The QualityNet Security Hub is a central repository that houses QualityNet policies, guidelines, and templates intended for existing or potential CCSQ contractors utilizing QualityNet IT Services and/or HCQIS network resources. These documents are intended to guide Contractors or potential bidders in meeting general CMS security requirements as well as providing associated processes to ensure compliance within the contract and while utilizing the CCSQ systems.

For more general information regarding CMS Information Security and Privacy, please visit: CMS Information Security and Privacy Overview












The QualityNet policies are comprised of various HHS, CMS and HCQIS policies that ensures FISMA compliance and other Federal Security & Privacy mandates. 







 











Annual Security Awareness Training REQUIRED for ALL CMS CONTRACTORS

HHS and CMS in accordance to Federal Information Security Management Act (FISMA) of 2002 and other policies requires that all Federal CMS and Contractor users of Federal Information Systems to be exposed to security and privacy awareness training materials at least annually. This is to inform federal employees, contractors and other users of information systems that support the operations and assets of the agency, of:

  • Information Security risks associated with technologies and their activities while utilizing those technologies.
  • Responsibilities in complying with agency policies and procedures designed to reduce risks.
  • Overview of protecting Personally Identifying Information (PII) or Personal Health Information (PHI) of any individual as directed in the Privacy Act of 1974.
  • Records Management and Retention









     








The SPOC procedures provides a full list of responsibilities and requirements for individuals acting as the Security Point of Contact (SPOC) for your respective contract. 
















As set by CMS policy, the CMS IR procedures provides both general and detailed information on when and how to submit an Incident ticket along with any related requirements including requirements for reporting timely. 













  • No labels