☐ N/A

AT-2
Does your organization ensure that the security training program is administered and completed within 60 days of
an individual assuming the role and every 365 days thereafter?  ☐ Yes ☐ No ☐ N/A

AT-2(2), AT-3
Does your organization ensure that the security training program includes modules for security and privacy
awareness, insider threat identification, and role-based security?  ☐ Yes ☐ No ☐ N/A

AT-4
Does your organization retain individual security training records for a minimum of 5 years after the individual
completes each training?  ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.

Control(s) Referenced | Confirm Box Selected | Rationale
AT-?                  | ☐ No ☐ N/A           | Click or tap here to enter text.
AT-?                  | ☐ No ☐ N/A           | Click or tap here to enter text.

3. Audit and Accountability (AU)

AU-1
Does your organization:
a. Have an Audit and Accountability policy (and subsequent procedures to facilitate the implementation of that
   policy) that addresses purpose, scope, roles, responsibilities, management commitment, coordination among
   organizational entities, and compliance for all parties using CMS data?  ☐ Yes ☐ No ☐ N/A
b. Review and update that policy and its subsequent procedures (as necessary) at least every 3 years?  ☐ Yes ☐ No ☐ N/A

AU-2
Does your organization ensure that the information system can audit events, to include:
a. Server alerts and error messages?  ☐ Yes ☐ No ☐ N/A
b. User log-on and log-off (successful or unsuccessful)?  ☐ Yes ☐ No ☐ N/A
c. All system administration activities?  ☐ Yes ☐ No ☐ N/A
d. Modification of privileges and access?  ☐ Yes ☐ No ☐ N/A
e. Start up and shut down?  ☐ Yes ☐ No ☐ N/A
f. Application modifications?  ☐ Yes ☐ No ☐ N/A
g. Application alerts and error messages?  ☐ Yes ☐ No ☐ N/A
h. Configuration changes?  ☐ Yes ☐ No ☐ N/A
i. Account creation, modification, or deletion?  ☐ Yes ☐ No ☐ N/A
j. File creation and deletion?  ☐ Yes ☐ No ☐ N/A
k. Read access to sensitive information?  ☐ Yes ☐ No ☐ N/A
l. Modification to sensitive information?  ☐ Yes ☐ No ☐ N/A
m. Printing sensitive information?  ☐ Yes ☐ No ☐ N/A
n. Anomalous (i.e. non-attributable) activity?  ☐ Yes ☐ No ☐ N/A
o. Data required by privacy monitoring controls?  ☐ Yes ☐ No ☐ N/A
p. Concurrent log-on from different workstations?  ☐ Yes ☐ No ☐ N/A
q. Override of access control mechanisms?  ☐ Yes ☐ No ☐ N/A
r. Process creation?  ☐ Yes ☐ No ☐ N/A
s. Attempts to create, read, write, modify, or delete files containing PII?  ☐ Yes ☐ No ☐ N/A

AU-2(3)
Does your organization review and update the list of auditable events at least every 365 days or when a
significant change to the system occurs?  ☐ Yes ☐ No ☐ N/A

AU-4
Does your organization ensure adequate storage capacity for 90 days of audit records?  ☐ Yes ☐ No ☐ N/A

AU-5
Does your organization:
a. Ensure the information system notifies administrators of audit process failures?  ☐ Yes ☐ No ☐ N/A
b. Take appropriate actions in response to an audit failure or audit storage capacity issue?  ☐ Yes ☐ No ☐ N/A

AU-6, AU-6(1), AU-6(3)
Does your organization:
a. Ensure that audit records are reviewed weekly for indications of inappropriate or unusual activity?  ☐ Yes ☐ No ☐ N/A
b. Report findings to defined personnel or roles?  ☐ Yes ☐ No ☐ N/A
c. Review key events (logons, errors, intrusion detection, network traffic, etc.) at least every 24 hours?  ☐ Yes ☐ No ☐ N/A
d. Perform manual reviews of system audit records randomly on demand but no less often than once every
   30 days?  ☐ Yes ☐ No ☐ N/A
e. Employ automated mechanisms to integrate audit review, analysis, and reporting processes to support
   organizational processes for investigation and response to suspicious activities?  ☐ Yes ☐ No ☐ N/A
f. Analyze and correlate audit records across different repositories to gain organization-wide situational
   awareness?  ☐ Yes ☐ No ☐ N/A
g. Ensure that audit records are searchable?  ☐ Yes ☐ No ☐ N/A

AU-8, AU-8(1)
Does your organization:
a. Ensure the internal system clocks generate time stamps for audit records?  ☐ Yes ☐ No ☐ N/A
b. Record time stamps for audit records that can be mapped to UTC or Greenwich Mean Time (GMT)?  ☐ Yes ☐ No ☐ N/A
c. Synchronize the internal information system clocks to an authoritative source, such as NIST Internet Time
   Servers, when the time difference is greater than 100 milliseconds?  ☐ Yes ☐ No ☐ N/A

AU-9, AU-9(4)
Does your organization:
a. Ensure the audit records and tools are protected from unauthorized access, modification, and deletion?  ☐ Yes ☐ No ☐ N/A
b. Authorize access to management of audit functionality only to those individuals or roles who are not subject
   to audit by that system?  ☐ Yes ☐ No ☐ N/A

AU-11
Does your organization ensure that audit records are retained for 90 days in “hot” storage and in archive storage
for 1 year (regular data) or 3 years (PII/PHI data)?  ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.

Control(s) Referenced | Confirm Box Selected | Rationale
AU-?                  | ☐ No ☐ N/A           | Click or tap here to enter text.
AU-?                  | ☐ No ☐ N/A           | Click or tap here to enter text.

4. Security Assessment and Authorization (CA)

CA-1
Does your organization:
a. Have a Security Assessment and Authorization policy (and subsequent procedures to facilitate the
   implementation of that policy) that addresses purpose, scope, roles, responsibilities, management commitment,
   coordination among organizational entities, and compliance for all parties using CMS data?  ☐ Yes ☐ No ☐ N/A
b. Review and update that policy and its subsequent procedures (as necessary) at least every 3 years?  ☐ Yes ☐ No ☐ N/A

CA-2, CA-2(1)
Does your organization:
a. Develop an information security and privacy control assessment plan that describes the scope of the
   assessment and contains the security and privacy controls under assessment, assessment procedures to
   determine control effectiveness, and the assessment environment/team/roles and responsibilities?  ☐ Yes ☐ No ☐ N/A
b. Conduct the security and privacy controls assessment within every 365 days?  ☐ Yes ☐ No ☐ N/A
c. Produce an assessment report that documents the results of the assessment?  ☐ Yes ☐ No ☐ N/A
d. Provide the written results of the assessment within 30 days after its completion to the Business Owner
   responsible for the system to facilitate review and necessary system documentation changes?  ☐ Yes ☐ No ☐ N/A
e. Employ independent assessors or assessment teams to conduct the security control assessments?  ☐ Yes ☐ No ☐ N/A

CA-3, CA-3(5)
Does your organization ensure that external and internal interconnections have:
a. An Interconnection Security Agreement (ISA), or other comparable agreement such as an MOU/MOA or SLA?  ☐ Yes ☐ No ☐ N/A
b. Documented interfaces, security requirements, and types of information exchanged?  ☐ Yes ☐ No ☐ N/A
c. ISAs updated once per year or after a significant change?  ☐ Yes ☐ No ☐ N/A
d. A deny-all, permit-by-exception policy for all defined connections?  ☐ Yes ☐ No ☐ N/A

CA-5
Does your organization develop a Plan of Action and Milestones (POAM) within 30 days of the submission of final
results for every internal/external audit/review or test in order to facilitate addressing findings and validating
completion of related tasks?  ☐ Yes ☐ No ☐ N/A

CA-6
Does your organization have an Authorizing Official (AO) who authorizes the information system for processing
prior to commencing any operations, at least every 3 years or after a significant change occurs?  ☐ Yes ☐ No ☐ N/A

CA-7
Does your organization ensure the information system has a continuous monitoring program to evaluate:
a. Metrics related to identified vulnerabilities and remediation?  ☐ Yes ☐ No ☐ N/A
b. Ongoing security assessments?  ☐ Yes ☐ No ☐ N/A

CA-8
Does your organization conduct both internal and external penetration testing, within every 365 days, on identified
systems?  ☐ Yes ☐ No ☐ N/A

CA-9
Does your organization authorize and document connections of defined internal systems, including the types of
personally owned equipment that may be internally connected, with organizational systems?  ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.

Control(s) Referenced | Confirm Box Selected | Rationale
CA-?                  | ☐ No ☐ N/A           | Click or tap here to enter text.
CA-?                  | ☐ No ☐ N/A           | Click or tap here to enter text.

5. Configuration Management (CM)

CM-1
Does your organization:
a. Have a Configuration Management policy (and subsequent procedures to facilitate the implementation of that
   policy) that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among
   organizational entities, and compliance for all parties using CMS data?  ☐ Yes ☐ No ☐ N/A
b. Review and update that policy and its subsequent procedures (as necessary) at least every 3 years?  ☐ Yes ☐ No ☐ N/A

CM-2
Does your organization ensure that the information system has a current baseline configuration image for hosts
within the system?  ☐ Yes ☐ No ☐ N/A

CM-2(1)
Does your organization ensure the baseline configuration is reviewed and updated every 365 days or when a critical
security patch is necessary?  ☐ Yes ☐ No ☐ N/A

CM-3, CM-3(2)
Does your organization:
a. Define which changes to the system are controlled (i.e. require approval)?  ☐ Yes ☐ No ☐ N/A
b. Review proposed changes with explicit attention to impact on security?  ☐ Yes ☐ No ☐ N/A
c. Document and retain change control decisions for 3 years after the change?  ☐ Yes ☐ No ☐ N/A
d. Periodically audit change control decisions?  ☐ Yes ☐ No ☐ N/A
e. Test, validate, and document changes to the information system before implementing the changes on the
   operational system?  ☐ Yes ☐ No ☐ N/A

CM-4
Does your organization:
a. Analyze changes to the information system to determine potential security and privacy impacts prior to
   change implementation?  ☐ Yes ☐ No ☐ N/A
b. Audit activities associated with configuration changes?  ☐ Yes ☐ No ☐ N/A

CM-5
Does your organization ensure that the information system uses physical and logical access restrictions to prevent
unauthorized changes to the system?  ☐ Yes ☐ No ☐ N/A

CM-7, CM-7(1), CM-7(2), CM-7(5)
Does your organization:
a. Ensure that the information system only allows essential capabilities, functions, software, ports, network
   protocols, and applications?  ☐ Yes ☐ No ☐ N/A
b. Review the information system no less often than once every 30 days to identify and eliminate unnecessary
   functions, ports, protocols, and/or services?  ☐ Yes ☐ No ☐ N/A
c. Perform automated reviews of the system no less often than once every 72 hours to identify changes in
   functions, ports, protocols, and/or services?  ☐ Yes ☐ No ☐ N/A
d. Disable functions, ports, protocols, and services within the system deemed to be unnecessary and/or
   non-secure?  ☐ Yes ☐ No ☐ N/A
e. Prevent program execution for unauthorized software?  ☐ Yes ☐ No ☐ N/A
f. Identify defined software programs authorized to execute (whitelist) on the information system, and review
   and update that list every 72 hours?  ☐ Yes ☐ No ☐ N/A

CM-8
Does your organization ensure that the information system maintains an up-to-date system inventory of all system
components, including:
a. Each component’s unique identifier and/or serial number?  ☐ Yes ☐ No ☐ N/A
b. Information system of which the component is a part?  ☐ Yes ☐ No ☐ N/A
c. Type of information system component (e.g. server, desktop, application)?  ☐ Yes ☐ No ☐ N/A
d. Manufacturer/model information?  ☐ Yes ☐ No ☐ N/A
e. Operating system type and version/service pack level?  ☐ Yes ☐ No ☐ N/A
f. Presence of virtual machines?  ☐ Yes ☐ No ☐ N/A
g. Application software version/license information?  ☐ Yes ☐ No ☐ N/A
h. Physical location (e.g. building/room number)?  ☐ Yes ☐ No ☐ N/A
i. Logical location (e.g. IP address, position within the information system [IS] architecture)?  ☐ Yes ☐ No ☐ N/A
j. Media access control (MAC) address?  ☐ Yes ☐ No ☐ N/A
k. Ownership?  ☐ Yes ☐ No ☐ N/A
l. Operational status?  ☐ Yes ☐ No ☐ N/A
m. Primary and secondary administrators?  ☐ Yes ☐ No ☐ N/A
n. Primary user?  ☐ Yes ☐ No ☐ N/A

CM-8(1)
Does your organization update the inventory of information system components as an integral part of component
installations, removals, and information system updates?  ☐ Yes ☐ No ☐ N/A

CM-11
Does your organization ensure that the information system prevents users from installing software through user
policies?  ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.

Control(s) Referenced | Confirm Box Selected | Rationale
CM-?                  | ☐ No ☐ N/A           | Click or tap here to enter text.
CM-?                  | ☐ No ☐ N/A           | Click or tap here to enter text.

6. Contingency Planning (CP)

CP-1
Does your organization:
a. Have a Contingency Planning policy (and subsequent procedures to facilitate the implementation of that
   policy) that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among
   organizational entities, and compliance for all parties using CMS data?  ☐ Yes ☐ No ☐ N/A
b. Review and update that policy and its subsequent procedures (as necessary) at least every 3 years?  ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.

Control(s) Referenced | Confirm Box Selected | Rationale
CP-1                  | ☐ No ☐ N/A           | Click or tap here to enter text.

7. Identification and Authentication (IA)

IA-1
Does your organization:
a. Have an Identification and Authentication policy (and subsequent procedures to facilitate the implementation
   of that policy) that addresses the purpose, scope, roles, responsibilities, management commitment, coordination
   among organizational entities, and compliance for all parties using CMS data?  ☐ Yes ☐ No ☐ N/A
b. Review and update that policy and its subsequent procedures (as necessary) at least every 3 years?  ☐ Yes ☐ No ☐ N/A

IA-2, IA-2(1), IA-2(2), IA-2(3), IA-2(8)
Does your organization:
a. Ensure that the information system uniquely identifies and authenticates organizational users (or processes
   acting on behalf of organizational users)?  ☐ Yes ☐ No ☐ N/A
b. Implement multifactor authentication (MFA) for network access to privileged accounts?  ☐ Yes ☐ No ☐ N/A
c. Implement MFA for network access to non-privileged accounts?  ☐ Yes ☐ No ☐ N/A
d. Implement MFA for local access to privileged accounts?  ☐ Yes ☐ No ☐ N/A
e. Implement replay-resistant authentication mechanisms for network access to privileged accounts?  ☐ Yes ☐ No ☐ N/A

IA-3
Does your organization ensure that the information system uniquely identifies devices (e.g. IP address,
hostname)?  ☐ Yes ☐ No ☐ N/A

IA-4
Does your organization ensure that the information system:
a. Successfully assigns unique identifiers to users and devices?  ☐ Yes ☐ No ☐ N/A
b. Does not reuse identifiers for 3 years?  ☐ Yes ☐ No ☐ N/A
c. Disables inactive identifiers after 60 days of inactivity?  ☐ Yes ☐ No ☐ N/A

IA-5, IA-5(1)
Does your organization ensure that the information system:
a. Verifies that the correct identifier is being issued to a person or device during authenticator
   distribution?  ☐ Yes ☐ No ☐ N/A
b. Has a standard for authenticator schema (e.g. first initial, last name, number if duplicate)?  ☐ Yes ☐ No ☐ N/A
c. Prohibits the use of dictionary names or words?  ☐ Yes ☐ No ☐ N/A
d. Enforces password requirements that meet or exceed the ARS baseline minimums?  ☐ Yes ☐ No ☐ N/A
e. Confirms the minimum password length for regular user passwords is 8 characters and 15 characters for
   administrator or privileged user passwords?  ☐ Yes ☐ No ☐ N/A
f. Sets the value at 6, if the operating environment enforces a minimum number of changed characters when new
   passwords are created?  ☐ Yes ☐ No ☐ N/A
g. Stores and transmits only encrypted representations of passwords?  ☐ Yes ☐ No ☐ N/A
h. Allows the use of a temporary password for system logons with an immediate change to a permanent
   password?  ☐ Yes ☐ No ☐ N/A
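Items c, e, f and g of IA-5 above are the parts of the password control that a system can enforce mechanically. The following is an added example written for this page, not code from the QECP DSR or from CMS, showing one way to check them: length minimums of 8 (regular) and 15 (privileged), rejection of dictionary words, at least 6 characters changed from the previous password, and storage of a salted hash rather than the password. The function names, the tiny word list, and the choice of Levenshtein edit distance as the measure of "changed characters" are assumptions of this example; the form itself does not say how changed characters are counted.

```python
"""Mechanical checks for the IA-5 password parameters quoted on this form.
Added example; names, word list and the edit-distance measure are assumptions."""
import hashlib
import hmac
import os

# Constructed sample of prohibited dictionary words (a real deployment would load a full list).
DICTIONARY = {"password", "welcome", "medicare", "summer", "letmein"}

PBKDF2_ITERATIONS = 200_000   # example work factor, not a value from the form
SALT_LEN = 16


def levenshtein(a, b):
    """Edit distance between two strings; used here to count changed characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_password(candidate, privileged=False, previous=None):
    """Return a list of policy violations (empty list means the password is acceptable)."""
    problems = []
    min_len = 15 if privileged else 8                 # IA-5 item e
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if candidate.lower() in DICTIONARY:               # IA-5 item c
        problems.append("dictionary word")
    if previous is not None and levenshtein(previous, candidate) < 6:   # IA-5 item f
        problems.append("fewer than 6 characters changed from the previous password")
    return problems


def hash_password(password, salt=None):
    """Store only a salted PBKDF2 digest, never the password (IA-5 item g)."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(check_password("Summer"))                                   # short and a dictionary word
    print(check_password("Tr0ub4dor&3", privileged=True))             # fine for a user, too short for an admin
    print(check_password("Tr0ub4dor&3x", previous="Tr0ub4dor&3"))    # only one character changed
    record = hash_password("CorrectHorseBatteryStaple")
    print(verify_password("CorrectHorseBatteryStaple", record))
```

The dictionary test here is an exact, case-insensitive match; a deployment would usually also reject passwords that merely contain a listed word, which is a stricter reading of item c than the form requires.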

IA-6
Does your organization ensure that the system obscures feedback of authentication information during the
authentication process to protect the information from possible exploitation/use by unauthorized
individuals?  ☐ Yes ☐ No ☐ N/A

IA-8
Does your organization ensure that the system uniquely identifies and authenticates non-organizational users (or
processes acting on behalf of non-organizational users) prior to granting access to all systems and
networks?  ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.

Control(s) Referenced | Confirm Box Selected | Rationale
IA-?                  | ☐ No ☐ N/A           | Click or tap here to enter text.
IA-?                  | ☐ No ☐ N/A           | Click or tap here to enter text.

As support for the answers above, please upload specific organizational policy and/or procedural document(s)
to the secure QECP Salesforce Portal. In addition, please specify the control(s) referenced, document title,
page/section reference, and last reviewed date to support future requests for evidence if required. Please add
rows as needed.

Control(s) Referenced | Document Title, Page/Section Reference | Last Reviewed Date
IA-?                  | Click or tap here to enter text.        |
IA-?                  | Click or tap here to enter text.        |

8. Incident Response (IR)
IR-1

Does your organization:
a. Have an Incident Response policy (and subsequent procedures to facilitate the implementation of that policy) that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated (as necessary) at least every 3 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

IR-2

Does your organization ensure that employees who have incident response duties complete incident response training within 1 month of assuming the role and complete incident response training every 365 days thereafter?

☐ Yes ☐ No ☐ N/A

IR-3

Does your organization test the incident response capability of the information system within every 365 days to determine the organization’s incident response effectiveness, and document its findings?

☐ Yes ☐ No ☐ N/A

IR-4

Does your organization:
a. Implement an incident handling capability?
b. Coordinate incident handling activities with contingency planning activities?
c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A

IR-5

Does your organization track and document all physical, information
security, and privacy incidents?

☐ Yes ☐ No ☐ N/A

IR-6

Does your organization require personnel to report actual or suspected
security and privacy incidents?

☐ Yes ☐ No ☐ N/A

IR-7

Does your organization provide an incident response support resource,
integral to the organizational incident response function, who offers
advice and assistance to users of the information system for the handling
and reporting of security incidents?

☐ Yes ☐ No ☐ N/A


IR-8

Does your organization develop an incident response plan that:
a. Provides the organization with a roadmap for implementing its
incident response capability?
b. Describes the structure and organization of the incident response
capability?
c. Provides a high-level approach for how the incident response
capability fits into the overall organization?
d. Meets the unique requirements of the organization, which relate
to mission, size, structure, and functions?
e. Defines reportable incidents?
f. Provides metrics for measuring the incident response capability
within the organization?
g. Defines the resources and management support needed to
effectively maintain and mature an incident response capability?
h. Is reviewed and approved by the applicable Incident Response
Team Leader?
i. Is distributed via copies to necessary CMS information security
officers and other incident response team personnel?
j. Is reviewed within every 365 days?
k. Is updated to address system/organizational changes or problems
encountered during plan implementation, execution, or testing?
l. Communicates incident response plan changes to the appropriate
CMS and organizational parties?
m. Is protected from unauthorized disclosure and modification?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A
e. ☐ Yes ☐ No ☐ N/A
f. ☐ Yes ☐ No ☐ N/A
g. ☐ Yes ☐ No ☐ N/A
h. ☐ Yes ☐ No ☐ N/A
i. ☐ Yes ☐ No ☐ N/A
j. ☐ Yes ☐ No ☐ N/A
k. ☐ Yes ☐ No ☐ N/A
l. ☐ Yes ☐ No ☐ N/A
m. ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
IR-? | Click or tap here to enter text. | ☐ No ☐ N/A
IR-? | Click or tap here to enter text. | ☐ No ☐ N/A

9. Maintenance (MA)
MA-1

Does your organization:
a. Have a Maintenance policy (and subsequent procedures to facilitate the implementation of that policy) that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated (as necessary) at least every 3 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

MA-2

Does your organization:
a. Schedule, perform, document, and review records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements?
b. Approve and monitor all maintenance activities, whether performed on-site or remotely?
c. Require that applicable staff approve the removal of system or system components from the organizational facilities for off-site maintenance or repairs?
d. Sanitize equipment to remove all information from associated media prior to removal?
e. Check all potentially impacted security controls to verify that controls are still functioning following maintenance or repair actions?
f. Include defined maintenance-related information in organizational maintenance records?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A
e. ☐ Yes ☐ No ☐ N/A
f. ☐ Yes ☐ No ☐ N/A

MA-3
MA-3(1)
MA-3(2)

Does your organization:
a. Approve, control, and monitor information system maintenance tools?
b. Inspect the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications?
c. Check media containing diagnostic and test programs for malicious code before the media are used in the information system?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A

MA-4

Does your organization:
a. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy?
b. Employ strong identification and authentication techniques in the establishment of nonlocal maintenance and diagnostic sessions?
c. Maintain records for nonlocal maintenance and diagnostic activities?
d. Terminate all sessions and network connections when nonlocal maintenance is completed?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A

MA-5

Does your organization:
a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel?
b. Ensure that non-escorted personnel performing maintenance on the information system have required access authorizations?
c. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A


If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
MA-? | Click or tap here to enter text. | ☐ No ☐ N/A
MA-? | Click or tap here to enter text. | ☐ No ☐ N/A

10. Media Protection (MP)
MP-1

Does your organization:
a. Have a Media Protection policy (and subsequent procedures to
facilitate the implementation of that policy) that addresses the
purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and
compliance for all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated
(as necessary) at least every 3 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

MP-2

Does your organization restrict access to sensitive digital and non-digital media, for example by disabling CD/DVD writers and USB ports, so that only appropriate personnel have access?

☐ Yes ☐ No ☐ N/A

MP-3

Does your organization ensure that the information system marks
system media based on the classification of information the media
holds?

☐ Yes ☐ No ☐ N/A

MP-4

Does your organization:
a. Physically control and securely store digital and non-digital media within controlled areas?
b. Protect information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

MP-5
MP-5(4)

Does your organization ensure that the information system protects media while being transported, to include:
a. Hand-carried – Uses a securable container (e.g. locked briefcase) via authorized personnel?
b. Shipping – Tracks with receipt by commercial carrier?
c. Maintaining accountability for information system media during transport outside of controlled areas?
d. Documenting activities associated with the transport of information system media?
e. Restricting the activities associated with the transport of information system media to authorized personnel?
f. Implementing cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A
e. ☐ Yes ☐ No ☐ N/A
f. ☐ Yes ☐ No ☐ N/A

MP-6
MP-6(1)

Does your organization:
a. Sanitize both digital and non-digital media prior to disposal, release out of organizational control, or release for reuse, using defined sanitization techniques and procedures?
b. Review, approve, track, document, and verify media sanitization and disposal actions?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

MP-7
MP-7(1)

Does your organization:
a. Ensure that the information system prohibits the use of personally owned media?
b. Prohibit the use of portable storage devices that have no identifiable owner?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

MP-CMS-1

Does your organization ensure that records of disposed media which contain sensitive information are maintained?

☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
MP-? | Click or tap here to enter text. | ☐ No ☐ N/A
MP-? | Click or tap here to enter text. | ☐ No ☐ N/A

As support for the answers above, please upload specific organizational policy and/or procedural document(s)
to the secure QECP Salesforce Portal. In addition, please specify the control(s) referenced, document title,
page/section reference, and last reviewed date to support future requests for evidence if required. Please add
rows as needed.
Control(s) Referenced | Document Title, Page/Section Reference | Last Reviewed Date
MP-? | Click or tap here to enter text. |
MP-? | Click or tap here to enter text. |

11. Physical and Environmental Protection (PE)
PE-1

Does your organization:
a. Have a Physical and Environmental Protection policy (and subsequent procedures to facilitate the implementation of that policy) that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated (as necessary) at least every 3 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

PE-2

Does your organization:
a. Ensure that the information system maintains a current list of authorized individuals to enter the facility?
b. Issue authorization credentials for facility access?
c. Review the access list detailing authorized facility access by individuals every 180 days?
d. Remove individuals from the facility access list when access is no longer required?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A

PE-3

Does your organization:
a. Verify individual access authorizations before granting access to the facility?
b. Control ingress/egress to the facility using guards and/or defined physical access control systems/devices (defined in the applicable security plan)?
c. Maintain physical access audit logs for defined entry/exit points (defined in the applicable security plan)?
d. Provide defined security safeguards (defined in the applicable security plan) to control access to areas within the facility officially designated as publicly accessible?
e. Escort visitors and monitor visitor activity in defined circumstances requiring visitor escorts and monitoring (defined in the applicable security plan)?
f. Secure keys, combinations, and other physical access devices?
g. Inventory defined physical access devices (defined in the applicable security plan) no less often than every 90 days?
h. Change combinations and keys for defined high-risk entry/exit points (defined in the applicable security plan) within every 365 days, and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A
e. ☐ Yes ☐ No ☐ N/A
f. ☐ Yes ☐ No ☐ N/A
g. ☐ Yes ☐ No ☐ N/A
h. ☐ Yes ☐ No ☐ N/A

PE-4

Does your organization ensure that telephone and network hardware and transmission lines (e.g. wiring closets, patch panels, etc.) are protected?

☐ Yes ☐ No ☐ N/A

PE-5

Does your organization control physical access to output devices (printers, etc.)?

☐ Yes ☐ No ☐ N/A

PE-6

Does your organization:
a. Monitor physical access to the facility where CMS data resides and respond to physical security incidents?
b. Review physical access logs weekly and upon occurrence of security incidents?
c. Coordinate results of reviews and investigations with the organization’s incident response capability?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A

PE-8

Does your organization:
a. Maintain visitor access records to the facility for 2 years?
b. Review visitor access records no less often than monthly?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
PE-? | Click or tap here to enter text. | ☐ No ☐ N/A
PE-? | Click or tap here to enter text. | ☐ No ☐ N/A

12. Planning (PL)
PL-1

Does your organization:
a. Have a Planning policy (and subsequent procedures to facilitate the implementation of that policy) that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated (as necessary) at least every 3 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

PL-2

Does your organization:
a. Develop comprehensive security plans for information systems?
b. Distribute copies of the plans and communicate changes to appropriate personnel?
c. Review the security plans every 365 days?
d. Update the plans at a minimum every 3 years?
e. Protect the security plans from unauthorized disclosure and modification?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A
e. ☐ Yes ☐ No ☐ N/A

PL-4
PL-4(1)

Does your organization:
a. Establish and make readily available to individuals requiring access to systems the rules that describe their responsibilities and expected behavior regarding usage?
b. Receive an acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before accessing the system?
c. Review and update the rules of behavior every 3 years?
d. Require individuals who have previously acknowledged rules of behavior to read and re-acknowledge them when the rules are revised/updated and at least every 365 days?
e. Inform employees and contractors that misuse of CMS data is a violation and is grounds for disciplinary action, monetary fines, and/or criminal charges that could result in imprisonment?
f. Include in the rules of behavior explicit restrictions on the use of social media/networking sites and on posting organizational information on public websites?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A
e. ☐ Yes ☐ No ☐ N/A
f. ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
PL-? | Click or tap here to enter text. | ☐ No ☐ N/A
PL-? | Click or tap here to enter text. | ☐ No ☐ N/A

13. Personnel Security (PS)
PS-1

Does your organization:
a. Have a Personnel Security policy (and subsequent procedures to facilitate the implementation of that policy) that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated (as necessary) at least every 3 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

PS-3

Does your organization:
a. Screen individuals prior to authorizing access to the information system?
b. Rescreen individuals periodically and any time they move to a new position with a higher risk designation?
c. Conduct background investigations?
d. Perform reinvestigations for active national security clearances?
e. Refuse employees and contractors access to the system until they have been vetted and have signed appropriate access agreements?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A
e. ☐ Yes ☐ No ☐ N/A

PS-4

Does your organization ensure that employee termination follows these steps:
a. Disable information system access before or during termination?
b. Terminate/revoke any authenticators/credentials associated with the individual?
c. Conduct exit interviews that include a discussion of non-disclosure of information security and privacy information?
d. Retrieve all security-related organizational information system-related property?
e. Retain access to organizational information and information systems formerly controlled by the terminated individual?
f. Notify defined personnel or roles (defined in the applicable security plan) within 1 calendar day?
g. Immediately escort employees terminated for cause out of the organization?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A
e. ☐ Yes ☐ No ☐ N/A
f. ☐ Yes ☐ No ☐ N/A
g. ☐ Yes ☐ No ☐ N/A

PS-5

Does your organization:
a. Review and confirm the ongoing need for current logical and physical access when individuals are reassigned or transfer to other positions within the organization?
b. Notify security management for modification of access cards and any applicable accounts within 30 days of the reassignment or transfer?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

PS-6

Does your organization:
a. Develop and document access agreements?
b. Review and update those agreements at a minimum of every 365 days?
c. Ensure that individuals requiring access acknowledge those agreements prior to access and re-acknowledge them within 365 days when those agreements have been updated?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A

PS-7

Does your organization ensure that third-party service providers (contractors, CSPs, vendor maintenance) follow the same personnel requirements as full-time employees?

☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
PS-? | Click or tap here to enter text. | ☐ No ☐ N/A
PS-? | Click or tap here to enter text. | ☐ No ☐ N/A

14. Risk Assessment (RA)
RA-1

Does your organization:
a. Have a Risk Assessment policy (and subsequent procedures to facilitate the implementation of that policy) that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated (as necessary) at least every 3 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

RA-3

Does your organization:
a. Conduct an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits?
b. Document risk assessment results in the applicable security plan?
c. Review risk assessment results within every 365 days?
d. Disseminate risk assessment results to affected stakeholders and Business Owners?
e. Update the risk assessment every 3 years, or whenever there are significant changes to the system?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A
e. ☐ Yes ☐ No ☐ N/A

RA-5
RA-5(5)

Does your organization:
a. Scan for vulnerabilities in the information system and hosted systems no less often than once every 72 hours and when new vulnerabilities are identified?
b. Employ vulnerability scanning tools and techniques?
c. Analyze vulnerability scan reports and results?
d. Remediate vulnerabilities based on the Business Owner’s risk prioritization?
e. Share information obtained from vulnerability scans and security control assessments with affected/related stakeholders to help eliminate similar vulnerabilities in other systems?
f. Implement privileged access authorization to operating system, telecommunications, and configuration components for selected vulnerability scanning activities to facilitate more thorough scanning?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A
e. ☐ Yes ☐ No ☐ N/A
f. ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
RA-? | Click or tap here to enter text. | ☐ No ☐ N/A
RA-? | Click or tap here to enter text. | ☐ No ☐ N/A

15. System and Services Acquisition (SA)
SA-1

Does your organization:
a. Have a System and Services Acquisition policy (and subsequent procedures to facilitate the implementation of that policy) that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated (as necessary) at least every 3 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

SA-2

Does your organization:
a. Determine information security requirements for the information system or service in mission/business process planning?
b. Determine, document, and allocate the resources required to protect the information system or service as part of its capital planning and investment control process?
c. Include information security requirements in mission/business case planning?
d. Establish a discrete line item for the implementation and management of information systems security?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A

SA-4

Does your organization include the following requirements in the acquisition contract (e.g. executed BAA) for the information system:
a. Security functional requirements?
b. Security strength requirements?
c. Security assurance requirements?
d. Security-related documentation requirements?
e. Requirements for protecting security-related documentation?
f. Description of the system development environment and the environment in which the system is intended to operate?
g. Acceptance criteria?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A
e. ☐ Yes ☐ No ☐ N/A
f. ☐ Yes ☐ No ☐ N/A
g. ☐ Yes ☐ No ☐ N/A

SA-5

Does your organization:
a. Obtain administrator documentation for the system?
b. Obtain user documentation for the system?
c. Document attempts to obtain documentation that is either unavailable or nonexistent?
d. Protect documentation as required?
e. Distribute documentation to defined personnel or roles?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A
e. ☐ Yes ☐ No ☐ N/A

SA-8

Does your organization ensure that the information system architecture is
designed following security engineering principles?

☐ Yes ☐ No ☐ N/A

SA-9

Does your organization ensure that any external connections outside of the accreditation boundary are covered by an Interconnection Security Agreement (ISA) or similar agreement?

☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
SA-? | Click or tap here to enter text. | ☐ No ☐ N/A
SA-? | Click or tap here to enter text. | ☐ No ☐ N/A

As support for the answers above, please upload specific organizational policy and/or procedural document(s)
to the secure QECP Salesforce Portal. In addition, please specify the control(s) referenced, document title,
page/section reference, and last reviewed date to support future requests for evidence if required. Please add
rows as needed.
Control(s) Referenced | Document Title, Page/Section Reference | Last Reviewed Date
SA-? | Click or tap here to enter text. |
SA-? | Click or tap here to enter text. |

16. System and Communications Protection (SC)
SC-1

Does your organization:
a. Have a System and Communications Protection policy (and subsequent procedures to facilitate the implementation of that policy) that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated (as necessary) at least every 3 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

SC-2

Does your organization ensure that administrative and regular user interfaces are separate?

☐ Yes ☐ No ☐ N/A

SC-4

Does your organization prevent unauthorized and unintended information transfer via shared system resources?

☐ Yes ☐ No ☐ N/A

SC-7
SC-7(3)
SC-7(5)
SC-7(7)

Does your organization ensure that the information system:
a. Monitors and controls communications at the external boundary of the system, both physically and logically, and at key internal boundaries within the system (e.g. firewall, IDS/IPS)?
b. Implements subnetworks for publicly accessible system components that are logically separated from internal organizational networks?
c. Connects to external networks or information systems only through managed interfaces in accordance with an organizational security architecture?
d. Limits the number of external network connections?
e. At managed interfaces, denies network communications traffic by default and allows network communications traffic by exception (i.e. deny all, permit by exception)?
f. In conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A
e. ☐ Yes ☐ No ☐ N/A
f. ☐ Yes ☐ No ☐ N/A

SC-10

Does your organization ensure that the information system:
a. Disconnects Dynamic Host Configuration Protocol (DHCP) sessions after 7 days?
b. Disconnects VPN connections after 30 minutes of inactivity?
c. Has the ability to terminate a network connection as required?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A

SC-12

Does your organization ensure that the information system has a
cryptographic key management system that complies with HHS
standards?

☐ Yes ☐ No ☐ N/A

SC-13

Does your organization ensure that the information system uses FIPS 140-2 validated cryptographic modules to protect data in motion and/or at rest?

☐ Yes ☐ No ☐ N/A

SC-15

Does your organization prohibit running collaborative computing
mechanisms (e.g. networked white boards, cameras, and microphones)
unless explicitly authorized?

☐ Yes ☐ No ☐ N/A

SC-23

Does your organization protect the authenticity of communication
sessions?

☐ Yes ☐ No ☐ N/A

SC-28

Does your organization protect the confidentiality and integrity of
information (PII and PHI) at rest?

☐ Yes ☐ No ☐ N/A


SC-CMS-1

Does your organization implement controls to protect sensitive
information that is sent via email?

☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
SC-? | Click or tap here to enter text. | ☐ No ☐ N/A
SC-? | Click or tap here to enter text. | ☐ No ☐ N/A

17. System and Information Integrity (SI)
SI-1

Does your organization:
a. Have a System and Information Integrity policy (and subsequent procedures to facilitate the implementation of that policy) that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated (as necessary) at least every 3 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

SI-2

Does your organization:
a. Identify, report, and correct system flaws?
b. Test flaw remediation updates prior to installation on production systems?
c. Correct security-related system flaws within 10 business days on production servers and within 30 days on all others?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A

SI-3
SI-3(1)
SI-3(2)

Does your organization’s information system use malicious code protection that:
a. Is installed at system entry and exit points to detect and eradicate malicious code?
b. Scans critical file systems every 12 hours and performs full system scans no less often than once every 72 hours?
c. Is centrally managed?
d. Has up-to-date virus definitions?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A

SI-4
SI-4(4)
SI-4(5)
SI-4(14)

Does your organization:
a. Monitor the information system for attacks and indicators of potential attacks?
b. Monitor for unauthorized local, network, and remote connections?
c. Monitor inbound and outbound communications traffic at a defined frequency for unusual or unauthorized activities or conditions?
d. Generate alerts to defined personnel notifying them of the presence of malicious code, unauthorized export of information, or potential intrusions?
e. Monitor for rogue wireless devices in order to detect attack attempts?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A
e. ☐ Yes ☐ No ☐ N/A

Page 27

SI-5

Does your organization:
a. Receive information security alerts, advisories, and directives on
an ongoing basis?
b. Generate internal security alerts, advisories, and directives as
deemed necessary?
c. Disseminate security alerts, advisories, and directives to defined
personnel or roles?
d. Implement security directives in accordance with established
time frames?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A

SI-7

Does your organization employ integrity verification tools to detect
unauthorized changes to software, firmware, and information?

☐ Yes ☐ No ☐ N/A
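As an added illustration of what an SI-7 integrity verification tool does (example code written for this review, not part of the CMS form and not any QE's tooling): it baselines a directory tree with SHA-256, seals the manifest with an HMAC so that whoever altered the files cannot also quietly rewrite the baseline, and on the next pass reports modified, added and removed files. The directory contents, the sealing key and the "tampered" edits are all constructed for the demo.

```python
"""Integrity verification for a software/config tree: build a SHA-256
baseline, seal it with an HMAC so the baseline itself cannot be silently
rewritten, then detect modified, added and removed files on a later pass."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Demo key only; in practice the sealing key lives off the monitored host
# (a KMS, an HSM, or the monitoring server), never beside the manifest.
DEMO_KEY = b"demo-key-do-not-use"


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file (path relative to root) to its SHA-256.
    Symlinks are skipped so a link pointing at an unchanged file cannot
    stand in for the file that was replaced."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def seal_baseline(baseline: dict, key: bytes) -> bytes:
    """Serialize the baseline with an HMAC-SHA256 tag over canonical JSON."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"tag": tag, "body": body}).encode()


def open_baseline(blob: bytes, key: bytes) -> dict:
    """Reject a manifest whose tag does not verify (edited, or forged without the key)."""
    envelope = json.loads(blob)
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("baseline manifest failed integrity check")
    return json.loads(envelope["body"])


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree on disk with the baseline; each list is sorted."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo_detect_changes() -> dict:
    """Constructed scenario: baseline a small tree, then change it three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "loader.sh").write_text("#!/bin/sh\necho load\n")
        (root / "config.ini").write_text("[db]\nhost=localhost\n")
        sealed = seal_baseline(build_baseline(root), DEMO_KEY)
        # Simulated unauthorized changes: a script edited, a file dropped in,
        # a config file deleted.
        (root / "bin" / "loader.sh").write_text("#!/bin/sh\necho load\necho tampered\n")
        (root / "bin" / "helper").write_bytes(b"\x7fELF")
        (root / "config.ini").unlink()
        return verify(root, open_baseline(sealed, DEMO_KEY))


def demo_tampered_manifest() -> bool:
    """Someone who rewrites the manifest to match their changes cannot
    recompute the tag without the key, so open_baseline refuses it."""
    envelope = json.loads(seal_baseline({"bin/loader.sh": "0" * 64}, DEMO_KEY))
    envelope["body"] = json.dumps({"bin/loader.sh": "1" * 64})
    try:
        open_baseline(json.dumps(envelope).encode(), DEMO_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo_detect_changes())
    print("tampered manifest rejected:", demo_tampered_manifest())
```

Run as a script to see the three detected changes and the rejected manifest. A deployment would run verify on a schedule, alert on any non-empty list (the SI-4 item on generated alerts), and keep the sealing key and a copy of the sealed manifest off the monitored host. Hashing covers files only; firmware and package integrity still rely on the vendor's signed manifests or measured boot.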

SI-8
SI-8(1)
SI-8(2)

Does your organization:
a. Employ spam protection mechanisms at information system
entry and exit points to detect and act on unsolicited messages?
b. Update spam protection mechanisms when new releases are
available?
c. Centrally manage spam protection mechanisms?
d. Automatically update spam protection mechanisms?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A

SI-10

Does your organization check the validity of defined information inputs
for accuracy, completeness, validity, and authenticity as close to the
point of origin as possible?

☐ Yes ☐ No ☐ N/A

SI-11

Does your organization's information system:
a. Generate error messages that provide the information necessary for
corrective action without revealing information that could be
exploited by adversaries?
b. Reveal error messages only to defined personnel or roles?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
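Added example, not from the CMS form: one request handler that applies SI-10 (validate at the boundary, before anything downstream sees the data) and SI-11 (errors useful to the caller, with internals only in a log that defined roles can read). It assumes a hypothetical provider-lookup request carrying an NPI and a measure id; the measure ids, the two backend functions and the failure message are constructed for the demo. The NPI check-digit test is the Luhn algorithm with the scheme's fixed "80840" prefix folded in as the constant 24. The leaky handler is shown only as the pattern SI-11 is meant to rule out.

```python
"""Boundary validation (SI-10) and non-leaking error responses (SI-11)."""
import logging
import re
import traceback
import uuid

log = logging.getLogger("qe.lookup")

# Assumed request shape for this example: {"npi": "...", "measure": "..."}.
NPI_RE = re.compile(r"^\d{10}$")
ALLOWED_MEASURES = {"readmission_30d", "hba1c_control"}  # hypothetical measure ids


class ValidationError(ValueError):
    """Carries the offending field and a reason the caller may safely see."""
    def __init__(self, field: str, reason: str):
        super().__init__(f"{field}: {reason}")
        self.field, self.reason = field, reason


def npi_check_digit_ok(npi: str) -> bool:
    """Luhn check over the 9 base digits; the fixed '80840' prefix used by
    the NPI scheme contributes a constant 24 to the running sum."""
    total = 24
    for i, ch in enumerate(reversed(npi[:9])):  # rightmost base digit first
        d = int(ch)
        if i % 2 == 0:  # double every other digit starting at the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return (total + int(npi[9])) % 10 == 0


def validate_lookup(raw) -> dict:
    """Completeness, format and validity checks applied at the point of
    origin, before the database or report builder touches the input."""
    if not isinstance(raw, dict):
        raise ValidationError("body", "expected a JSON object")
    for field in ("npi", "measure"):
        if field not in raw:
            raise ValidationError(field, "missing")
    npi, measure = raw["npi"], raw["measure"]
    if not isinstance(npi, str) or not NPI_RE.match(npi):
        raise ValidationError("npi", "must be exactly 10 digits")
    if not npi_check_digit_ok(npi):
        raise ValidationError("npi", "check digit does not verify")
    if measure not in ALLOWED_MEASURES:
        raise ValidationError("measure", "unknown measure id")
    return {"npi": npi, "measure": measure}


def leaky_handler(raw, backend):
    """What SI-11 forbids: exception text and traceback (host names, paths,
    query text) go straight back to the caller."""
    try:
        return 200, backend(validate_lookup(raw))
    except Exception as exc:
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


def safe_handler(raw, backend):
    """Hardened: validation failures name the caller's own field; anything
    else becomes a generic message plus a reference id. Full detail is
    logged, where only defined roles can read it."""
    ref = uuid.uuid4().hex[:12]
    try:
        return 200, backend(validate_lookup(raw))
    except ValidationError as exc:
        return 400, {"error": "invalid_input", "field": exc.field,
                     "reason": exc.reason, "ref": ref}
    except Exception:
        log.exception("lookup failed ref=%s", ref)
        return 500, {"error": "internal_error", "ref": ref}


def failing_backend(req):
    """Constructed backend failure whose message carries internal detail."""
    raise RuntimeError("connection to db-prod-01.internal:5432 refused")


def ok_backend(req):
    """Constructed backend result."""
    return {"npi": req["npi"], "measure": req["measure"], "score": 0.91}


if __name__ == "__main__":
    good = {"npi": "1234567893", "measure": "hba1c_control"}
    print(safe_handler(good, ok_backend))
    print(safe_handler({"npi": "1234567890", "measure": "hba1c_control"}, ok_backend))
    print(safe_handler(good, failing_backend))
    print(leaky_handler(good, failing_backend))
```

The reference id is what makes the generic message workable: support staff match it to the log entry that holds the traceback, so the caller gets something actionable without the system revealing its database host or file layout.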

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
SI-? | Click or tap here to enter text. | ☐ No ☐ N/A
SI-? | Click or tap here to enter text. | ☐ No ☐ N/A

As support for the answers above, please upload specific organizational policy and/or procedural document(s)
to the secure QECP Salesforce Portal. In addition, please specify the control(s) referenced, document title,
page/section reference, and last reviewed date to support future requests for evidence if required. Please add
rows as needed.
Control(s) Referenced | Document Title, Page/Section Reference | Last Reviewed Date
SI-? | Click or tap here to enter text. |
SI-? | Click or tap here to enter text. |

18. Program Management (PM)
PM-1

Does your organization:
a. Develop and disseminate an organization-wide information
security program that is approved by a senior official with
responsibility and accountability for organizational risk?
b. Is that program reviewed and updated (as necessary) at least
every 365 days?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

PM-2

Does your organization have a Chief Information Security Officer
appointed to manage the security program, or similarly recognized
official?

☐ Yes ☐ No ☐ N/A

PM-4

Does your organization have a process that tracks, documents, and
rectifies findings?

☐ Yes ☐ No ☐ N/A

PM-12

Does your organization implement an insider threat program that
includes a cross-discipline insider threat incident handling team?

☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
PM-? | Click or tap here to enter text. | ☐ No ☐ N/A
PM-? | Click or tap here to enter text. | ☐ No ☐ N/A

19. Authority and Purpose (AP)
AP-CMS-1

Does your organization determine and document the legal authority that
permits the collection, use, maintenance, and sharing of PII, either
generally or in support of specific programs and the needs of information
systems?

☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for the above listed control-specific question, please provide a brief rationale
explaining why your organization has chosen not to implement the applicable control.
Control(s) Referenced | Rationale | Confirm Box Selected
AP-CMS-1 | Click or tap here to enter text. | ☐ No ☐ N/A

20. Accountability, Audit and Risk Management (AR)
AR-1

Does your organization:
a. Appoint a Senior Official for Privacy (SOP) accountable for
developing, implementing, and maintaining an organization-wide
governance and privacy program to ensure compliance with all
applicable laws and regulations regarding the collection, use,
maintenance, sharing, and disposal of PII by programs and
information systems?
b. Monitor federal privacy laws and policy for changes that affect
the privacy program?
c. Allocate an appropriate budget and staffing resources to
implement and operate the organization-wide privacy program?
d. Develop a strategic organizational privacy plan for implementing
applicable privacy controls, policies, and procedures?
e. Develop, disseminate, and implement operational privacy
policies and procedures that govern the appropriate privacy and
security controls for programs, information systems, or
technologies involving PII?
f. Update the privacy plan, policies, and procedures as required to
address changing requirements, but no less often than every 2
years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A
d. ☐ Yes ☐ No ☐ N/A
e. ☐ Yes ☐ No ☐ N/A
f. ☐ Yes ☐ No ☐ N/A

AR-3

Does your organization:
a. Establish privacy roles, responsibilities, and access requirements
for contractors and service providers?
b. Include privacy requirements in contracts and other
acquisition-related documents?
c. Review, every 2 years, a random sample of contracts to ensure
that the contracts include clauses that make all requirements and
penalty provisions of the Privacy Act apply to the contractor or
service provider and its personnel?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A

AR-4

Does your organization:
a. Monitor and audit privacy controls at least every 365 days to
ensure effective implementation?
b. Monitor for changes to applicable privacy laws, regulations, and
policy affecting internal privacy policy no less often than once
every 365 days to ensure internal privacy policy remains
effective?
c. Document, track, and ensure mitigation of corrective actions
identified through monitoring or auditing?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A

AR-5

Does your organization:
a. Develop, implement, and routinely update a comprehensive
privacy training and awareness strategy?
b. Administer basic and targeted privacy training no less often than
once every 365 days?
c. Ensure that personnel certify (manually or electronically)
acceptance of responsibilities for privacy requirements no less
often than once every 365 days?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A

AR-8

Does your organization ensure that an accurate accounting of information
disclosures is kept for the life of the record or 5 years after the disclosure
was made, whichever is longer?

☐ Yes ☐ No ☐ N/A

AR-CMS-1

Does your organization:
a. Have an Accountability, Audit, and Risk Management policy
(and subsequent procedures to facilitate the implementation of
that policy) that identifies the purpose, scope, roles,
responsibilities, and management commitment for all parties
using CMS data?
b. Is that policy and subsequent procedures reviewed and updated
(as necessary) at least every 2 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
AR-? | Click or tap here to enter text. | ☐ No ☐ N/A
AR-? | Click or tap here to enter text. | ☐ No ☐ N/A

21. Data Quality and Integrity (DI)
DI-CMS-1

Does your organization:
a. Have a Data Quality and Integrity policy (and subsequent
procedures to facilitate the implementation of that policy) that
addresses the purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and
compliance for all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated
(as necessary) at least every 2 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
DI-CMS-1 | Click or tap here to enter text. | ☐ No ☐ N/A

22. Data Minimization and Retention (DM)
DM-1(1)

Does your organization, where feasible and within the limits of
technology and the law, locate and remove/redact specified PII and/or
use anonymization and de-identification techniques to permit
authorized use of the retained information while reducing its sensitivity
and reducing the risk resulting from disclosure?

☐ Yes ☐ No ☐ N/A

DM-2

Does your organization:
a. Retain each collection of PII for the time period specified by
the NARA-approved Records Schedule?
b. Dispose of, destroy, erase, and/or anonymize the PII in a
manner that prevents loss, theft, misuse, or unauthorized
access?
c. Use FIPS-validated techniques or methods to ensure secure
deletion or destruction of PII (including originals, copies, and
archived records)?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A

DM-3
DM-3(1)

Does your organization:
a. Develop policies and procedures that minimize the use of PII
for testing, training, and research?
b. Implement controls to protect PII used for testing, training, and
research?
c. Where feasible, use techniques to minimize the risk to privacy
of using PII for research, testing, or training?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A
c. ☐ Yes ☐ No ☐ N/A

DM-CMS-1

Does your organization:
a. Have a Data Minimization and Retention policy (and
subsequent procedures to facilitate the implementation of that
policy) that addresses the purpose, scope, roles, responsibilities,
management commitment, coordination among organizational
entities, and compliance for all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated
(as necessary) at least every 2 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
DM-? | Click or tap here to enter text. | ☐ No ☐ N/A
DM-? | Click or tap here to enter text. | ☐ No ☐ N/A

23. Individual Participation and Redress (IP)
IP-CMS-1

Does your organization:
a. Have an Individual Participation and Redress policy (and
subsequent procedures to facilitate the implementation of that
policy) that addresses the purpose, scope, roles, responsibilities,
management commitment, coordination among organizational
entities, and compliance for all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated
(as necessary) at least every 2 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
IP-CMS-1 | Click or tap here to enter text. | ☐ No ☐ N/A

24. Security (SE)
SE-1

Does your organization:
a. Establish, maintain, and update every 365 days, an inventory that
contains a listing of all programs and information systems
identified as collecting, using, maintaining, or sharing PII?
b. Provide each update of the PII inventory to the appropriate
personnel?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

SE-2

Does your organization:
a. Develop and implement a Privacy Incident and Breach Response
Plan?
b. Provide an organized and effective response to privacy incidents
and breaches?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

SE-CMS-1

Does your organization:
a. Have a Security policy (and subsequent procedures to facilitate
the implementation of that policy) that addresses the purpose,
scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance for
all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated
(as necessary) at least every 2 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
SE-? | Click or tap here to enter text. | ☐ No ☐ N/A
SE-? | Click or tap here to enter text. | ☐ No ☐ N/A

25. Transparency (TR)
TR-3

Does your organization:
a. Ensure that the public has access to information about its privacy
activities and can communicate with its Senior Official for
Privacy (SOP)?
b. Ensure that its privacy practices are publicly available through
organizational websites or otherwise?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

TR-CMS-1

Does your organization:
a. Have a Transparency policy (and subsequent procedures to
facilitate the implementation of that policy) that addresses the
purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance for
all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated
(as necessary) at least every 2 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A


If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
TR-? | Click or tap here to enter text. | ☐ No ☐ N/A
TR-? | Click or tap here to enter text. | ☐ No ☐ N/A

26. Use Limitation (UL)
UL-1
UL-2

Does your organization use PII or PHI:
a. Internally – only for the authorized purpose(s) identified in the
Privacy Act?
b. Externally – only for authorized purposes by permission of an
authorized Business Associate Agreement (BAA) with third parties,
specifically describing the PII covered and the purposes for
which it may be used?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

UL-CMS-1

Does your organization:
a. Have a Use Limitation policy (and subsequent procedures to
facilitate the implementation of that policy) that addresses the
purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance for
all parties using CMS data?
b. Is that policy and subsequent procedures reviewed and updated
(as necessary) at least every 2 years?

a. ☐ Yes ☐ No ☐ N/A
b. ☐ Yes ☐ No ☐ N/A

If “No” or “N/A” was selected for any of the above listed control-specific questions, please provide a brief
rationale explaining why your organization has chosen not to implement the applicable control. Please add
rows as needed.
Control(s) Referenced | Rationale | Confirm Box Selected
UL-? | Click or tap here to enter text. | ☐ No ☐ N/A
UL-? | Click or tap here to enter text. | ☐ No ☐ N/A

F. Overall Attestations and Audit Agreement
By the Security or Privacy Officer’s attestations and signature below, the applicant validates that the responses and the
information provided on this form and any other supporting documents related to this review are in fact true, complete,
and accurate. All related policies, procedures, and controls specified above may be subject to audit by CMS or CMS
appointed personnel, including possible on-site engagements. If required, this audit will be at the cost of the applicant.
Our organization is utilizing a Cloud Service Provider (CSP), and understands that security
and compliance are a shared responsibility between us, the customer, and the CSP. As the
customer, we have responsibility for security ‘in’ the cloud (customer data, applications,
identity & access management, etc.), while the CSP has responsibility for security ‘of’ the
cloud (compute, storage, networking, regions, availability zones, etc.).

☐ Yes ☐ No ☐ N/A

I have reviewed all information, either presented above or attached to this review, and
attest that it is in fact true, complete, and accurate.

☐ Yes ☐ No

Name of QE



Name of Person Attesting



Title of Person Attesting



Signature of Person Attesting



Date



File Type: application/pdf
File Title: QECP Phase 2 Data Security Review 2020
Author: CMS OEDA
File Modified: 2021-12-29
File Created: 2021-10-14