




HCQIS Security Awareness Training (SAT) & Certification Administration Instructions: In accordance with the Federal Information Security Management Act (FISMA) of 2002 and other policies, HHS and CMS require that all Federal CMS and Contractor users of Federal Information Systems be exposed to security and privacy awareness training materials at least annually. The purpose is to inform federal employees, contractors and other users of information systems that support the operations and assets of the agency of:

  • Information Security risks associated with technologies and their activities while utilizing those technologies.

  • Responsibilities in complying with agency policies and procedures designed to reduce risks.

  • Overview of protecting Personally Identifying Information (PII) or Personal Health Information (PHI) of any individual as directed in the Privacy Act of 1974.

  • Records Management and Retention.

During onboarding, and before access to any HCQIS system or application, each user must complete the proper training requirements on an annual basis and must provide evidence of completion to his/her respective Security Point of Contact (SPOC), who will track all required training within the organization.




Note: In most cases, an annual attestation is also provided to the CMS COR as a deliverable. Contact your COR for specific contract deliverables and dates.

Security Awareness Training

The HCQIS system utilizes the DoD Cyber Exchange (https://public.cyber.mil/cyber-training/), a publicly accessible training library with course offerings that allow Contractors to meet the CMS SAT requirements. These trainings include the Cyber Awareness Challenge and the Identifying and Safeguarding Personally Identifiable Information (PII) Privacy Training.


Records Management

The Department of Health and Human Services (HHS) Records Management training is a mandatory training requirement and is outlined in the HHS Policy for Records Management and the Office of Management and Budget (OMB) and National Archives and Records Administration (NARA) Directive M-19-21, Transition to Electronic Records. The purpose of this training is to provide an overview of employee responsibilities for records management, help employees tell the difference between records and non-records, and assist employees in learning how to manage the federal records lifecycle.


Note: HHS Human Capital manages Records Management training and requirements for CMS. Therefore, separate or updated instructions may be sent by HHS which include updates to training links, requirements or content, and these should be used as the underlying guidance outside of these instructions. Please check with your COR for any changes to these requirements.


Below are the links to the websites where the three required trainings are hosted. DoD provides the links for the security trainings, and they are subject to change at any time. If a link is broken, you may also do a web search for the name of the training and use the appropriate search result, since the trainings are publicly available.



  1. Complete the online trainings as defined by the deliverable, contract onboarding period or other timeframe identified by the program/contract.
  2. Type your name in the online display for the Certificate of Completion, which is provided at the successful conclusion of the training, and print a copy.
    1. Note: Screen captures of the training certificate are acceptable if no printable certificate exists or if any errors occur while printing.
  3. Sign the Certificate of Completion and provide the original to the local Security Point of Contact (SPOC) for record retention.


  1. Only (1) memo is required for all sites under each prime contract region/area/site.
  2. The Certification Memo must be signed by the Security Point of Contact (SPOC)/ Security Officer (SO) and the organization's designated Program Lead.
  3. You may apply a naming convention that best suits your organization, Contract or deliverable. Some examples of the document format names are listed below:
    1. Naming format for BFCC: "BFCC-QIO-(Contract Name)_SAT_20xx.pdf"
    2. Naming format for QIN: "QIN-QIO-(Contract Name)_SAT_20xx.pdf"
    3. Other Organizations: "(Org/Contract Name)_SAT_20xx.pdf"
  4. You may also have multiple sites that need to be tracked separately. The "Site Identification" field located at the top of the Certification Memo will help (if applicable):
    1. Region/Area/Network ID; this will vary between contract type/organization.
      1. "BFCC-QIO Region 1"
      2. "QIN-QIO Area-G"
  5. Submit the completed certification memo electronically to your COR using the specified vehicle outlined in the contract (email, CDS, DARRT, etc.) as directed by the CMS COR (if applicable).


  1. SAT Records are not required for submission unless requested by the COR or ISSO. SAT Records must always be updated and maintained. (SAT record templates are available within HCQIS Security Resources on QNP or may be obtained from the CMS COR/ISSO.)
  2. Contracts acting under multiple sites (prime/sub) may exercise the option of having multiple SAT records or a single SAT record that reflects ALL individual sites and each user respectively.
  3. At the top of each page insert the Contract name and specify the site if applicable.
  4. For multiple sites in a single area, you may use a different table that identifies each state/region for each site.





Newly on-boarded HCQIS Services users who have taken all three training modules within the last 90 days of the organization's certification period are EXEMPT from taking SAT training for the current annual certification period. This group of users will take security awareness training as normal during the following annual certification period.


Note: Any deviations from either training module will require the user to take any missed training during the current certification period.