Introduction

During onboarding, and before accessing any QualityNet system or application, each user must sign Rules of Behavior, complete the appropriate training, and provide evidence of training completion to their

HCQIS Security Awareness Training (SAT) & Certification Administration Instructions: HHS and CMS, in accordance with the Federal Information Security Management Act (FISMA) of 2002 and other policies, require that all Federal CMS and Contractor users of Federal Information Systems be exposed to security and privacy awareness training materials at least annually. This is to inform federal employees, contractors and other users of information systems that support the operations and assets of the agency of:

  • Information Security risks associated with technologies and their activities while utilizing those technologies.

  • Responsibilities in complying with agency policies and procedures designed to reduce risks.

  • Overview of protecting Personally Identifying Information (PII) or Personal Health Information (PHI) of any individual as directed in the Privacy Act of 1974.

  • Records Management and Retention.

During onboarding and before access to any HCQIS system or application, each user must complete proper training requirements on an annual basis and must provide evidence of completion to his/her respective Security Point of Contact (SPOC); the SPOC will track all required training within their organization. In many cases, an annual attestation is also provided to the organization’s CMS Contracting Officer’s Representative (COR) as a deliverable.

If you have questions about policy or need more information regarding contract requirements, please contact your COR.

Security Awareness Training (SAT)

During onboarding and before access to any HCQIS system or application each user must complete proper training requirements on an annual basis and must provide evidence of completion to his/her respective Security Point of Contact (SPOC) who will track all required training within the organization.

Note: In most cases, an annual attestation is also provided to the CMS COR as a deliverable. Contact your COR for specific contract deliverables and dates.

The QualityNet program utilizes the DoD Cyber Exchange (https://public.cyber.mil/cyber-training/), a publicly accessible training library with course offerings, to allow contractors to meet part of the CMS SAT requirements. These trainings include the Cyber Awareness Challenge and Identifying and Safeguarding Personable Privacy Training.

Records Management

The Department of Health and Human Services (HHS) Records Management training is a mandatory training requirement and is outlined in the HHS Policy for Records Management and the Office of Management and Budget (OMB)/National Archives and Records Administration (NARA) joint Directive M-19-21, Transition to Electronic Records. The purpose of this records management training is to provide an overview of user responsibilities for records handling, help users tell the difference between records and non-records, and assist them in learning how to manage the federal records lifecycle.

Note: The HHS Office of Human Capital manages records management training and requirements for CMS. Therefore, separate or updated instructions may be issued by HHS to include new training requirements, content or links. Please check with your COR for any changes to the information provided by HHS.

Below are the links to the websites where the three required trainings are hosted. DoD provides the links for the security trainings, and they are subject to change at any time. If a link is broken, you may also do a web search for the name of the training and use the appropriate search result, since the trainings are publicly available.


User Instructions

Step 1 - Complete the required online training by selecting the corresponding modules listed below.

  • Complete the online trainings as defined by the deliverable, contract onboarding period or other timeframe identified by the program/contract.

Step 2 - Type your name in the online display for the Certificate of Completion, which is provided at the successful conclusion of the training.

Note: Screen captures of the training certificate are acceptable if no printable certificate exists or if any errors occur while printing.

Step 3 - Take a screen capture (shot) or save a copy of the certificate locally, then provide a copy of your completed certification to your organization’s assigned Security Point of Contact (SPOC), who will maintain a copy for record retention.


Recently transitioned from a previous contract?

New users take training during onboarding and before initial access, then annually thereafter. Some contracts and organizations require all users to complete training by a specific time each year. There may also be times when a user has transferred from another contract and has already taken the required training. Therefore, if a user has started or transferred from a previous QualityNet contract and has taken all required trainings within the last 90 days, that user is exempt from taking any training again until the following calendar year or deliverable period, whichever schedule is followed. Please contact your COR with any questions regarding requirements.


SPOC Certifications/Attestation

The SPOC should adhere to the following guidelines related to certification and attestation of training results:

  1. Only one (1) memo is required for all sites under each prime contract region/area/site.
  2. The Certification Memo must be signed (digitally if preferred) by any designated SPOC and the organization’s designated Program Lead.
  3. You may apply a naming convention that best suits your organization, contract or deliverable, but that is easy to understand by other readers. Some examples of the document format names are listed below:
    1. Naming format for BFCC: "BFCC-QIO-(Contract Name)_SAT_20xx.pdf"
    2. Naming format for QIN: "QIN-QIO-(Contract Name)_SAT_20xx.pdf"
    3. Other Organizations: "(Org/Contract Name)_SAT_20xx.pdf"
  4. You may also have multiple sites that need to be tracked separately. "Site Identification" located at the top of the Certification Memo will help (if applicable):
    1. Region/Area/Network ID; this will vary between contract type/organization.
      1. "BFCC-QIO Region 1"
      2. "QIN-QIO Area-G"
  5. Submit the completed certification memo electronically to your COR using the specified vehicle outlined in the contract (email, CDS, DARRT, etc.), as directed by the CMS COR (if applicable).


    Organizational SPOCs may leverage the provided template to fulfill the requirement. 

    QNet Security Awareness Certification Template.docx


Record Keeping for SPOCs


Records must be updated and maintained at all times, but they are only to be submitted to CMS if requested by the COR or the Information Systems Security Officer (ISSO). Record templates are available within the Security page on the QualityNet Communications Hub or may be obtained through your CMS COR.

Contracts operating across multiple sites (prime/sub) may exercise the option of having multiple records or a single record that reflects all individual sites and each user respectively.

At the top of each page insert the Contract name and specify the site if applicable.

For multiple sites in a single area, you may use a different table that identifies each State/region for each site.


    Organizational SPOCs may leverage the provided template to fulfill the requirement. 

    Security Awareness Training Record template




    Newly on-boarded HCQIS Services users who have taken all three training modules within the last 90 days of the organization's certification period are EXEMPT from taking SAT training for the current annual certification period. This group of users will take security awareness training as normal during the following annual certification period.

    Note: Any deviations from either training module will require the user to take any missed training during the current certification period.