Document

Microsoft Word - QECP-DSR_Redline

ICR 202607-0938-003 · OMB 0938-1144 · Object 170831100.

Document Viewer [pdf]

Status: Original and derived artifacts are available for this document.

Download: pdf

Primary: pdfSource: application/pdf
Loading document viewer…

Document Metadata

Record metadata
application/pdf
Microsoft Word - QECP-DSR_Redline
MMV6
PScript5.dll Version 5.2.2
2026-07-07
2026-07-07
complete

Extracted Text

Qualified Entity Certification Program
Data Security Review
Final, Version 2.0

Table of Contents
Introduction to the QECP DSR ..................................................................................................... 1
QECP DSR ................................................................................................................................... 3
A.
B.
C.
D.
E.

QE Organization & Data Details .................................................................................... 3
Key Individuals .............................................................................................................. 5
Data Security Breaches ................................................................................................ 5
Security and Privacy Controls ....................................................................................... 6
Overall Attestations and Audit Agreement .................................................................. 26

List of Tables
Table 1: Organization Information ................................................................................................. 3
Table 2: Key Individuals ................................................................................................................ 5
Table 3: Data Security Breaches .................................................................................................. 5
Table 4: Access Control (AC) ....................................................................................................... 6
Table 5: AC Rationale ................................................................................................................... 7
Table 6: AC Rationale Document(s) ............................................................................................. 8
Table 7: Awareness and Training (AT) ......................................................................................... 8
Table 8: AT Rationale ................................................................................................................... 8
Table 9: Audit and Accountability (AU) ......................................................................................... 9
Table 10: AU Rationale ............................................................................................................... 10
Table 11: Security Assessment and Authorization (CA) ............................................................. 10
Table 12: CA Rationale ............................................................................................................... 10
Table 13: Configuration Management (CM) ................................................................................ 11
Table 14: CM Rationale .............................................................................................................. 11
Table 15: Contingency Planning (CP) ......................................................................................... 12
Table 16: CP Rationale ............................................................................................................... 12
Table 17: Identification and Authentication (IA) .......................................................................... 12
Table 18: IA Rationale ................................................................................................................ 13
Table 19: IA Rationale Document(s) ........................................................................................... 13
Table 20: Incident Response (IR) ............................................................................................... 13
Table 21: IR Rationale ................................................................................................................ 14
Table 22: Maintenance (MA) ....................................................................................................... 15
Table 23: MA Rationale .............................................................................................................. 15
Table 24: Media Protection (MP) ................................................................................................ 15
Table 25: MP Rationale .............................................................................................................. 16
Table 26: MP Rationale Document(s) ......................................................................................... 16
Table 27: Physical and Environmental Protection (PE) .............................................................. 17
Table 28: PE Rationale ............................................................................................................... 18
Table 29: Planning (PL) .............................................................................................................. 18
Table 30: PL Rationale ............................................................................................................... 18
Table 31: Personnel Security ...................................................................................................... 18
Table 32: PS Rationale ............................................................................................................... 19
Table 33: Risk Assessment (RA) ................................................................................................ 19
Table 34: System and Services Acquisition (SA) ........................................................................ 20
QECP DSR

ii

Table 35: SA Rationale ............................................................................................................... 21
Table 36: SA Rationale Document(s) ......................................................................................... 21
Table 37: System and Communications Protection (SC) ............................................................ 21
Table 38: SC Rationale ............................................................................................................... 22
Table 39: System and Information Integrity (SI) ......................................................................... 22
Table 40: SI Rationale ................................................................................................................ 23
Table 41: SI Rationale Document(s) ........................................................................................... 24
Table 42: Program Management (PM) ....................................................................................... 24
Table 43: PM Rationale .............................................................................................................. 24
Table 44: Personally Identifiable Information Processing and Transparency (PT) ..................... 25
Table 45: PT Rationale ............................................................................................................... 25
Table 46: Supply Chain Risk Management (SR) ........................................................................ 25
Table 47: SR Rationale ............................................................................................................... 26
Table 48: Attestation ................................................................................................................... 26

QECP DSR

iii

Introduction to the QECP DSR
The Centers for Medicare & Medicaid Services (CMS) Qualified Entity Certification Program
(QECP) (also known as the Medicare Data Sharing for Performance Measurement Program)
enables organizations to receive Medicare Parts A and B claims data and Part D prescription
drug event data for use in evaluating provider performance.
Under the QECP, CMS certifies Qualified Entities (QEs) to receive these data and monitors
certified QEs. As part of the Data Security Review (DSR), or Phase 2 of the overall certification
process, the organization must complete the following attestation questionnaire.
The QECP DSR follows a tailored framework modeled after the CMS Acceptable Risk
Safeguards (ARS) Version 5.1, and provides a roadmap to compliance to ensure that CMS data
is adequately secured and appropriately protected.
In addition to completing the QECP DSR, please upload the following context documents into
the secure QECP Salesforce Portal:






An updated Data Flow Diagram with annotations documenting the flow of CMS data
within your proposed environment, which includes flow between physical locations and
partner environments. An example diagram has been provided in the QECP Phase 2
Toolkit located on the QECP website.
If you are utilizing any vendors (e.g., Cloud Service Provider (CSP), colocation facility,
data management vendor), show proof of an executed Business Associate Agreement
(BAA) between your organization and those vendors. This documentation should
show the names of the parties involved, effective dates of the agreement, and
appropriate signatures. Please do not attach generic documents.
Policy and procedure documents as support for the following five families: Access
Control (AC), Identification and Authentication (IA), Media Protection (MP), System
and Services Acquisition (SA), System and Information Integrity (SI).

To complete the QECP DSR, the QE organization must:
1.

Provide organization and data details, key contacts, and relevant data breach incidents
in Sections A, B, and C.
Complete Section D by attesting to each security/privacy control question (i.e., selecting
Yes or No). Please provide a narrative statement justification in the rationale section for
each No or Not Applicable (NA) answer.
Complete Section E by attesting to the understanding of shared responsibility and
completeness of information within the DSR.

2.
3.

In preparation of completing the QECP DSR, it is recommended that the QE organization
completes the following:




Collaborate with their institutional information security and privacy officials (i.e., the
Chief Information Security Officer, Technology Officer, Privacy Officer, System
Manager, et al.);
Collect organizational policies that discuss or mimic ARS security control families
(e.g., access control policies, awareness and training policies, audit & accountability
policies, etc.); and
Collect any other organizational policies and/or procedural documents that outline
relevant security and privacy baselines.

QECP DSR

1

For any questions on specific controls or protocols when completing the QECP DSR, contact
your organization’s assigned QECP Program Manager.

QECP DSR

2

QECP DSR
A.

QE Organization & Data Details

Directions: The QE is the organization that has primary oversight of the research project. The
QE may or may not be the entity that stores the identifiable CMS data, but overall remains
responsible for ensuring that controls are in place and operating effectively for all parties,
including data custodians and/or partners.
Please identify the organization(s) participating in the QECP application. Note which physical
location will store the identifiable data and which organizations will access identifiable data.
Note: CMS will allow only one entity to store identifiable CMS data. This section reflects this
requirement by having the data stored either with the QE or with a Data Custodian.
If a CSP will be used by either the QE or Data Custodian to store or process CMS data, please
note that in Table 1.
Table 1: Organization Information
Item

Response Data

QE Organization Name

QE Organization Name

QE Address

QE Address

Does the QE store identifiable data?

Yes
No

Does the QE access identifiable data?

Yes
No

Computing Environment Type

CSP
On-site (Facility owned by QE)
Off-site (Colocation or Leased Space)
Hybrid: Uses CSP & On-site/Off-site

Computing Environment Address(es)

Computing Environment Address(es)

Cloud Service Provider (CSP)

CSP Name

QECP DSR

3

Item
Our environment is utilizing a Cloud Service
Provider (CSP), and we understand that security
and compliance are a shared responsibility
between us, the customer, and the CSP. As the
customer, we have responsibility for security ‘in’
the cloud (customer data, applications, identity &
access management, etc.), while the CSP has
responsibility for security ‘of’ the cloud (compute,
storage, networking, regions, availability zones,
etc.). we have responsibility for security ‘in’ the
cloud (customer data, applications, identity &
access management, etc.), while the CSP has
responsibility for security ‘of’ the cloud (compute,
storage, networking, regions, availability zones,
etc.).
Data Custodian Organization Name
Does the Data Custodian store identifiable data?

Response Data

Yes
No
NA

Data Custodian Name or NA if the QE
Organization is the Data Custodian
Yes
No

Does the Data Custodian access identifiable
data?
Data Custodian Address

QECP DSR

Yes
No
Data Custodian Address

4

B.

Key Individuals

Directions: Identify key individuals for the QE organization.
Table 2: Key Individuals
Item
Response Data

Description

Program
Owner

Insert Program Owner
Name

Responsible for overall management and oversight of
the program. The main point of contact for the QECP.

System
Security Officer

Insert System Security
Officer Name and Title

Individual with overall security responsibility for the data
and information systems used in the project.

Privacy Officer

Insert Privacy Officer
Name and Title

Individual with overall privacy responsibility for the
information used in the project.

C.

Data Security Breaches

Directions: Report any data security breaches that your organization has experienced during
the last 10 years. This would include all data security incidents involving unauthorized access or
disclosure of Protected Health Information (PHI) and/or Personally Identifiable Information (PII).
Also include any unresolved incidents from previous years. Copy the table if multiple incidents
need to be reported.
NA. Our organization has not experienced any data security breaches during the last 10
years.
Table 3: Data Security Breaches
Item
Has your organization experienced any data security breaches
during the last 10 years?

Response Data
Yes
No

How many?

Number of security incidents

Incident Date

Incident Date

Source (Internal or External)

Internal or External

Name of Organization Where Incident Occurred

Organization Name

Breached Data Type

PHI or PII or Both

Description of Incident

Describe Event

Number of Records/Individuals Affected

Number of Records/Individuals
Affected

Description of Resolution

Describe Resolution

Resolution Date

Resolution Date or Pending (if in
process)

QECP DSR

5

D.

Security and Privacy Controls

Directions: For each question, attest to whether your organization has implemented the listed
control, focusing on the system(s) that will contain CMS data. If No is selected, provide rationale
at the end of each subsection.
Table 4: Access Control (AC)
Control (s)
AC-1

AC-2

AC-3

AC-4

AC-5

AC-6
AC-6(1)
AC-6(7)
AC-6(9)
AC-7

AC-8

AC-11

QECP DSR

Item

Response
Data

Does your organization have an Access Control policy (and subsequent
procedures to facilitate the implementation of that policy) that addresses
the purpose, scope, responsibility, management commitment, coordination
among organizational entities, and compliance for all parties using CMS
data? Is the policy disseminated to the appropriate personnel or roles? Is
that policy reviewed and updated (as necessary) annually?

Yes

Does your organization’s account management system assign an account
manager, ensure unique user accounts, ensure group/role conditions for
membership, review user accounts periodically, and notify account
managers within 30 days when accounts are no longer required or when
system users are terminated or transferred?

Yes

Does your organization ensure the information system uses logical access
controls to restrict access to information (e.g., roles, groups, file
permissions)?

Yes

Does your organization ensure it controls information flow within the
system and any interconnected (internal or external) systems?

Yes

Does your organization ensure the information system separates the
duties of users?

Yes

Does your organization ensure that only authorized users have
permissions required to perform their job duties by disabling non-essential
functions; ensure security functions are explicitly authorized; review
privileges assigned to users every 90 days; ensure that authorized users
use their own account to access the system; escalate privileges to perform
administrative functions; and log all privileged account usage activities?

Yes

Does your organization ensure that the information system enforces the
automatic disabling/locking of accounts for 1 hour after five invalid login
attempts during a 120-minute time window?

Yes

Does your organization ensure that the information system displays a
notification or banner that provides appropriate privacy and security
notices before gaining access to the system?

Yes

Does your organization ensure that user sessions lock after 15 minutes of
inactivity and/or are automatically disconnected under specified
circumstances; and ensure that the information system conceals, via the
session lock, information previously visible on the display with a publicly
viewable image?

Yes

No

No

No

No

No

No

No

No

No

6

Control (s)
AC-12

AC-14

AC-17
AC-17(1)
AC-17(2)
AC-17(3)

Item

Response
Data

Does your organization ensure that the information system automatically
terminates a user session after defined conditions or trigger events are
met?

Yes

Does your organization ensure that the information system defines what
actions can be taken on the system without authentication (e.g., viewing
certain webpages with public information)?

Yes

Does your organization’s remote connections have usage restrictions;
connection requirements such as cryptography and managed network
access control points; and guidelines for user access? Are they monitored
through audit records and explicitly authorize the usage of privileged
commands through the remote connection?

Yes

Does your organization ensure that the information system has usage
restrictions and implementation guidance (e.g., encryption, access points
in secure areas) for wireless access, if that type of access is authorized?

Yes

Does your organization establish configuration requirements, connection
requirements, and implementation guidance for mobile devices?

Yes

Does your organization ensure that the information system does not allow
external systems to process, store, or transmit system information unless
explicitly authorized?

Yes

Does your organization have a process for approved information-sharing
circumstances that determines what is shared with external users (e.g.,
collaborators) and ensures that access authorizations assigned to these
users aligns with the organization’s access restrictions?)

Yes

No

No

No

AC-17(4)
AC-18

AC-19

AC-20
AC-20(1)

No

No

No

AC-20(2)
AC-21

No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 5: AC Rationale
Control (s)
Referenced
AC-

Rationale

Rationale

As support for the answers above, upload specific organizational policy and/or procedural
document(s) to the secure QECP Salesforce Portal. In addition, specify the control(s)
referenced, document title, page/section reference, and last reviewed date to support future
requests for evidence if required. Add rows as needed.

QECP DSR

7

Table 6: AC Rationale Document(s)
Control (s)
Document, Title, Page/Section Reference
Referenced
AC-

Document, Title, Page/Section Reference

Table 7: Awareness and Training (AT)
Control (s)
AT-1

AT-2

AT-2(2)
AT-2(3)
AT-3

AT-3(5)

AT-4

Item

Response
Data

Does your organization have an Awareness and Training policy (and
subsequent procedures to facilitate the implementation of that policy) that
addresses the purpose, scope, responsibility, management commitment,
coordination among organizational entities, and compliance for all parties
using CMS data? Is the policy disseminated to the appropriate personnel
or roles? Is that policy reviewed and updated (as necessary) annually?

Yes

Does your organization ensure that system users (including managers,
senior executives, and contractors) receive security and privacy literacy
training as part of initial training for new users, annually thereafter, and
when required by system changes or events as defined by the
organization; and that such users certify manually or electronically
completion of that training?

Yes

Does your organization ensure that the security training program includes
modules for security and privacy awareness, insider threat identification,
and social engineering?

Yes

Does your organization ensure that personnel are trained to carry out their
assigned information security or privacy related duties and responsibilities
prior to them assuming their security or privacy specific roles and
responsibilities? Do they receive additional training based on system
changes (e.g., statute, regulation, or policy changes) and at least once a
year for refreshed role-based security and privacy training?

Yes

Does your organization provide personnel (both contractor and employee)
with initial and annual training in the employment and operation of
personally identifiable information processing and transparency controls.

Yes

Does your organization retain individual security training records for a
minimum of 5 years after the individual completes each training?

Yes

No

No

No

No

No

No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 8: AT Rationale
Control (s)
Referenced
AT-

QECP DSR

Rationale

Rationale

8

Table 9: Audit and Accountability (AU)
Control (s)
AU-1

AU-2

Item

Response
Data

Does your organization have an Auditing and Accountability policy (and
subsequent procedures to facilitate the implementation of that policy) that
addresses the purpose, scope, responsibility, management commitment,
coordination among organizational entities, and compliance for all parties
using CMS data? Is the policy disseminated to the appropriate personnel
or roles? Is that policy reviewed and updated (as necessary) annually?

Yes

Does your organization’s information system have the capability to log
events in support of the audit function including:

Yes

No

No

User log on and log off (successful and unsuccessful); all system
administration activities; modification of privileges and access; application
alerts and error messages; configuration changes, account creation;
modification or deletion; concurrent log on from different workstations;
override of access control mechanisms; startup/shutdown of audit logging
services; and audit logging service configuration changes?
AU-3
AU-3(1)

Does your organization ensure that the audit records from the information
system contain the following metadata to support the detection,
monitoring, investigation, response, and remediation of security and
privacy incidents:

Yes
No

Date and time of the event (e.g., timestamp); process identifier or system
component (e.g., software, hardware) generating the event; user or
account that initiated the event (unique username/identifier); event type;
event outcome (success/failure); any privileged system functions
executed; process creation information (command line captures if
applicable)?
AU-6(3)

AU-7(1)

Does your organization analyze and correlate audit records across
different repositories to gain organization-wide situational awareness?

Yes

Does your organization ensure audit records are searchable?

Yes

No

No
AU-8

AU-9
AU-9(4)
AU-11

QECP DSR

Does your organization ensure the internal system clocks of the
information systems are regularly synchronized with a common
authoritative time source (e.g., atomic clocks, external Network Time
Protocol (NTP) server, National Institute of Standards and Technology
(NIST) time service, etc.) and that audit records use the internal system
clocks to generate a time stamp?

Yes

Does your organization ensure that audit information and audit logging
tools are protected from unauthorized access, deletion, and modification?
Is access to the management of audit logging functionality limited to a
subset of privileged users?

Yes

Does your organization ensure that audit records are retained for 90 days
in “hot” storage and archive storage for 1 year (regular data) or 3 years
(PII/PHI data)?

Yes

No

No

No

9

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 10: AU Rationale
Control (s)
Referenced
AU-

Rationale

Rationale

Table 11: Security Assessment and Authorization (CA)
Control (s)
Item
CA-1

CA-2

CA-2(1)

CA-3
CA-9
CA-7

Response
Data

Does your organization have a Security Assessment and Authorization
policy (and subsequent procedures to facilitate the implementation of that
policy) that addresses the purpose, scope, responsibility, management
commitment, coordination among organizational entities, and compliance
for all parties using CMS data? Is the policy disseminated to the
appropriate personnel or roles? Is that policy reviewed and updated (as
necessary) annually?

Yes

Does your organization develop an information security and privacy control
assessment plan that describes the scope of the assessment and contains
the controls under assessment, assessment procedures to determine
control effectiveness, the assessment environment/team/roles and
responsibilities?

Yes

Does your organization conduct information security and privacy control
assessments annually using independent assessors?

Yes

Does your organization approve and manage the exchange of information
between the system and other systems where CMS data resides and
document, as part of exchange agreements, the security and privacy
requirements, controls, and responsibilities of each system?

Yes

Does your organization have a continuous monitoring program that
manages identified vulnerabilities, remediation, and ongoing security and
privacy assessments and reports the security and privacy status of the
system to appropriate personnel or roles?

Yes

No

No

No

No

No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 12: CA Rationale
Control (s)
Referenced
CA-

QECP DSR

Rationale

Rationale

10

Table 13: Configuration Management (CM)
Control (s)
CM-1

CM-2

CM-3

CM-5

CM-6

CM-7
CM-7(5)
CM-8
CM-8(1)

Item

Response
Data

Does your organization have a Configuration Management policy (and
subsequent procedures to facilitate the implementation of that policy) that
addresses the purpose, scope, responsibility, management commitment,
coordination among organizational entities, and compliance for all parties
using CMS data? Is the policy disseminated to the appropriate personnel
or roles? Is that policy reviewed and updated (as necessary) annually?

Yes

Does your organization ensure that the information system has a current
baseline configuration image for hosts within the system?

Yes

Does your organization track, review, approve or disapprove, and log
changes to organizational information systems?

Yes

Does your organization ensure that the information system uses physical
and logical access restrictions to prevent unauthorized changes?

Yes

Does your organization establish and document configuration settings for
components employed within the system using the latest security baseline
configurations?

Yes

Does your organization ensure that the configuration of the information
system allows only essential functions, software, ports, protocols, and
applications (whitelisting)?

Yes

Does your organization maintain and review at least every 180 days an
up-to-date system inventory to include all boundary components, such as:

Yes

No

No

No

No

No

No

No

Each component’s unique identifier and/or serial number; the information
system of which the component is a part; the type of information system
component (e.g., server, desktop, application); the manufacturer/model
information; the operating system type and version/service pack level; the
presence of virtual machines; the application software version/license
information; the physical location (e.g., building/room number); the logical
location (e.g., Internet Protocol (IP) address, position with the information
system (IS) architecture); the media access control (MAC) address;
ownership; operational status; primary and secondary administrators; and
primary use?
CM-11

Does your organization ensure that the information system prevents users
from installing software through user policies?

Yes
No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 14: CM Rationale
Control (s)
Referenced
CM-

QECP DSR

Rationale

Rationale
11

Table 15: Contingency Planning (CP)
Control (s)
CP-1

CP-9

Item

Response
Data

Does your organization have a Contingency Planning policy (and
subsequent procedures to facilitate the implementation of that policy) that
addresses the purpose, scope, responsibility, management commitment,
coordination among organizational entities, and compliance for all parties
using CMS data? Is the policy disseminated to the appropriate personnel
or roles? Is that policy reviewed and updated (as necessary) annually?

Yes

Does your organization perform weekly and/or daily backups of user-level
information, system-level information, and information system
documentation? Does your organization protect the confidentiality,
integrity, and availability of backups containing CMS data?

Yes

No

No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 16: CP Rationale
Control (s)
Referenced
CP-

Rationale

Rationale

Table 17: Identification and Authentication (IA)
Control (s)
Item
IA-1

IA-2
IA-2(1)
IA-2(2)

Response
Data

Does your organization have an Identification and Authentication policy
(and subsequent procedures to facilitate the implementation of that policy)
that addresses the purpose, scope, responsibility, management
commitment, coordination among organizational entities, and compliance
for all parties using CMS data? Is the policy disseminated to the
appropriate personnel or roles? Is that policy reviewed and updated (as
necessary) annually?

Yes

Does your organization ensure that the information system uniquely
identifies and authenticates organizational users (or processes acting on
behalf of organizational users), and implements multifactor authentication
(MFA) for network access to privileged and non-privileged accounts?

Yes

Does your organization uniquely identify and authenticate devices prior to
granting access to organizational systems through effective identity
proofing and authentication processes? Does your organization establish
requirements for device authenticators; define reuse conditions; and set
minimum and maximum lifetimes for each authenticator type to be used?

Yes

Does your organization successfully assign unique identifiers to users and
devices; prevent reuse of identifiers for 3 years; and disable identifiers
after 60 days of inactivity?

Yes

No

No

IA-12
IA-3
IA-5
IA-5(1)
IA-4

QECP DSR

No

No

12

Control (s)
IA-6

Item

Response
Data

Does your organization ensure that the system obscures feedback of
authentication information during the authentication process to protect the
information from possible exploitation/use by unauthorized individuals?

Yes
No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 18: IA Rationale
Control (s)
Referenced
IA-

Rationale

Rationale

As support for the answers above, upload specific organizational policy and/or procedural
document(s) to the secure QECP Salesforce Portal. In addition, specify the control(s)
referenced, document title, page/section reference, and last reviewed date to support future
requests for evidence if required. Add rows as needed.
Table 19: IA Rationale Document(s)
Control (s)
Document, Title, Page/Section Reference
Referenced
IA-

Document, Title, Page/Section Reference

Table 20: Incident Response (IR)
Control (s)
IR-1

IR-2

IR-3

IR-4

QECP DSR

Item

Response
Data

Does your organization have an Incident Response policy (and
subsequent procedures to facilitate the implementation of that policy) that
addresses the purpose, scope, responsibility, management commitment,
coordination among organizational entities, and compliance for all parties
using CMS data? Is the policy disseminated to the appropriate personnel
or roles? Is that policy reviewed and updated (as necessary) annually?

Yes

Does your organization ensure that employees who have incident
response duties complete incident response training within 1 month of
assuming the role and annually thereafter, and that incident response
training content is reviewed and updated annually?

Yes

Does your organization test the incident response capability of the
information system annually to determine the organization’s incident
response effectiveness, and document its findings?

Yes

Does your organization implement an incident handling capability,
coordinate incident handling activities with contingency planning activities,
and incorporate lessons learned from ongoing incident handling activities
into incident response procedures, training, and testing/exercises?

Yes

No

No

No

No

13

Control (s)
IR-5

IR-6

IR-7

IR-8

IR-8(1)

Item

Response
Data

Does your organization track and document all physical, information
security, and privacy incidents?

Yes

Does your organization require personnel to report actual or suspected
security and privacy incidents?

Yes

Does your organization provide an incident response support resource,
integral to the organizational incident response function, who offers advice
and assistance to users of the information system for the handling and
reporting of security incidents?

Yes

Does your organization have an incident response plan that:

Yes

Provides the organization with a roadmap for implementing its incident
response (IR) capability; describes the structure and organization of the
incident response capability; provides a high-level approach for how the
incident response capability fits into the overall organization; meets the
unique requirements of the organization, which relate to mission, size,
structure, and functions; defines reportable incidents; provides metrics for
measuring the incident response capability within the organization; defines
the resources and management support needed to effectively maintain
and mature an incident response capability; is reviewed and approved by
the applicable Incident Response Team Leader; is distributed to the
organization’s information security officers and other incident response
team personnel; is reviewed annually or when an IR event(s)
demonstrates a change and/or update is needed to improve the IR Plan; is
updated to address system/organizational changes or problems
encountered during plan implementation, execution, or testing;
communicate incident response plan changes to the organizational
elements listed above; and is protected from unauthorized disclosure and
modification?

No

Does your organization include the following in the incident response plan
for breaches involving PII/PHI:

Yes

No

No

No

No

A process to determine if notice to individuals or other organizations,
including oversight organizations, is needed; an assessment process to
determine the extent of harm, embarrassment, inconvenience, or
unfairness to affected individuals and any mechanisms to mitigate such
harms; and identification of any applicable privacy requirements.

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 21: IR Rationale
Control (s)
Referenced
IR-

QECP DSR

Rationale

Rationale

14

Table 22: Maintenance (MA)
Control (s)
MA-1

MA-3
MA-3(1)
MA-3(2)

Item

Response
Data

Does your organization have a Maintenance policy (and subsequent
procedures to facilitate the implementation of that policy) that addresses
the purpose, scope, responsibility, management commitment, coordination
among organizational entities, and compliance for all parties using CMS
data? Is the policy disseminated to the appropriate personnel or roles? Is
that policy reviewed and updated (as necessary) annually?

Yes

Does your organization approve, control, and monitor information system
maintenance tools; inspect the maintenance tools carried into a facility by
maintenance personnel for improper or unauthorized modifications; and
check media containing diagnostic and test programs for malicious code
before the media are used in the information system?

Yes

No

No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 23: MA Rationale
Control (s)
Referenced
MA-

Rationale

Table 24: Media Protection (MP)
Control (s)
MP-1

MP-3

MP-4

QECP DSR

Rationale

Item

Response
Data

Does your organization have a Media Protection policy (and subsequent
procedures to facilitate the implementation of that policy) that addresses
the purpose, scope, responsibility, management commitment, coordination
among organizational entities, and compliance for all parties using CMS
data? Is the policy disseminated to the appropriate personnel or roles? Is
that policy reviewed and updated (as necessary) annually?

Yes

Does your organization mark information system media based on the
sensitivity of information the media holds?

Yes

Does your organization physically control and securely store digital and
non-digital media within controlled areas; and protect information system
media until the media are destroyed or sanitized using approved
equipment, techniques, and procedures?

Yes

No

No

No

15

Control (s)
MP-5

MP-6
MP-6(1)
MP-7

Item

Response
Data

Does your organization protect media:

Yes

While being transported, to include hand-carried/uses a securable
container (e.g., locked briefcase) via authorized personnel; shipped/tracks
with receipt by commercial carrier; maintains accountability for information
system media during transport outside of controlled areas; documents
activities associated with the transport of information system media; and
restricts the activities associated with the transport of information system
media to authorized personnel?

No

Does your organization sanitize both digital and non-digital media prior to
disposal, release out of organizational control, or release for reuse using
defined sanitization techniques and procedures; and review, approve,
track, document, and verify media sanitization and disposal actions?

Yes

Does your organization prohibit the use of personally owned storage
media and ensure that allowed portable storage devices have an identified
owner (e.g., designated personnel or organization)?

Yes

No

No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 25: MP Rationale
Control (s)
Referenced
MP-

Rationale

Rationale

As support for the answers above, upload specific organizational policy and/or procedural
document(s) to the secure QECP Salesforce Portal. In addition, specify the control(s)
referenced, document title, page/section reference, and last reviewed date to support future
requests for evidence if required. Add rows as needed.
Table 26: MP Rationale Document(s)
Control (s)
Document, Title, Page/Section Reference
Referenced
MP-

QECP DSR

Document, Title, Page/Section Reference

16

Table 27: Physical and Environmental Protection (PE)
Control (s)
Item
PE-1

PE-2

PE-3

PE-4

PE-6

PE-8

Response
Data

Does your organization have a Physical and Environmental Protection
policy (and subsequent procedures to facilitate the implementation of that
policy) that addresses the purpose, scope, responsibility, management
commitment, coordination among organizational entities, and compliance
for all parties using CMS data? Is the policy disseminated to the
appropriate personnel or roles? Is that policy reviewed and updated (as
necessary) annually?

Yes

Does your organization do the following:

Yes

Develop, approve, and maintain a list of individuals with authorized access
to the facility where the system resides; issue authorization credentials for
facility access; review the access list detailing authorized facility access by
individuals within every, 180 days; and remove individuals from the facility
access list when access is no longer required?

No

Does your organization ensure it:

Yes

Verifies individual access authorizations before granting access to the
facility; controls ingress/egress to the facility using guards and/or defined
physical access control systems/devices (defined in the applicable security
plan); maintains physical access audit logs for defined entry/exit points
(defined in the applicable security plan); provides defined security
safeguards (defined in the applicable security plan) to control access to
areas within the facility officially designated as publicly accessible; escorts
visitors and monitors visitor activity in defined circumstances requiring
visitor escorts and monitoring (defined in the applicable security plan);
secures keys, combinations, and other physical access devices;
inventories defined physical access devices (defined in the applicable
security plan), no less often than every 90 days; and changes
combinations and keys for defined high-risk entry/exit points (defined in
the applicable security plan) annually, and/or when keys are lost,
combinations are compromised, or individuals are transferred or
terminated?

No

Does your organization ensure that telephone and network hardware and
transmission lines (e.g., wiring closets, patch panels, etc.) are protected?

Yes

Does your organization monitor physical access to the facility where CMS
data resides and respond to physical security incidents; review physical
access logs weekly and upon occurrence of security incidents; and
coordinate results of reviews and investigations with the organization’s
incident response capability?

Yes

Does your organization maintain visitor access records to the facility for 2
years; and review visitor access records no less often than monthly?

Yes

No

No

No

No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.

QECP DSR

17

Table 28: PE Rationale
Control (s)
Referenced
PE-

Rationale

Table 29: Planning (PL)
Control (s)
PL-1

PL-2

PL-4

Rationale

Item

Response
Data

Does your organization have a Planning policy (and subsequent
procedures to facilitate the implementation of that policy) that addresses
the purpose, scope, responsibility, management commitment, coordination
among organizational entities, and compliance for all parties using CMS
data? Is the policy disseminated to the appropriate personnel or roles? Is
that policy reviewed and updated (as necessary) annually?

Yes

Does your organization have a complete and up-to-date system security
and privacy plan? How often is it reviewed/updated? Is it
reviewed/updated to address changes to the information system and
environment of operation?

Yes

Does your organization ensure that rules of behavior (e.g., user
agreements, system use agreements, etc.) describe the responsibilities
and expected behavior for information system usage, security and privacy
and are signed by all users and administrators? Is this updated/reviewed
at least once a year? How is it acknowledged?

Yes

No

No

No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 30: PL Rationale
Control (s)
Referenced
PL-

Rationale

Table 31: Personnel Security
Control (s)
PS-1

PS-3

QECP DSR

Rationale

Item

Response
Data

Does your organization have a Personnel Security policy (and subsequent
procedures to facilitate the implementation of that policy) that addresses
the purpose, scope, responsibility, management commitment, coordination
among organizational entities, and compliance for all parties using CMS
data? Is the policy disseminated to the appropriate personnel or roles? Is
that policy reviewed and updated (as necessary) annually?

Yes

Does your organization follow organizational policy regarding background
checks and screening for employees with access to CMS data?

Yes

No

No

18

Control (s)
PS-4

PS-6

PS-7

PS-8

Item

Response
Data

Does your organization upon termination of an individual’s employment:

Yes

Disable information system access before or during termination;
terminate/revoke any authenticators/credentials associated with the
individual; conduct exit interviews that include a discussion of nondisclosure of information security and privacy information; retrieve all
security-related organizational information system-related property; retain
access to organizational information and information systems formerly
controlled by the terminated individual; notify defined personnel or roles
(defined in the applicable security plan) within 1 calendar day; and
immediately escort employees terminated for cause out of the
organization?

No

Does your organization develop and document access agreements (e.g.,
nondisclosure, acceptable use, rules of behavior, and conflict-of-interest
agreements) for organizational systems; review and update the access
agreements annually; and verify that individuals requiring access to
organizational information and systems sign appropriate access
agreements (paper or electronic) prior to being granted access?

Yes

Does your organization ensure that third-party service providers
(contractors, CSPs, vendor maintenance) follow the same personnel
requirements as full-time employees?

Yes

Does your organization ensure that the organization has a formal sanction
process for employees who violate security policies or procedures?

Yes

No

No

No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 32: PS Rationale
Control (s)
Referenced
PS-

Rationale

Table 33: Risk Assessment (RA)
Control (s)
RA-1

QECP DSR

Rationale

Item

Response
Data

Does your organization have a Risk Assessment policy (and subsequent
procedures to facilitate the implementation of that policy) that addresses
the purpose, scope, responsibility, management commitment, coordination
among organizational entities, and compliance for all parties using CMS
data? Is the policy disseminated to the appropriate personnel or roles? Is
that policy reviewed and updated (as necessary) annually?

Yes
No

19

Control (s)
RA-3

RA-5

Item

Response
Data

Does your organization do the following:

Yes

Conduct an assessment of risk, including the likelihood and magnitude of
harm, from the unauthorized access, use, disclosure, disruption,
modification, or destruction of the information system and the information it
processes, stores, or transmits; document risk assessment results in the
applicable security plan; review risk assessment results annually;
disseminate risk assessment results to affected stakeholders and
Business Owners; update the risk assessment at a minimum every 3
years, or whenever there are significant changes to the system?

No

Does your organization use an automated vulnerability scanner to scan for
vulnerabilities in the information system and hosted systems no less often
than once every 72 hours and when new vulnerabilities are identified?

Yes
No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Control (s)
Referenced
RA-

Rationale
Rationale

Table 34: System and Services Acquisition (SA)
Control (s)
Item
SA-1

SA-5

Response
Data

Does your organization have a System and Services Acquisition policy
(and subsequent procedures to facilitate the implementation of that policy)
that addresses the purpose, scope, responsibility, management
commitment, coordination among organizational entities, and compliance
for all parties using CMS data? Is the policy disseminated to the
appropriate personnel or roles? Is that policy reviewed and updated (as
necessary) annually?

Yes

Does your organization obtain or develop administrator documentation for
the system or system components that describes:

Yes

No

No

Secure configuration, installation, or operation; effective use and
maintenance of security and privacy functions and mechanisms; and
known vulnerabilities regarding configuration and use of administrative or
privileged functions?
SA-8

QECP DSR

Does your organization apply security and privacy engineering principles
(consistent with NIST Special Publication (SP) 800-160 Volume 1) in
specification, design, development, implementation, and modification of
the system and system components?

Yes
No

20

Control (s)
SA-9

Item

Response
Data

Does your organization ensure that any external system services (thirdparty ticketing, messaging, auditing, monitoring, etc.) outside of the system
boundary comply with organizational information security and privacy
requirements?

Yes
No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 35: SA Rationale
Control (s)
Referenced
SA-

Rationale

Rationale

As support for the answers above, upload specific organizational policy and/or procedural
document(s) to the secure QECP Salesforce Portal. In addition, specify the control(s)
referenced, document title, page/section reference, and last reviewed date to support future
requests for evidence if required. Add rows as needed.
Table 36: SA Rationale Document(s)
Control (s)
Document, Title, Page/Section Reference
Referenced
SA-

Document, Title, Page/Section Reference

Table 37: System and Communications Protection (SC)
Control (s)
Item
SC-1

SC-2

SC-7

QECP DSR

Response
Data

Does your organization have a System and Communications Protection
policy (and subsequent procedures to facilitate the implementation of that
policy) that addresses the purpose, scope, responsibility, management
commitment, coordination among organizational entities, and compliance
for all parties using CMS data? Is the policy disseminated to the
appropriate personnel or roles? Is that policy reviewed and updated (as
necessary) annually?

Yes

Does your organization ensure that administrative and regular user
interfaces are separate?

Yes

Does your organization monitor, control, and protect communications (e.g.,
information transmitted or received by organizational systems) at the
external interfaces and key internal interfaces of organizational systems
(e.g., firewall, Intrusion Detection System (IDS)/Intrusion Prevention
System (IPS))?

Yes

No

No

No

21

Control (s)
SC-7(5)

SC-7(7)

SC-8
SC-13

Item

Response
Data

Does your organization’s information system deny network
communications traffic by default and allow network communications traffic
by exception at managed interfaces or for specific systems (i.e., deny all,
permit by exception)?

Yes

Does your organization prevent split tunneling for remote devices
connecting to organizational systems unless the split tunnel is securely
provisioned using defined security safeguards (i.e., the use of Virtual
Private Network (VPN) for remote connections, sufficiently provisioned
with appropriate security and privacy controls)?

Yes

Does your organization ensure that the information systems use Federal
Information Processing Standards (FIPS) 140-2 validated cryptographic
modules for transmission of data-in-motion and/or data-at-rest?

Yes

Does your organization ensure that the information system terminates the
network connection associated with a communications session at the end
of the session or after a defined period of inactivity?

Yes

Does your organization have a centralized cryptographic key management
system that complies with organizational standards?

Yes

Does your organization prohibit running collaborative computing
mechanisms (e.g., networked white boards, cameras, and microphones)
unless explicitly authorized?

Yes

No

No

No

SC-28
SC-10

SC-12

SC-15

No

No

No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 38: SC Rationale
Control (s)
Referenced
SC-

Rationale

Rationale

Table 39: System and Information Integrity (SI)
Control (s)
Item
SI-1

QECP DSR

Does your organization have a System and Information Integrity policy
(and subsequent procedures to facilitate the implementation of that policy)
that addresses the purpose, scope, responsibility, management
commitment, coordination among organizational entities, and compliance
for all parties using CMS data? Is the policy disseminated to the
appropriate personnel or roles? Is that policy reviewed and updated (as
necessary) annually?

Response
Data
Yes
No

22

Control (s)
SI-2

SI-3

SI-4
SI-4(4)
SI-5

SI-7

SI-8

SI-10

SI-11

Item

Response
Data

Does your organization:

Yes

Identify, report, and correct system flaws; test updates prior to installation
on production systems; correct high/critical security-related system flaws
within 10 business days on production servers and 30 days on nonproduction servers; centrally manage flaw remediation; and track and
approve any security-related patches which are not installed?

No

Does your organization update malicious code protection mechanisms
when new releases are available and perform periodic scans of
organizational systems and real-time scans of files from external sources
as files are downloaded, opened, or executed? Does your organization’s
information system use malicious code protection that has up-to-date virus
definitions and scans important file systems every 12 hours and full
system every 72 hours?

Yes

Does your organization monitor organizational systems, including inbound
and outbound communications traffic, to detect attacks and indicators of
potential attacks? Is the monitoring used to identify unauthorized use of
organizational systems?

Yes

Does your organization receive information security alerts, advisories, and
directives on an ongoing basis; generate internal security alerts,
advisories, and directives as deemed necessary; disseminate security
alerts, advisories, and directives to defined personnel or roles; and
implement security directives in accordance with established time frames?

Yes

Does your organization employ integrity verification tools to detect
unauthorized changes to software, firmware, and information?

Yes

Does your organization employ spam filters for email servers hosted within
the system boundary, if applicable?

Yes

Does your organization’s information system validate user input (e.g.,
username, password, or data entry fields) before accepting it into the
system to protect against injection attacks, cross-site scripting, or other
types of attacks?

Yes

Does your organization’s information system generate error messages that
provide information necessary for corrective actions without revealing
information that could be exploited by adversaries; and reveal error
messages only to defined personnel or roles?

Yes

No

No

No

No

No

No

No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 40: SI Rationale
Control (s)
Referenced
SI-

QECP DSR

Rationale

Rationale

23

As support for the answers above, upload specific organizational policy and/or procedural
document(s) to the secure QECP Salesforce Portal. In addition, specify the control(s)
referenced, document title, page/section reference, and last reviewed date to support future
requests for evidence if required. Add rows as needed.
Table 41: SI Rationale Document(s)
Control (s)
Document, Title, Page/Section Reference
Referenced
SI-

Document, Title, Page/Section Reference

Table 42: Program Management (PM)
Control (s)
PM-1

PM-2

PM-12

PM-18

Item

Response
Data

Does your organization have a Program Management policy (and
subsequent procedures to facilitate the implementation of that policy) that
addresses the purpose, scope, responsibility, management commitment,
coordination among organizational entities, and compliance for all parties
using CMS data? Is the policy disseminated to the appropriate personnel
or roles? Is that policy reviewed and updated (as necessary) annually?

Yes

Does your organization have a Chief Information Security Officer
appointed to manage the security program, or similarly recognized official?

Yes

Does your organization implement an insider threat program that includes
a cross-discipline insider threat incident handling team?

Yes

Does your organization develop and disseminate a strategic privacy plan?

Yes

No

No

No

No
PM-19

PM-21

Does your organization have a Chief Privacy Officer appointed to manage
the privacy program, or similarly recognized official?

Yes

Does your organization ensure that an accurate accounting of disclosures
of PII is developed and maintained to include date, nature, and purpose of
each disclosure; and contact information of the person or organization to
which the disclosure was made? Does your organization also ensure that
the accounting of disclosures is retained for the length the PII is
maintained or five years after the disclosure is made, whichever is longer,
and that the accounting of disclosures is made available to the related
individual upon request?

Yes

No

No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 43: PM Rationale
Control (s)
Referenced
PM-

QECP DSR

Rationale

Rationale

24

Table 44: Personally Identifiable Information Processing and Transparency (PT)
Control (s)
Item
PT-1

PT-2

PT-3

Response
Data

Does your organization have a Personally Identifiable Information
Processing and Transparency policy (and subsequent procedures to
facilitate the implementation of that policy) that addresses the purpose,
scope, responsibility, management commitment, coordination among
organizational entities, and compliance for all parties using CMS data? Is
the policy disseminated to the appropriate personnel or roles? Is that
policy reviewed and updated (as necessary) annually?

Yes

Does your organization determine and document the relevant legal
authority that permits the collection, use, maintenance, and sharing of
PII/PHI and restrict the minimum relevant and necessary elements of
PII/PHI to only that which is authorized?

Yes

Does your organization identify and document the purpose(s) for
processing PII/PHI and restrict the processing of PII/PHI to only that which
is compatible with the identified purpose(s)?

Yes

No

No

No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.
Table 45: PT Rationale
Control (s)
Referenced
PT-

Rationale

Rationale

Table 46: Supply Chain Risk Management (SR)
Control (s)
Item
SR-1
SR-2

SR-3
SR-6

Response
Data

Does your organization develop a policy for the implementation of supply
chain risk management and a plan for managing supply chain risks
associated with the research and development, design, manufacturing,
acquisition, delivery, integration, operations and maintenance, and
disposal of the systems processing, transmitting, or storing CMS data? Are
the policy and plan reviewed and updated annually or as required, to
address environmental changes?

Yes

Does your organization establish a process or processes to identify and
address weaknesses or deficiencies in the supply chain elements and
processes of systems processing, transmitting, or storing CMS data as
well as assess and review supply chain-related risks associated with
suppliers or contractor services on an annual basis?

Yes

No

No

If No was selected for any of the above listed control-specific questions, provide a brief rationale
explaining why your organization has chosen not to implement the applicable control. Add rows
as needed.

QECP DSR

25

Table 47: SR Rationale
Control (s)
Referenced
SR-

E.

Rationale

Rationale

Overall Attestations and Audit Agreement

The Data Custodian attests in Table 48. Please note that all related policies, procedures, and
controls specified above may be subject to audit by CMS or CMS appointed personnel,
including possible on-site engagements.
IMPORTANT: If required, this audit will be at the cost of the applicant.
Table 48: Attestation
Item
Our environment is using a CSP, and we understand that security and
compliance are a shared responsibility between us, the customer, and the
CSP. As the customer, we have responsibility for security “in” the cloud
(customer data, applications, identity & access management, etc.), while the
CSP has responsibility for security “of” the cloud (compute, storage,
networking, regions, availability zones, etc.).
I have reviewed all information, either presented above or attached to this
review, and attest that is in fact true, complete, and accurate.

Response Data
Yes
No
NA
Yes
No

Name of QE

Name of QE

Name of PersonData Custodian Attesting (Name)

Name of Data
CustodianName of
Person Attesting

Title of Person AttestingData Custodian Organization

Name of Custodian’s
Organization

Does the Data Custodian store identifiable data?

Yes
No

Does the Data Custodian access identifiable data?

Yes
No

Date

QECP DSR

MM/DD/YYYY

26